
Month: May 2009

Verified by Visa is training people to get phished

NERD TIME, so feel free to ignore this.

I just placed an order for a brand new netbook to replace my current desktop (I’ll probably just use this netbook as a desktop machine, but I digress).

After a long and arduous decision process I hit submit on the shopping cart and ordered the thing. Or, rather, I had thought I ordered it. Between me and my laptop was the least legit looking XHTML floating window I had ever seen:

Verified by Visa “opt-in”

This was a little floating window coming from the merchant site. It SAID it was from “www.SecureSuite.net” and it SAID it was secure.  Of course, I had no way to verify that because (1) it was just a floating HTML window created by JavaScript and (2) the actual page I was on was located on the merchant’s website.

There is NO way to verify that this is being issued from my bank.  Absolutely NONE.

I did manage to figure out – by opening Firebug – that the JavaScript code was indeed coming from www.SecureSuite.net. Though that didn’t help at all: who the heck is SecureSuite? I’d never heard of it, and the “Suite” instead of “Site” made me think instantly of a phishing site.

Add on top of this: I didn’t think my card had “Verified by Visa” nor had I ever been prompted to use it.

So it says — not in this part of the screenshot, but above it — that enrollment is optional.  Indeed it is, unless you want to use the card to purchase something.  THEN it’s required.

I canceled the purchase, fairly sure it was a legit request, but not entirely convinced and also a little annoyed on principle.  This dialog is essentially forcing people, in order to use their card, to enter their SSN on a questionable website over a questionably secure connection.  All requested by a site that you’ve never heard of.  Just because they used your bank’s logo.

Brilliant, Chase.  Brilliant, Visa.  Way to train your users, you dumb idiots of stupidity.