3D Secure online payment system not secure, researchers say
- 28 January, 2010 00:54
A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.
The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password, or portions of a password, to complete an on-line purchase.
As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.
That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.
One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another.
The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not.
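The iframe problem described above has a defender-side check: the issuer's authentication page can tell the browser whether it may be framed at all. The following is an added example, not code from the article or from the Cambridge paper; it audits a captured set of response headers under the simplified X-Frame-Options and CSP frame-ancestors rules that current browsers apply. The sample responses and the hostnames acs.issuer.example and shop.example are constructed placeholders.

```python
"""Audit whether an issuer authentication page can be embedded in a
third-party iframe, the integration style the article criticises.
Added example; hostnames and responses below are constructed."""
from urllib.parse import urlsplit

# Constructed sample responses from a hypothetical issuer page.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    # no X-Frame-Options and no Content-Security-Policy: any merchant may frame it
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'",
}


def _header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin(parts):
    """(scheme, host, port) triple used for same-origin comparisons."""
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def _source_allows(source, page, embedder):
    """Does one CSP frame-ancestors source expression match the embedder?"""
    src = source.lower()
    if src == "*":
        return True
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin(page) == _origin(embedder)
    if src.endswith(":") and "://" not in src:        # scheme-only source, e.g. https:
        return embedder.scheme.lower() == src[:-1]
    scheme, _, hostpart = src.rpartition("://")       # scheme is '' when absent
    if scheme and scheme != embedder.scheme.lower():
        return False
    host_pattern = hostpart.split("/")[0].split(":")[0]
    host = (embedder.hostname or "").lower()
    if host_pattern.startswith("*."):                 # wildcard subdomain match
        return host.endswith(host_pattern[1:])
    return host == host_pattern


def framing_allowed(headers, page_url, embedder_url):
    """Would a browser render page_url inside a frame on embedder_url?

    A frame-ancestors directive, when present, is authoritative and
    X-Frame-Options is ignored. Otherwise DENY blocks all framing and
    SAMEORIGIN permits only the page's own origin. Any other or missing
    value gives no protection (ALLOW-FROM is obsolete and ignored).
    """
    page, embedder = urlsplit(page_url), urlsplit(embedder_url)
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_allows(s, page, embedder) for s in parts[1:])
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(page) == _origin(embedder)
    return True


if __name__ == "__main__":
    acs, shop = "https://acs.issuer.example/auth", "https://shop.example/checkout"
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "page can be framed by merchant:", framing_allowed(resp, acs, shop))
```

Run against real responses, a "True" for a merchant origin means the bank's password prompt can appear with no address bar of its own, exactly the condition the researchers describe.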
3DS also allows people to set their password immediately as they enroll in the system, a process called "activation during shopping" (ADS). The ADS enrollment will ask for some other piece of information, such as a birth date, in order to confirm the setting of the password. That's a security issue since birth dates are easily obtainable, the researchers argue.
Since the password is also solicited during a transaction, people are less likely to carefully select one since they're more eager to complete the transaction, Murdoch and Anderson wrote. 3DS is vulnerable to phishing, where fraudsters use various methods such as spurious e-mails in order to elicit a person's password.
Customers are also unlikely to closely read the terms and conditions, which means customers could end up paying for bad transactions using their card. Murdoch said he hasn't heard, however, of a customer being held liable for a fraudulent 3DS transaction.
Murdoch said there are other systems on the market that guarantee that the person who is doing a transaction is who they say they are by using their mobile phone.
Those systems can involve generating one-time passcodes on a person's mobile phone that are entered as part of an e-commerce purchase. Another method is sending an SMS (short message service) verification message containing a one-time passcode to a person's mobile phone, which can then be entered during the e-commerce transaction.
However, "most banks have chosen to go for passwords than anything better," Murdoch said. "Passwords are really cheap."
Merchants must pay to implement SecureCode or Verified by Visa, whereas the systems mentioned above would likely require the banks to spend money, Murdoch said.
In a statement, Visa defended its system, saying criminals will always try to defeat security measures but that it had reduced fraud and made consumers more comfortable with on-line transactions.
"Verified by Visa is one layer of security that makes fraud more difficult by helping to prove that a genuine cardholder is taking part in the transactions," the statement said. "Taken in isolation, this will not solve the massively complex issue of fraud, and Visa has never claimed that it would do so."
MasterCard officials could not be immediately reached for comment.
Comments
Anonymous
Verified by Visa is intrusive crap
I tried buying an air ticket online, filled in all the usual stuff including my credit card info, and at the very end of the transaction, instead of processing the payment it sent me to Verified by Visa which wanted me to accept a multi-page legal agreement which I didn't have time to read, so I quit out of the transaction. As a result, Verified by Visa flagged the incomplete transaction as a fraud alert and my card issuer froze my card. I got it straightened out over the phone but it delayed my buying my ticket by a day or so, which luckily didn't result in a higher fare. The crazy thing is I was able to buy the ticket with Paypal (billed to the exact same credit card), without going through Verified by Visa.
More and more sites are using Verified by Visa and it's just obnoxious. Once you enroll there is no way to get out of it, so if a site insists on using it and doesn't offer another way to pay, I just won't buy from them.
Cliff
Citicard has a superior system
Citicard offers a far superior system called a "virtual credit card number". The way it works is that you go to a URL (which you can bookmark) that opens a little control panel (it's actually a Flash application) where you log into your Citicard account and request a one-time credit card number. You then use that number for your transaction. The number can only be used once, so if someone steals it after you have made your purchase they will not be able to use it. It is very convenient to use.
Anonymous
Link to the paper
Is there a working link to the research paper cited? I'm getting nothing but financial%20cryptography%20and%20data%20security/
Matt Melton
Allowing banks to avoid their fraud obligations
I hate it when I know the security and the banking/legal aspect of the whole thing, because it troubles me more than most.
This is just another method the banks are using to reverse the burden of proof in cases of fraud. It is a powerful play with no recourse for the powerless consumer.
From a legal standpoint, it is for the bank to disprove a customer's allegation of fraud - the burden lies with the bank. When you use systems such as 3DS, you give the bank an automatic burden-reversal card to play if you allege fraud. If *you* can't disprove the burden, you lose - it's evidence so close to intent (or recklessness as to it) that you'll never beat your bank in court.
Real fraud is no longer low tech. Real fraud is high tech and very hard to explain (easy to trace != easy to explain). Criminals will find a way to abuse the system. Whether it's socially engineering the chain of trust that results in someone walking into *your* bank with your card and resetting your 3DS ID, obtaining your entire identity by deception or intercepting wire-transfers between the banks. Either way, you won't know how or why and you won't have a reasonable defence.
Banks should remain obligated to pick up the mess for fraud - a common sense ideal given the inherent inequalities our relationships offer. An illusory security measure so far from substance should never be relied upon to buy goods any more than you should print your own bank notes.
eCert
Pointless
Another password? This is not a security measure for verification, it's just another way to make brute force more difficult for website crackers. Pointless, more expensive for those website operators, and confusing for customers.
This is not security. Was this initiative sponsored by the TSA?
Anonymous
Better systems
In Taiwan, you can buy a USB card reader for your credit card. Then you can use your computer as an ATM to transfer money to other people, or as a credit card terminal to pay online.
So it seems that with that system, you get the same security as you get at a store.
Better security is also provided by credit cards with smart chips, which have been deployed widely in various countries such as France and Taiwan.
Smart chip cards + card reader seem like a better solution, yet one has to assume that it would be more expensive for the US banks than it is to just deal with the current fraud in the system....
Anonymous
... This is secure, how?
Any keylogged machine/compromised machine would then give the skimmed details, essentially the USB reader is an MSR... this means it reads the card in a format that can be then duplicated to another card.
I don't think that's a safe way to do it!
Martin
Links
Blog article: http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/
PDF: http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
Anonymous
No Kidding
I presented to Visa Canada about my secure anonymous electronic financial transaction and they liked it, but said they had already made a decision to go with this insecure system.
Note: they knew it was insecure prior to implementation; they also knew there were secure systems that they rejected.
Also, they said that security was not their main concern (I almost fell off my seat...) It is customer service...
Greg Lehey
Verified by VISA: "Security" for morons
I've been suffering from this problem for years with "Verified by VISA". In addition to the problems described in this paper, they seem to have changed their password rules to make them less secure. On each occasion, my (secure) password was invalidated because it didn't match the preconceptions of the "security" people. Never mind, they told me--I could enter a new one online, with "security" information that is all available with a Google search.
The sad thing is that the banks don't seem to understand this, though they do point the finger at other people.
See http://www.lemis.com/grog/product-reviews/verified-by-visa.php for more details.
About this page: the link to the paper is broken. See the URL above for more details. If anybody can give me the correct URL, I'd be grateful.
Visa credit card processing
Merchant credit card processing
Verified by Visa doesn't evoke a feeling of trust from me.
I wouldn't waste my time using this when there are plenty of free payment processing solutions (http://www.acceptpayments.org) that are far better with security.
Anonymous
Worried about security???
No surprise - when I was involved in the early days of EFT terminals (20 years ago) the banks cared about two things and only two things...
1. Their own liability and how much a legal action would cost them vs how much they could scam out of the public.
2. How good their spin doctors could make it look to the uneducated public.
Did anyone really expect anything to have changed?
Greg Lehey
Found that link
The correct link to the paper is http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
james_hutchinson@idg.com.au
Link now working
Sorry about that guys,
Link should now be working
Anonymous
SMS authentication far from secure
Murdoch is wrong to say that the SMS authentication system guarantees anything. Mobile platforms as an out-of-band password platform are becoming less and less secure every day, if they ever were to begin with; doesn't he read the endless new phone hacks and trojans-stealing-mTAN stories? Also, if you are doing the transaction from your mobile then there is nothing out of band about it.
As mobile operating systems have grown in complexity they have the same innumerable security holes as the PC OS, and criminals are focusing in on those without any extra difficulty. In fact you don't even need to, as most countries have anti-competition legislation for their telecommunications companies which forces them to allow customers (or criminals) to transfer or forward calls/SMS with very little difficulty or authentication other than date of birth. Not to mention almost any telecom worker, even in the little mobile huts, can type in your number and read all your SMSes.
He did a great job of pointing out the holes in the VISA system, which I wholeheartedly agree with; however he should not try to offer up an even less secure method as a solution.
Rambo
Insane Discussion ....
None of the discussion is proving a point here... It is something like the Venus Project from Zeitgeist, discussing "Democracy is bad"... Think it through the other way around.
Santhosh
Understanding the real 3 D Secure
Guys
3D Secure allows the customer to actively participate in and authenticate his e-commerce purchase. However, 3DS does not force the use of a password for authentication. The authentication mechanism is completely at the discretion of the banks. Banks can authenticate users using a one-time password sent to his registered mobile device, or initiate an out-of-band IVR call before completing the transaction, etc.
Now the question which needs to be answered is how feasible these authentication techniques are.
1. One-time password sent as an SMS: What would happen if the customer has not updated the bank with the correct mobile number, or he is travelling, or his phone is switched off, or his wife is making the purchase, or the SMS does not arrive on time during festive seasons like Christmas, or you are out of the coverage area, etc.? Would the customer still be happy?
2. Another example of phishing of secure systems (which is more dangerous) is when a Citibank customer walks up to a merchant and swipes his card. It also prompts for the ATM PIN. This looks very secure, as the customer needs to enter the PIN, which means even if his card is skimmed the PIN is required to complete the transaction. However, you are now subjecting your ATM PIN to phishing as well. The fraudulent merchant now has both the customer's card details and his ATM PIN, which means the fraudster can replicate the card and withdraw cash from the ATM. I would have been better off with a less secure card where I need not enter my ATM PIN on a merchant POS I don't trust. Phishing can only be stopped with a combination of technology, process and awareness.
3. Smart card chips and card readers. Can you imagine the investment in the physical device the banks incur in shipping the device to millions of their customers? The bank would be happy with a few frauds instead.
I can keep going on with the drawbacks of secure systems. They are either expensive or simply do not have the reach to the masses.
In summary, no system is perfect. It has its ups and downs. Security, availability and usability do not go well together. Someone talked about PayPal; do all merchants accept PayPal? So for a more generic solution like Visa and MasterCard, whose reach towards merchants and customers is huge, we need a generic solution which addresses the masses. You need to consider the demography, infrastructure and finances of your customers before implementing a secure solution. If you are complaining about a simple password being cumbersome, imagine if you need to wait for an SMS or IVR call during a purchase.
I believe 3D Secure is a perfect solution. This system can learn and gradually upgrade its authentication mechanisms as per demographic and infrastructural growth. The motto is to make it secure yet usable.
Vinnie
Simple steps
Some simple steps to follow:
1. Ask banks to use more questions to verify identity instead of just date of birth to reset the password; disable activation while shopping.
2. Please don't ask for the PIN.
3. Ask for random characters instead of the full password.
4. Never allow an iframe; show the proper URL to the user.
5. Use a URL which is a known domain of the issuing bank. If it is HSBC then it should be the HSBC.com domain. Otherwise it can be prone to phishing attacks.
6. Banks cannot offload their liability onto customers; otherwise there is no incentive for them to improve the security of the transactions.
Daniel B
This is the banks responsibility, not VISA International
I have myself worked on implementing 3DS/VBV for a country, via a company that did the implementation/hosting. It was implemented closely with the company that authored the software, the local Visa agency, and Visa International. It was done very professionally.
It was implemented in such a way that each bank is responsible for authenticating its customers. This generally means implementing BankID, a common method of authenticating customers (also used to authenticate customers using online bank services). The banks then choose what way they want to implement BankID. Generally this means using 2-factor authentication (sometimes in addition to an account number or social security number), by using a password and a key generator. The bank would then enroll series of Visa/MasterCard numbers into 3DS, until all its series were enrolled. All the authentication is separate from VBV/3D, and it's separate from the banks. But it's the bank's responsibility to secure the password and key generators when setting them up and sending them to the customer.
The key generator gives one-time passwords, either by pressing a button, or by entering a PIN code.
I honestly believe the 3DS framework/software is more than secure enough as it is, and it is the banks who are failing at implementing it in a secure manner. Letting customers set their password via ADS/birthday is awful in terms of security.
Other issues like the iFrame are valid points, but there are several ways to implement 3DS/VBV without the use of an iFrame. I've also worked with security/coding for a company that offers merchants online payment via methods like credit cards, and there are several ways to implement this in a secure manner without using iFrames.
Anonymous
cryptographic tokens
Cryptographic tokens (http://en.wikipedia.org/wiki/Security_token) have been in use, securing IT systems, for some years now and you can even get them for locking down your World of Warcraft account.
The concept is simple - supply a piece of information along with the cryptographic key that changes every 60 seconds. Your credit card information (a piece of information) would be useless if it was tied to an ever changing cryptographic key.
I informed my local bank that I would be happy to be part of a pilot of such a scheme (if one existed), but their blank expressions revealed, what I already knew, that IT security just simply isn't understood by the majority of people - this includes the banks that lose billions every year to identity theft and card cloning.
Btw - whenever I use the 3DS system, the in-frame dialog box fills in the user name (based on the card number) and displays the password reminder question, leaving only the password to fill in - secure eh?
Emmanuel Haydont
Misleading Title
The title of this article and of the research document is apparently criticizing the 3d Secure protocol where in fact it is developing about the weaknesses of the issuer authentication methods used. These are independent from the 3d Secure protocol which, by design, leaves to the issuer all the liberty on how he authenticates the cardholder. A fine implementation could be done in EMV or CAP, etc., fixing for some time the security issues raised in the research paper. Imho…
Anonymous
VbV and 3DSecure
The primary problem is acceptance. This product has been around for 8 years now and merchant participation is minimal due to cost and the fact that most merchants have either bought or developed more efficient authentication tools. While the security concerns are valid for 3D secure, if no merchants accept the product there is no level of security provided during shopping.
Anonymous
Verified by Visa Doesn't Protect Consumers
Verified by Visa exists to protect merchants against chargebacks. It doesn't do much to protect consumers from fraudulent credit card transactions. Even if authentication that is stronger than passwords is used by banks, consumers are only protected if the fraudster is trying to make a purchase at a merchant that has implemented Verified by Visa. A thief could easily make fraudulent charges using stolen credit card information at a merchant that has not deployed Verified by Visa. If some sort of authentication system (Verified by Visa or something else) were truly intended to protect consumers from fraud, there would need to be a way to flag a credit card number that is enrolled, so that authentication would *always* be required when the enrolled credit card number is used, no matter what the merchant has deployed.
Bravo
VBV does protect the consumer as well
You have got the basic concept of VBV very wrong. If the fraudster uses the stolen card on a merchant who has not deployed VBV, then the chargeback liability is on the merchant not on the consumer.
Anonymous
Currently in dispute over a Secure 3D transaction.
This thread has been quiet for a couple of weeks so I don't know if anyone is reading it.
I'm concerned about the safety of the web implementation of 3D secure as I am currently disputing some large transactions done with my credit card. I am concerned about the way transactions have been handled between the merchants system, the authorisation system and the bank.
A few weeks ago I attempted a couple of large transactions to a vendor using an RBS mastercard. On each occasion the transaction failed after I filled in the 3D secure password, and it appeared that the transaction did not go through. I didn't pay a great deal of attention to the error message which appeared at the time. I am used to web systems occasionally breaking.
So I gave up on these payments. To my surprise when my credit card bill arrived (four weeks late as it happened but that is a different issue) the transactions were charged to the card.
However the vendor (which is a large government body, not a fly-by-night cowboy website) cannot find the payments.
The bank is currently saying that the payments were made, while the vendor claims they never received them. As a result I am some thousands of pounds out of pocket at this point, and I'm being bounced around like a ping pong ball from one mega-corporate entity to the other, both denying this has anything to do with them.
This reeks to me of some kind of transactional bug in their systems, but I am very worried that from my position outside their systems I can't prove it. It's still early days, as I will take this matter as far as I can... but I am very concerned that with government agencies increasingly mandating online payments we are being forced to use less secure and less safe systems for making large payments.
3D secure feels like an ugly bolt on to the ecommerce process speaking as a consumer rather than a security expert. I'm really unclear that the error conditions have been fully thought through and tested through all eventualities.
I will be in financial trouble if I can't resolve this.