
Why "Verified By Visa" System Is Insecure

timothy posted more than 4 years ago | from the shifting-the-blame dept.

Security 243

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."


Lol (-1)

ILuvRamen (1026668) | more than 4 years ago | (#30939260)

Literally 10 seconds before coming to Slashdot and reading this, I got done giving Verified By Visa my password for a CC charge through Newegg. Awesome, lol. Oh well, I bet it's still more secure than not having it at all.

Re:Lol (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30939300)

wow shut up

"lol"

Re:Lol (1)

satoshi1 (794000) | more than 4 years ago | (#30939316)

That's probably what people will fail to realize as they start commenting on this article.

Re:Lol (4, Insightful)

FlyingBishop (1293238) | more than 4 years ago | (#30939472)

No, because it's in an iframe it's less secure than having nothing at all. When you're pulling data from two different sites on the same page, it's much easier for a third party to insert their own fields without you knowing.

Re:Lol (5, Interesting)

tatsuyame (1531849) | more than 4 years ago | (#30939322)

It's not. I tried making a purchase on Newegg, got to the Verified by Visa page, but the frame didn't show anything. Assuming that the purchase wouldn't go through, I tried making the same purchase on my other computer. Frame loaded, entered password, purchase went through. However, the first purchase went through, even though I never entered the password for that one. So yeah, I'm guessing it doesn't really do anything to protect you.

Re:Lol (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30939538)

Similar thing happened to me. In my case I couldn't remember the password for that card, so I canceled the Verified by Visa thingy and used a different card. When I was done with the order using the second card, I saw that the first one went through regardless of a successful Verified by Visa thing.

Re:Lol (2, Interesting)

Kamokazi (1080091) | more than 4 years ago | (#30939456)

I used my Visa instead of my usual MC on Newegg for a Christmas gift and it came up for the first time ever. I closed the window intending to buy it on my MC instead, but the payment still went through. 2 days later I got a call from the Visa fraud department...haha. I told the lady the verified thing was a bullshit pain in the ass and she let me on my way. Haven't used my Visa since.

Re:Lol (1)

ACMENEWSLLC (940904) | more than 4 years ago | (#30939500)

My Chase MC and Visa required this to be setup and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.

Re:Lol (0)

Anonymous Coward | more than 4 years ago | (#30939664)

I placed an order at Newegg, got the verified by visa screen and noticed the amount had changed because newegg had adjusted the quantities in the previous screen and I didn't notice.

I hit cancel at the verified by visa but the order still went through and got charged for it. Bizarre.

Re:Lol (1, Redundant)

Lord Byron II (671689) | more than 4 years ago | (#30940032)

Here's a little tip that I discovered by accident. On a NewEgg order, if you hit "cancel" on the Verified-by-Visa page, the order still goes through.

Re:Lol (1)

Ash Vince (602485) | more than 4 years ago | (#30940456)

Here's a little tip that I discovered by accident. On a NewEgg order, if you hit "cancel" on the Verified-by-Visa page, the order still goes through.

I have recently built an ecommerce site for someone and noticed that our account on a payment gateway allows us to disable this crap. When disabled, it still displays but the user can skip it or whatever and the purchase still goes through. We have had the account for years. When the client switched it to their account on the same payment processing company the option to disable it was greyed out. It seems it is mandatory for some (maybe newer?) setups but not existing ones.

As a customer it makes no difference to me anyway. It might be an extra step I have to go through but since the password is set to a generic password I can always remember it does not inconvenience me much. Typing one word into a silly box only takes a second or two.

Re:Lol (0)

Anonymous Coward | more than 4 years ago | (#30940524)

My info always seems to change on me for VbV, so I don't bother with it. I've found hitting Cancel will, more often than not, proceed with the order as usual.

Re:Lol (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30940900)

I mis-guessed my verified-by-visa password multiple times on a newegg order and then gave up. The payment went through.

It reminds me of [insider knowledge, that's why I'm posting AC] something my state's unemployment system is about to implement. They're going to have a voice system where people can call in, change what bank account their claims will go into, etc. Of course, to do this, the claimant needs to know their PIN. If they don't know their PIN, though, they can reset their PIN to anything they want, without verifying their identity in any way. If you know someone's SSN, you can have their payments go to you, without knowing anything else. So what's the PIN for?

Re:Lol (1)

m.dillon (147925) | more than 4 years ago | (#30940090)

Well, VbV's security issues are a problem for Visa to solve. It's great for merchants who sell high-priced items (like NewEgg, camera stores, etc). Many smaller merchants who had to go through a whole back-and-forth thing with the customer and credit card company before (for large, expensive orders) can now just use VbV for the same high-priced purchase instead. Higher volume merchants like NewEgg can streamline their credit checks with VbV and even allow shipments to addresses other than the billing address.

I'm not sure why people are saying that it transfers liability to the customer; it doesn't. The liability is transferred from the merchant to Visa (well, actually the issuing bank, I think). Customers are not liable for fraudulent use of a credit card by VbV or anything else.

-Matt

Re:Lol (1)

twiddlingbits (707452) | more than 4 years ago | (#30940312)

The back and forth thing is just a phone call. Takes less than a minute. My wife runs several hundred dollar Visa/MC purchases all the time in her business. We just call a toll free number, type in the card # and amount, and if it needs to be verified by a person they come on and ask a question or two, then give you the verification number. The liability for fraud still lies with the merchant: they got your item, you got nada. The CC just charges the bad purchase back to the merchant; they are not out a dime. VbV is nothing but marketing.

Hundreds of newegg purchases with Opera browser (0)

Anonymous Coward | more than 4 years ago | (#30940098)

I've done hundreds of Newegg purchases using Opera. After the order I get a redirect to the verified page with a couple of dancing eggs. Then my order completes. No popup. No iframe. No prompts for passwords ever.

I don't know if this behavior is Opera related or related to the fact that my Visa is issued by a credit union that I belong to. But VbV has never asked me for anything ever.

Re:Lol (1)

XorNand (517466) | more than 4 years ago | (#30940120)

Newegg is the only store I've seen Verified by Visa used (and I buy a lot of stuff online). Having had my share of problems with it, I never even browse Newegg anymore. I guess they must have such a high incidence of fraud though that it's worth losing the occasional regular customer like me.

Re:Lol (1)

JesterOne (214933) | more than 4 years ago | (#30940856)

When you make a purchase with Newegg, just cancel the VbV box and the charge will go through. Yes, that's right. You can completely bypass the security check by canceling it. I have VbV set up and went to make a purchase a few months ago on Newegg. Didn't remember the password and canceled the password check to go and reset the password. The order was charged and went through. I called Newegg and asked them what happened. I was told "Newegg passed the Visa charge request off to Visa and it returned a thumbs up. The VbV check is optional."
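The pattern these posts describe, cancelling or failing the Verified by Visa step and still being charged, comes down to the merchant or its gateway treating the authentication result as optional. Below is an added example, not code from Newegg, Visa or the Cambridge paper, of the check a merchant's authorisation path should make instead. It assumes a simplified result message (verdicts Y/N/U/A, a transaction ID, an amount) and uses an HMAC under a demo key to stand in for the issuer's signature; the key, transaction IDs and amounts are all constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuthStatus is a hypothetical simplification of the issuer's verdict:
// Y authenticated, N failed, U unavailable, A attempted (card not enrolled).
type AuthStatus string

const (
	StatusAuthenticated AuthStatus = "Y"
	StatusFailed        AuthStatus = "N"
	StatusUnavailable   AuthStatus = "U"
	StatusAttempted     AuthStatus = "A"
)

// AuthResult is the message the merchant gets back from the issuer's
// authentication server. MAC is hex(HMAC-SHA256(key, TxID|Amount|Status));
// a keyed MAC stands in here for the signature a real deployment would carry.
type AuthResult struct {
	TxID   string
	Amount int64 // minor units (cents)
	Status AuthStatus
	MAC    string
}

func mac(key []byte, txID string, amount int64, status AuthStatus) []byte {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%d|%s", txID, amount, status)
	return m.Sum(nil)
}

// IssuerSign produces the result as the issuer side would; it is included
// only so the example runs offline.
func IssuerSign(key []byte, txID string, amount int64, status AuthStatus) AuthResult {
	return AuthResult{TxID: txID, Amount: amount, Status: status,
		MAC: hex.EncodeToString(mac(key, txID, amount, status))}
}

// AuthorizeStrict is the check to make before sending the charge for
// authorisation. It refuses when no result came back at all (shopper
// cancelled or closed the frame), when the MAC does not verify, when the
// result belongs to another transaction or amount, and when the issuer
// reported anything other than Y or A (assumed here to be the only verdicts
// that earn the liability shift).
func AuthorizeStrict(key []byte, txID string, amount int64, res *AuthResult) (bool, string) {
	if res == nil {
		return false, "no authentication result: frame cancelled or closed"
	}
	got, err := hex.DecodeString(res.MAC)
	if err != nil || !hmac.Equal(got, mac(key, res.TxID, res.Amount, res.Status)) {
		return false, "MAC does not verify: result forged or tampered with"
	}
	if res.TxID != txID || res.Amount != amount {
		return false, "result is bound to another transaction or amount"
	}
	switch res.Status {
	case StatusAuthenticated, StatusAttempted:
		return true, "issuer verdict " + string(res.Status)
	default:
		return false, "issuer did not authenticate (verdict " + string(res.Status) + ")"
	}
}

func main() {
	key := []byte("demo-issuer-key") // constructed; a real key is shared out of band
	authenticated := IssuerSign(key, "tx-1001", 12999, StatusAuthenticated)
	failed := IssuerSign(key, "tx-1001", 12999, StatusFailed)
	otherTx := IssuerSign(key, "tx-0999", 12999, StatusAuthenticated)
	tampered := authenticated
	tampered.Amount = 1 // amount edited after authentication; MAC no longer matches

	cases := []struct {
		name string
		res  *AuthResult
	}{
		{"shopper hit cancel", nil},
		{"wrong password (N)", &failed},
		{"result replayed from another order", &otherTx},
		{"amount edited in the result", &tampered},
		{"issuer said Y", &authenticated},
	}
	for _, c := range cases {
		ok, why := AuthorizeStrict(key, "tx-1001", 12999, c.res)
		fmt.Printf("%-38s proceed=%-5v %s\n", c.name, ok, why)
	}
	// The order total changed between checkout and the frame: the genuine
	// result is for 129.99, but the merchant is now trying to charge 149.99.
	ok, why := AuthorizeStrict(key, "tx-1001", 14999, &authenticated)
	fmt.Printf("%-38s proceed=%-5v %s\n", "order total changed to 149.99", ok, why)
}
```

Run it to see each reported failure mode rejected with its reason; the only inputs that proceed are results the issuer actually signed for this transaction ID and amount with verdict Y or A. The amount binding is what catches the case one poster hit, where the total changed between the checkout page and the authentication frame.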

Welcome to 3 years ago (5, Informative)

rnicey (315158) | more than 4 years ago | (#30939308)

I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.

3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.

Only problem is, it's crap.

Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.

If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.

Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

Re:Welcome to 3 years ago (5, Insightful)

Ken D (100098) | more than 4 years ago | (#30939566)

Exactly.
By claiming that it's more secure all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that it's secure so I won't use it.

Pseudo-security => All Pain, No Gain.

Re:Welcome to 3 years ago (5, Interesting)

Threni (635302) | more than 4 years ago | (#30939568)

My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.

Re:Welcome to 3 years ago (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30939638)

My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states.

So why does your bank bother to put a magnetic stripe on their cards if they guarantee that they won't work with a magnetic stripe?

Re:Welcome to 3 years ago (1)

Kral_Blbec (1201285) | more than 4 years ago | (#30939728)

It's not a magnetic stripe. In Europe they have actual chips embedded in the cards like RFID.

Re:Welcome to 3 years ago (1)

Jenming (37265) | more than 4 years ago | (#30939888)

We have embedded chips in the US as well, Visa calls it Blink.

Re:Welcome to 3 years ago (1)

Leafheart (1120885) | more than 4 years ago | (#30939930)

In Brazil too. But we do have the magnetic stripes for the cases where a chip can't be read.

Re:Welcome to 3 years ago (1)

sexconker (1179573) | more than 4 years ago | (#30939982)

How was he able to use the card in the US without the magnetic stripe?

Were the merchants phoning it in?
Running the carbon paper over the credit card?

Re:Welcome to 3 years ago (1)

jimicus (737525) | more than 4 years ago | (#30939998)

It's not a magnetic stripe. In Europe they have actual chips embedded in the cards like RFID.

The UK cards have the stripe as well, though apparently this isn't necessarily true in mainland Europe.

Re:Welcome to 3 years ago (1)

thetoadwarrior (1268702) | more than 4 years ago | (#30940272)

The magnetic stripe is still on the back along with the chip on the front.

Re:Welcome to 3 years ago (2, Informative)

zonky (1153039) | more than 4 years ago | (#30940292)

I was visiting the UK last month as a tourist. I have lived there, and moved away about 5 years ago, around the time Chip & PIN was first appearing.

Frankly, I was treated like some kind of criminal subversive for presenting a credit card that didn't have a CHIP on it. I was told by some retailers (a mobile phone co) that they could not accept my card as ALL cards HAD to be Chip & PIN. It took a bit of experimenting with other retailers for them to work out that if you inserted a non C&P card into the chip slot, it asked you to swipe it. Although, some terminals didn't have swipe-y bits.

It seemed to be a shock to many that not all countries have cards with chip and PIN on them.

Many retailers refused to believe, or be able to sell to me, if I didn't have a postcode. (I'm visiting. Why do you need a postcode? I don't have one!)

This was outside the main tourists bits perhaps- (West Midlands), but still...

Re:Welcome to 3 years ago (2, Insightful)

Threni (635302) | more than 4 years ago | (#30940886)

Your problems are all related to the desire to stop fraud. You're not a subversive - you're just a little unusual. If you use a mag swipe and the card turns out to be stolen, the store loses out. So, unsurprisingly, some stores would rather not serve you. With chip and pin, they'll not lose out if the card turns out to be stolen/fraudulently used. Ditto the post code - they wanted it so they could check it against the postcode the card is registered against. In the perfect world the store staff would know some people, especially tourists/foreigners, don't have chip and pin cards but really the store staff don't give a shit about you - they're just there to get paid, and frankly don't care whether you buy anything or not. I'm sure the store managers are a little more concerned you have a good time, but you're just going to have to get used to being asked awkward questions, or perhaps pay cash.

Re:Welcome to 3 years ago (1)

slimjim8094 (941042) | more than 4 years ago | (#30940184)

I wish we did. I've seen a few devices in the past year that were Chip and PIN (one was at a nearby CVS... can't remember the rest).

Still not sure how it's more secure than a normal magstripe. I guess you can't clone a chip so easily as a magstripe... but that's why I consider my plastic only slightly more "lose-able" than cash, and still keep it safe.

Re:Welcome to 3 years ago (1)

Threni (635302) | more than 4 years ago | (#30940748)

You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high. It's been so successful at stopping credit card theft/fraud that crooks turned quickly to cheques... which is why cheques are now on the way out in the UK - they're now just too risky.

It's also more secure because you need to enter a pin number, so if you lose your card the chances of it being used for fraud are far fewer. Very few shops will accept pin-less transactions now.

Re:Welcome to 3 years ago (2, Informative)

jimicus (737525) | more than 4 years ago | (#30940874)

You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high.

Really?

You'd better tell the people whose chip cards have been cloned. [thisismoney.co.uk]

Re:Welcome to 3 years ago (2, Informative)

thetoadwarrior (1268702) | more than 4 years ago | (#30940300)

Always call your bank / credit card company before going abroad. It will save you hassle especially if you don't travel. Anything that appears to be out of the ordinary will get questioned.

Re:Welcome to 3 years ago (4, Informative)

Anne_Nonymous (313852) | more than 4 years ago | (#30940968)

Also:

1. Always carry more than one card (one each of Visa and MC for example).
2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.

Re:Welcome to 3 years ago (1)

Threni (635302) | more than 4 years ago | (#30941036)

My problems are nothing to do with that. I phoned my bank and they said that wasn't the problem. Yes, there's a `holiday bit` you can have set for a period of time, but my bank still said my card was useless there.

Re:Welcome to 3 years ago (0)

Anonymous Coward | more than 4 years ago | (#30940648)

Good luck with that. I have no idea what my password is. The requirements for the password are so limiting (6 chars, no spaces, no special characters), that even my worst password is too complex for it. Of course, that's easily another security problem in and of itself. I wind up just resetting the password and making one up on the fly if I need to use it, though generally I just avoid it like the plague.

Re:Welcome to 3 years ago (5, Funny)

steelfood (895457) | more than 4 years ago | (#30940706)

Plane ticket: $350
Hotel room for 5 nights: $500
Rental car for 6 days: $200
Broadway show tickets for two: $300
Finding out your VISA card doesn't work but your Master Card does: priceless.

Re:Welcome to 3 years ago (0)

Anonymous Coward | more than 4 years ago | (#30939578)

I'm in the high risk card not present industry

I'm not quite sure what that is a well-rehearsed euphemism for, but I'm not going to ask.

Re:Welcome to 3 years ago (1, Informative)

Anonymous Coward | more than 4 years ago | (#30939634)

Agreed. A while back we got a few unexplainable card not authorised failures. Turned out these cards were 3DS cards.
So I asked the internet guys if we should implement 3DS on our system to avoid losing sales.

Their answer was almost word for word verbatim what you've given: "It transfers the liability from them to the customer, it is not secure".

We have not implemented 3DS on our site. We have no intention of doing so.

Re:Welcome to 3 years ago (3, Insightful)

Qzukk (229616) | more than 4 years ago | (#30939760)

As a customer, the worst part is when the merchant doesn't bother to tell you "oh hey we're going to redirect you to this other site now" and first anti-XSS blocks the page transfer, then the page fails to work anyway thanks to noscript blocking the JS.

Even after I added all the appropriate whitelists, when I buy from a site that uses it, all it does is flash the logo up on the screen then take me back to the merchant's site where I finish the transaction.

Re:Welcome to 3 years ago (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30940146)

You mean your VbV system doesn't use an RSA token as part of the logon? How silly.
(I use the same one for online banking and VbV - not entirely sure how that's set up, but it does seem like a step up from password-only.)

Re:Welcome to 3 years ago (1)

rickb928 (945187) | more than 4 years ago | (#30940544)

Sometimes it's called risk avoidance, sometimes risk sharing, sometimes risk transfer.

It isn't sharing believe me. Wherever possible, processors and issuers will try to palm the risk off on the merchant, or the customer.

While fraud prevention is a massive issue, there is no sure method to detect it. And online merchants suffer both more fraud and more penalties. They often pay higher fees to cover the inevitable fraud expenses.

Even address verification is not enough. I'm not signing up for this, it means nothing yet.

Re:Welcome to 3 years ago (1)

KlomDark (6370) | more than 4 years ago | (#30940672)

As a buyer, I refuse to do business with any company that I haven't visited directly that doesn't take PayPal. I am not giving my credit card or bank account number directly to any establishment. While PayPal may get dinged for freezing money on sellers accounts, I'd say most of the freezes are put on scammy accounts rather than trustable accounts.

As a purchaser - it's PayPal or the Highway. It's not worth the risk to have to evaluate every single company for honesty. (And my neighbor works for PayPal, so if I ever encountered problems with them, he'd help. But so far zero problems with PayPal in a decade.) PayPal will intercede on my behalf if the company I'm buying from gives me a hard time, so it's the reverse of this situation - instead of 3DS transferring the liability to me, I'm instead transferring the liability to PayPal, so it's a total win for me.

I switched credit cards (1)

Alrescha (50745) | more than 4 years ago | (#30939374)

for all sites that I visited that tried to make me jump through the dumb VbV hoops, I switched to American Express.

I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.

A.

Re:I switched credit cards (2, Insightful)

pavon (30274) | more than 4 years ago | (#30940164)

I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.

No kidding. What is worse is that every time I have been shown the verification page it wasn't even hosted at something obviously legitimate like verify.visa.com, but rather the domain was some other corporation related to Visa (can't remember the name right now).

I'd rather use (4, Insightful)

sconeu (64226) | more than 4 years ago | (#30939376)

Single-use CC numbers. But my Visa (issued by my Credit Union) doesn't have one, and AMEX doesn't do them any more.

Recommendations? (1)

pavon (30274) | more than 4 years ago | (#30939938)

My credit card (Visa issued by my bank) doesn't have it either. I've been thinking about getting a second card that does have it solely for online use, but have been turned-off by the issuers I've seen with that feature. Is there anyone here that can recommend a credit card issuer that supports single-use numbers?

My requirements:
* No monthly/yearly fees
* Standard grace period
* Sane fraud protection (call me if you see something suspicious, but don't freeze my card)
* Can be paid using standard electronic transfers (i.e. I can use my bank's website to pay the bill, not the CC's)
* Visa or MasterCard are preferred.
* I don't care about earning airline miles, bonus points, whatever.

Re:Recommendations? (2, Informative)

DCstewieG (824956) | more than 4 years ago | (#30940102)

Discover passes all these, except for being Discover. I'm able to use mine for 99% of purchases.

http://www.discovercard.com/customer-service/security/create-soan.html [discovercard.com]

Re:Recommendations? (1)

pavon (30274) | more than 4 years ago | (#30940316)

Interesting. When my parents had Discover it had maintenance fees, but supposedly made up for it with their cash-back rewards program. However, they could never find enough stores that actually took the card to earn enough cash back to cover the maintenance fees, so they eventually canceled it.

If they've changed that I may look into it.

Re:Recommendations? (0)

Anonymous Coward | more than 4 years ago | (#30940746)

I haven't had a fee for my Discover card, ever, and I've had it for years. Discover's single use numbers, last time I checked, utilized the same expiry and credit limits that your actual card number has. I use my Visa card's single use because it lets me set both. Of course, my Visa's issuing bank is more likely to pull some douchebag move. At which time, I'll cancel it. But until then..

Discover has been decent to me, although the card features aren't really exceptional.

Re:Recommendations? (2, Informative)

prestonmichaelh (773400) | more than 4 years ago | (#30940532)

I would recommend the Citi Forward Card:

http://creditcards.citicards.com/usc/citiforward/single/external/affiliates/Q309/rewards/default.htm?app=UNSOL&app_COL=COLLEGE&sc=46EZA3U9&sc_COL=4CECA3T9&m=90J600000ZW&langId=EN&siteId=CB&B=V&screenID=3124&link=Consumer_15687859&ProspectID=94A073FC70EB478AB75EF008227CD425 [citicards.com]

I have had it for a while now and things have been good. It has virtual account numbers like you wanted that you can set either a time limit, spending limit, or both on. It has basically everything else in your list as well. You can even dispute charges online without having to call anyone (just finished this and the charge was reversed within 2 days without me having to talk to anyone on the phone). It also does have pretty nice rewards anyway, fairly reasonable interest rates, and an interest rate that will drop by .75% after 3 months of on-time payments. You can also set it up to auto-pay or "pay on demand" via ACH from your bank (enter your routing and account number). Anyway, I generally think of Citi as a pretty big corporate evil, but this card, so far, has been pretty good.

Re:Recommendations? (1)

nameer (706715) | more than 4 years ago | (#30940918)

AT&T Universal Card. Citi owns it now, so I don't know if there are other equivalent Citi cards. I've had it for years now and the only thing I can't speak to on your list is the paying with electronic transfers. My wife pays the bill, but she is massive into online banking so I would suspect that you can.

Re:I'd rather use (0)

Anonymous Coward | more than 4 years ago | (#30940176)

Like most engineering issues there is a trade-off between security and other factors like ease of use, throughput, user acceptance, etc. Unlike security researchers, banks and merchants are in business to make money so they tolerate security breaches in exchange for improved efficiency. For another example, businesses often don't require signatures on change purchases since it only slows down the checkout process requiring more checkers for a given volume of transactions.

Re:I'd rather use (1)

slimjim8094 (941042) | more than 4 years ago | (#30940286)

I'm not smart enough to figure out how many credit card numbers exist - except that I know that it's not 10^16 because many numbers are invalid. For anyone who wants to figure this out, credit cards need a merchant code and an account code. I think the account code can be pretty arbitrary, but there are only a dozen or so merchant codes. And the whole thing needs a checksum.

Are there enough credit cards to let everyone use single-use numbers all the time? Maybe we should get only one alternate card number, whose default state is "locked" except for explicitly stated merchants, which default back to "locked" after one charge...

Re:I'd rather use (3, Informative)

pdbaby (609052) | more than 4 years ago | (#30940776)

There are enough numbers. Each issuer has 1 trillion numbers and there's about a million possible issuer numbers... there's a useful description of the anatomy of credit card numbers at http://www.merriampark.com/anatomycc.htm [merriampark.com]
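To make the arithmetic concrete, here is an added example (not from the comment or the linked article) that validates and splits a card number the way that anatomy describes: six-digit issuer identification number, account identifier, Luhn check digit. The 8 to 19 digit length bound and the space-stripping are assumptions of the example; the sample numbers are the standard Luhn test values, not real accounts.

```go
package main

import (
	"fmt"
	"strings"
)

// LuhnValid reports whether pan (digits only, spaces allowed) passes the
// Luhn check that card numbers carry in their final digit.
func LuhnValid(pan string) bool {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 2 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- { // walk right to left
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double { // every second digit from the right is doubled
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// LuhnCheckDigit returns the digit that makes body+digit pass LuhnValid.
func LuhnCheckDigit(body string) (byte, error) {
	for d := byte('0'); d <= '9'; d++ {
		if LuhnValid(body + string(d)) {
			return d, nil
		}
	}
	return 0, fmt.Errorf("body %q is not all digits", body)
}

// Parts are the fields the linked anatomy names: a 6-digit issuer
// identification number, the account identifier, and the check digit.
type Parts struct{ IIN, Account, Check string }

// Split parses a PAN of 8 to 19 digits (assumed bound) into its parts.
func Split(pan string) (Parts, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 8 || len(pan) > 19 {
		return Parts{}, fmt.Errorf("PAN length %d outside 8..19", len(pan))
	}
	if !LuhnValid(pan) {
		return Parts{}, fmt.Errorf("PAN fails Luhn check")
	}
	return Parts{IIN: pan[:6], Account: pan[6 : len(pan)-1], Check: pan[len(pan)-1:]}, nil
}

// NumbersPerIssuer counts the valid PANs of a given length under one IIN.
// Every account identifier yields exactly one valid PAN, because the check
// digit is determined by the digits before it, so the count is 10^(len-7).
func NumbersPerIssuer(panLen int) uint64 {
	n := uint64(1)
	for i := 0; i < panLen-7; i++ {
		n *= 10
	}
	return n
}

func main() {
	for _, pan := range []string{"4111 1111 1111 1111", "4111 1111 1111 1112", "7992 7398 713"} {
		fmt.Printf("%-22s luhn=%v\n", pan, LuhnValid(pan))
	}
	p, _ := Split("4111111111111111")
	fmt.Printf("IIN=%s account=%s check=%s\n", p.IIN, p.Account, p.Check)
	for _, n := range []int{16, 19} {
		fmt.Printf("%d-digit PANs per issuer: %d\n", n, NumbersPerIssuer(n))
	}
}
```

Because the check digit is fixed by the digits before it, an issuer gets exactly 10^(length-7) valid numbers: a billion for 16-digit PANs and, for the 19-digit maximum with a 12-digit account identifier, the trillion the comment quotes.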

oops! (1, Interesting)

methano (519830) | more than 4 years ago | (#30939432)

I first read this as Verified by Vista and I wasn't surprised. Just thought they were beating a dead horse.

Whew (0)

Anonymous Coward | more than 4 years ago | (#30939544)

Glad I'm not the only one that read Vista.

Re:Whew (1)

jgtg32a (1173373) | more than 4 years ago | (#30939594)

I did as well

I just use Paypal (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30939450)

They verified my Visa a long time ago, and it's easier to remember my email address and a password than it is to try and find my card to enter the numbers online.

Re:I just use Paypal (1, Interesting)

Itninja (937614) | more than 4 years ago | (#30939690)

I use the Paypal debit card and get the best of both worlds, so to speak. And my Paypal account is tied to a bank account I only use for online purchases. There is only enough money in there for what I am about to buy. So even if someone does hax0r my Paypal card, there's nothing for them to steal.

It's all the wrong system anyway (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30939464)

The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.
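A worked sketch of the scheme this comment proposes, added here as an example (it is not from the comment, from Visa or from the Cambridge researchers): the card holds an ECDSA private key that never leaves it, the issuer registers only the public key, and each purchase is a signed message over payee, amount and a one-time nonce. It uses the Go standard library's crypto/ecdsa; the nonce bookkeeping, the message encoding and the merchant names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is what the card signs: payee, amount and a one-time nonce
// issued for this purchase, so a captured signature cannot be replayed.
type Transaction struct {
	Merchant string
	Amount   int64 // minor units
	Nonce    string
}

// digest is the message actually signed. Hashing a fixed encoding of every
// field means changing any one of them invalidates the signature.
func (t Transaction) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", t.Merchant, t.Amount, t.Nonce)))
	return h[:]
}

// Card models the cardholder's device: the private key is generated inside
// it and never exported. Only the public key is registered with the issuer.
type Card struct{ priv *ecdsa.PrivateKey }

func NewCard() (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv}, nil
}

func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign authorises one specific transaction. Nothing secret leaves the card.
func (c *Card) Sign(t Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, t.digest())
}

// Issuer holds only public material plus the set of nonces already spent.
type Issuer struct {
	pub  *ecdsa.PublicKey
	used map[string]bool
}

func NewIssuer(pub *ecdsa.PublicKey) *Issuer {
	return &Issuer{pub: pub, used: map[string]bool{}}
}

// Authorize accepts a transaction only if it carries a fresh nonce and a
// signature that verifies over exactly these fields under the card's key.
func (i *Issuer) Authorize(t Transaction, sig []byte) (bool, string) {
	if i.used[t.Nonce] {
		return false, "nonce already spent: replay"
	}
	if !ecdsa.VerifyASN1(i.pub, t.digest(), sig) {
		return false, "signature does not verify for these fields"
	}
	i.used[t.Nonce] = true
	return true, "authorised"
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	issuer := NewIssuer(card.PublicKey())

	// Legitimate purchase: the card signs, the issuer verifies.
	tx := Transaction{Merchant: "shop.example", Amount: 12999, Nonce: "n-0001"}
	sig, _ := card.Sign(tx)
	ok, why := issuer.Authorize(tx, sig)
	fmt.Println("genuine purchase:", ok, why)

	// An eavesdropper (or a dishonest merchant) now holds tx, sig and the
	// public key. Replaying the same message is refused by the nonce...
	ok, why = issuer.Authorize(tx, sig)
	fmt.Println("replay:", ok, why)
	// ...and raising the amount or changing the payee breaks the signature.
	tampered := Transaction{Merchant: "attacker.example", Amount: 99999, Nonce: "n-0002"}
	ok, why = issuer.Authorize(tampered, sig)
	fmt.Println("altered:", ok, why)
}
```

The point the comment makes shows in the last two calls: whoever captures the exchange ends up holding the public key, the signed message and the signature, and none of that lets them replay the purchase or sign a different one.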

Re:It's all the wrong system anyway (1)

Ken D (100098) | more than 4 years ago | (#30939642)

Yep.

Any system where you enter re-usable authentication credentials is a system that you have just enabled to pretend to be you.

Re:It's all the wrong system anyway (1)

SomeJoel (1061138) | more than 4 years ago | (#30939644)

Good system, but you greatly overestimated the intelligence of the average consumer.

Re:It's all the wrong system anyway (1)

dfgchgfxrjtdhgh.jjhv (951946) | more than 4 years ago | (#30939810)

So store the private key on the card; it'll still be more secure than a number & PIN code. It could be made fairly seamless to the end user.

Re:It's all the wrong system anyway (0)

Anonymous Coward | more than 4 years ago | (#30939822)

Nah, if it's simple enough to use to log into your WoW account securely, then it's simple enough for the average consumer to use. But if someone steals your card you're still fucked.

Plus, cards with LCD screens would cost the bank a few pennies.

Re:It's all the wrong system anyway (0)

Anonymous Coward | more than 4 years ago | (#30940154)

Good system, but you greatly overestimated the intelligence of the average consumer.

Main Entry: intelligence [merriam-webster.com]
Pronunciation: \in-te-l-jn(t)s\
Function: noun
Etymology: Middle English, from Middle French, from Latin intelligentia, from intelligent-, intelligens intelligent
Date: 14th century

1 a (1) : the ability to learn or understand or to deal with new or trying situations : reason; also : the skilled use of reason (2) : the ability to apply knowledge to manipulate one's environment or to think abstractly as measured by objective criteria (as tests) b Christian Science : the basic eternal quality of divine Mind c : mental acuteness : shrewdness
2 a : an intelligent entity; especially : angel b : intelligent minds or mind
3 : the act of understanding : comprehension
4 a : information, news b : information concerning an enemy or possible enemy or an area; also : an agency engaged in obtaining such information
5 : the ability to perform computer functions

Please don't confuse 1 and 4. Too many confuse 1 and 5 too. Amusingly, browsing the web and sending email are computer functions. And before someone reminds me, so is posting comments on forums, amongst other things.

Re:It's all the wrong system anyway (1)

sexconker (1179573) | more than 4 years ago | (#30939902)

The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company).

A regular old password should only ever be known by a single person. The person doing the verification should hold the hash and salt only.

Public key bullshit is the same deal.

ALL NON-PHYSICAL SECURITY is the same deal.

It ALL boils down to keeping information secret.
Whether that's your private key, your password, or your stool sample.

Re:It's all the wrong system anyway (1)

Rockoon (1252108) | more than 4 years ago | (#30940030)

Whether that's your private key, your password, or your stool sample.

Anyone who wants to sample my stool deserves what they get.

Re:It's all the wrong system anyway (1)

thetoadwarrior (1268702) | more than 4 years ago | (#30940378)

It's 3 letters at a time from a password. Either you have to have a shitty password or someone will still have to work at it for a while.

I hope Verified by Visa does catch people with their pants down. Fuck 'em, maybe they'll be more inclined to learn how to use their computer properly after they've been had by some kid in Russia.

NoScript (1)

HisOmniscience (1361001) | more than 4 years ago | (#30939628)

Thankfully, NoScript blocks Verified by Visa, for which I have always been thankful.

Re:NoScript (1)

theJML (911853) | more than 4 years ago | (#30940954)

Exactly. And I think it's funny that you can always cancel out of the VbV thing and it'll still work.

Which I have to do every time I want to use my Visa card online because it straight doesn't support the VbV thing. It either fails (yet still works) or comes up saying my bank doesn't support it. I now do all my shopping with MC.

YUO FAIL IT?! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30939812)

486/66 with 8 nearly two yearws 200 running NT is dying.Things

Whoa! (1)

yttrstein (891553) | more than 4 years ago | (#30939848)

There are security engineering professors now? How long have I been asleep?

Does Nothing (1)

sexconker (1179573) | more than 4 years ago | (#30939860)

You have to sign up for it.
The merchant has to offer the option to use it.
And even if you don't put in your password it still goes through.

It's all a bunch of bullshit.

Mastercard gives me Virtual Numbers for online use (3, Interesting)

JoshDM (741866) | more than 4 years ago | (#30939890)

I go to the Mastercard website and request a virtual number. I can specify amount and expiration time (in months). It is linked to my credit card and once I use it at a merchant, that number can only be used at that merchant for up to the amount I specified. I love it.

Meanwhile, a few years back I had to implement Verified by Visa, Mastercom, and Paypal solutions for the checkout process for the company I worked for. Paypal was the easiest and the other two were crappy. I'm not sure how they've worked out in the years since, but you don't see me using them currently. Virtual Numbers all the way.

Re:Mastercard gives me Virtual Numbers for online (1)

FooAtWFU (699187) | more than 4 years ago | (#30940838)

I had a credit card which could do that once (a Wachovia card administered through some "FIA Card Services"). Then Wachovia decided to end that and administer it themselves (which was mostly just annoying). What other card providers provide this capability?

On a related note: online bank security. WTF?

[citation needed] (1)

0racle (667029) | more than 4 years ago | (#30939922)

Ya, VbV is bullshit, but it would be nice if TFA could link to the sources it lists as citations instead of financial%20cryptography%20and%20data%20security/

iframe ? you mean popup / popout (1)

troicstar (1029086) | more than 4 years ago | (#30939934)

just as users are acquiring a healthy skepticism to web generated dialogs, VISA undoes it !

I hate vbv (0)

Anonymous Coward | more than 4 years ago | (#30939952)

I no longer shop at websites that use it. Too much hassle, and it's not secure anyway.

The systems suck (1)

Predathar (658076) | more than 4 years ago | (#30939954)

I switched from VISA to MASTERCARD because the system sucked; it pissed me off having to jump through hoops to buy something. Then MASTERCARD came out with the same system, just not used as much, so I'm still staying with them. Actually pretty funny story... I made a purchase last Fall on a website that had the MASTERCARD security thingy, I hit cancel 'cause my account got locked out, and the purchase STILL WENT THROUGH.... ya... nice security there.

That's why I use Paypal (1)

noidentity (188756) | more than 4 years ago | (#30939956)

I got fed up with all the security issues with online Visa transactions. Now I use PayPal for everything, and I'm fully protected. Lessee, I've made around... hmmm, frozen, what does that mean? Well, I'm having some problems with my account at the moment, but I've made a lot of transactions.

Are You are Verified by Visa? (1)

VortexCortex (1117377) | more than 4 years ago | (#30939992)

Let's say you're on a "secured" web page entering your credit card information.
You see that iframe that's "verified by visa". The code on the page you're looking at says where to get the content from, and IT is secure... The content that is loaded is via "https://..." https (TLS) is secure, it can not be spoofed.

This means that if the content in the iframe has been tampered with your web browser will not display the content. The secure iframe is sent the "Referrer"(sic) header containing the URL of the page that contains the iframe, which the iframe verifies is https and will contain a secure token in the URL (that's what the gibberish after the ? mark is). Therefore "verified by visa" is secure. Annoying as hell, but it is secure.

The issue is: if you're on a "secured" web page that you don't fully trust (say from "https://thieves.com") entering your credit card information and you see the "verified by visa" iframe, without any address bar for that iframe you can't trust that the content within the iframe isn't spoofed. The iframe could contain content that looked like the "verified by visa" iframe, but was actually from "thieves.com".

Therefore, the "verified by visa" iframe content should not reassure you that the page you are on is "verified by visa"... instead you should realize that "verified by visa" means that YOU are being verified by visa.

Check the address bar of the page you are on. Check the page's certificate chain. If you don't trust the web site you're on don't enter financial information. If you don't know how to verify that you can trust the site, you should educate yourself or stop using e-commerce.

Re:Are You are Verified by Visa? (0)

Anonymous Coward | more than 4 years ago | (#30941026)

https (TLS) is secure, it can not be spoofed.

Unless there's a browser vuln or rogue CA, both issues have cropped up recently.

The secure iframe is sent the "Referrer"(sic) header containing the URL of the page that contains the iframe

Unless the user has opted to disable that particular misfeature. BTW: if this is really how it works, I can confidently say I've pulled apart better engineered phishing sites.

Annoying as hell, but it is secure.

Who the fuck are 3DS, why should I trust them and why should they be privy to my online credit card purchases? The mere involvement of a 3rd party is enough to have compromised the security of any transaction.

So no, I'm not "verified by Visa", not now and not ever. I (and several other people I've discussed it with) will simply stop using our cards for online transactions should this crock of shit become mandatory. Why don't 3DS go right ahead and verify that!

Insecure != Unsecured (5, Funny)

Anonymous Coward | more than 4 years ago | (#30939996)

Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.

I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"

Re:Insecure != Unsecured (1)

Arimus (198136) | more than 4 years ago | (#30940178)

I was going to mod this up, but while true I can't decide between insightful and funny - I kept chuckling when I thought of a document going to see a shrink ;)

Re:Insecure != Unsecured (1)

Yvan256 (722131) | more than 4 years ago | (#30941090)

And that shrink's name is ZIP.

Re:Insecure != Unsecured (1)

albedoa (1529275) | more than 4 years ago | (#30940352)

3. not secure; exposed or liable to risk, loss, or danger: an insecure stock portfolio.

Welp.

it kills sales (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30940036)

We had it forced on us by our payment provider and it killed sales; we had so many customers asking what their password was and where to find it. We opted out of it.

Article and "research" bad.. (1)

ltning (143862) | more than 4 years ago | (#30940038)

The researchers, and the article writers, completely fail to understand that 3-D Secure simply defines the interfaces between the three domains in the security model. The actual authentication model used is chosen and implemented by the card issuer. If the card issuer would decide it wants to use passphrase+OTP in a separate window (for URL validation), it could do so. In fact, outside of the US, many do. In Norway, for instance, online payments are usually verified through something akin to a "national electronic ID", which despite its flaws goes way above and beyond simple passwords.

The article is so full of factual mistakes and displays such a complete lack of knowledge and understanding it's not even funny.

"intended to reduce on-line payment card fraud" ? (0)

Anonymous Coward | more than 4 years ago | (#30940216)

That's incorrect, though it's easy to see how the researchers could fall into the trap of believing this.

Anyway, if you read their terms of service, it becomes obvious that the main purpose of the Verified by Visa system is to shift liability for fraud onto the card-holders. It's the main reason I've stopped using my Visa for any purchases over the Internet.

Brings me back (1)

jwinster (1620555) | more than 4 years ago | (#30940218)

TFA mentions one of the security holes being that users "can't see the URL of the verified by visa website because it's in an iframe." Reminds me of the first time a website asked me to enter a password on verified by visa: I stopped the transaction and purchased the item somewhere else for that very reason, since I never had any notification that verified by visa was something I was going to have to do.

What Is The Point Of 6 Digit Password? (3, Informative)

tunapez (1161697) | more than 4 years ago | (#30940284)

I've used the service 3 times...guess how many times I've set/reset my "Verified by Visa" password. Rather than allow for a secure password(8+ characters, alpha-numeric-symbol) I am limited to 6 digits and remember yet another non-standard password? Might as well throw a captcha AND a question to doubly verify I am not a bot, too.

Of Course It's Insecure! (1)

Spiffy (16623) | more than 4 years ago | (#30940408)

If somebody puts a keylogger on your Windows box, they'll get what they need no matter how many passwords you are required to type. Adding another password to the stack adds zero security; it just makes it easier for the credit card company to claim you are truly responsible for the transaction. "It can't possibly be fraudulent--it was Verified by Visa(TM)!"

I try to avoid doing business with anyone who requires me to go through VbV. I know it's not there to protect me.

You don't even need the password (2, Interesting)

beneppel (1378655) | more than 4 years ago | (#30940418)

I recently forgot my verified by visa password - the only security question it asked me that wasn't printed on the card was my date of birth - it's not the first time I've had to reset my password, and each time the question is the same. That means if somebody has my card, all they need to know is my date of birth, and they can reset my 3DS password easily.

c08 (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30940486)

Sharath (1, Funny)

Anonymous Coward | more than 4 years ago | (#30940582)

Can't believe this.. people simply start commenting having just half knowledge.. The 3DS protocol is secure and helps banks to choose the method they use to verify their customers. It's left to banks how they want to authenticate their card holders. A few banks have chosen to keep a static password while others use OTPs. In future banks would use IVR calls or voice authentication or some other technology to identify their customers, but the protocol does not change.

A few merchants may have implemented the flow wrongly.. merchants are supposed to redirect the customer to his bank's site and not show it in a frame or iframe; that is just a bad implementation and is an invitation for a phishing attack. In India at least, as far as I have seen, none of the merchants use the iframe thing.. almost all the merchants redirect the customer to his bank for verification, and the customer can clearly see the URL of the bank server (or provider) that is authenticating him.

It's like saying.. if one drunk driver crashes a car and kills himself, cars are unsafe.. :P
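The redirect-versus-iframe point above, and VortexCortex's observation that an iframe shows no address bar, come down to whether the issuer's authentication page lets itself be framed at all. As an added illustration (not code from this thread or from any 3DS product), here is a Node.js model of the browser's framing decision, driven by the Content-Security-Policy frame-ancestors and X-Frame-Options response headers; the origins such as https://acs.bank.example and https://merchant.example are hypothetical.

```javascript
'use strict';
// Added illustration (not from the thread or any 3DS product): a model of
// the browser's framing decision. An issuer page that answers
// "frame-ancestors 'none'" cannot be shown inside a merchant's iframe, so
// the merchant must redirect and the bank's URL appears in the address bar.
// Origins such as https://acs.bank.example are hypothetical.

// Split "https://host:port", "host:port", "*.host" or "https:" into parts.
function parseSource(s) {
  const m = /^(?:([a-z][a-z0-9+.-]*):(?:\/\/|$))?([^/:]*)(?::(\d+))?$/i.exec(s.trim());
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Does one frame-ancestors source expression admit this ancestor origin?
// Simplified: default ports are not normalised; 'none' and 'self' are the only keywords handled.
function sourceMatches(source, page, ancestor) {
  if (source === "'none'") return false;
  if (source === "'self'") {
    return ancestor.scheme === page.scheme && ancestor.host === page.host && ancestor.port === page.port;
  }
  const src = parseSource(source);
  if (!src) return false;
  if (src.scheme && src.scheme !== ancestor.scheme) return false;
  if (!src.host) return Boolean(src.scheme);  // bare "https:" admits any https ancestor
  if (src.host.startsWith('*.')) {
    const suffix = src.host.slice(1);          // "*.bank.example" -> ".bank.example"
    if (!ancestor.host.endsWith(suffix) || ancestor.host.length <= suffix.length) return false;
  } else if (src.host !== ancestor.host) {
    return false;
  }
  return !src.port || !ancestor.port || src.port === ancestor.port;
}

// May the page at pageOrigin, served with these response headers, be embedded
// by a frame whose parent document lives at ancestorOrigin?
function canBeFramed(headers, pageOrigin, ancestorOrigin) {
  const page = parseSource(pageOrigin);
  const ancestor = parseSource(ancestorOrigin);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const directives = (h['content-security-policy'] || '').split(';').map(d => d.trim().split(/\s+/));
  const fa = directives.find(t => t[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // With both headers present, frame-ancestors wins and X-Frame-Options is ignored.
    return fa.slice(1).some(src => sourceMatches(src, page, ancestor));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sourceMatches("'self'", page, ancestor);
  return true;  // no recognised policy: any site may embed the page
}

// Constructed sample: response headers for an issuer page that refuses framing.
const ISSUER_AUTH_HEADERS = { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'DENY' };
```

With the issuer headers above, canBeFramed returns false for a merchant parent, which is what forces the redirect flow; with no policy headers it returns true, which is the situation in which a merchant (or a look-alike site) can embed the authentication step out of sight of the address bar.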

When someone finds my password... (1)

deains (1726012) | more than 4 years ago | (#30940872)

...my account is still secure. Not all 3DS systems are the same between banks, and some of them actually do it reasonably well (though no security is ever foolproof, of course). On my account, 3DS asks me for one of the five security questions on my account, which involve various different inputs (dates, names, places, etc.). To actually log into my online account I need both the answer to the security questions above, a secret code (not the same as my PIN), plus the standard account details. If I want to actually do anything useful online, I have to use my bank's little security device, which takes my card in and spits out a random code so long as I enter my PIN right (think Blizzard dongle, but with Chip and PIN). And of course, if someone manages to steal my 3DS answer in order to use my card elsewhere, they still need to find out all my other card details. Even if they found them out, they've only got a 1 in 5 chance of getting the right question they know the answer to. The system allows 3 attempts. Good luck, guys.

RSA keyfobs in credit cards (4, Insightful)

ehud42 (314607) | more than 4 years ago | (#30940916)

I would like to see my credit card display a time sync'd rolling number instead of the lame 3 digit code on the back of the card. As I see it, the problem with credit card fraud is not stolen cards, but stolen numbers. If I lose my card, I will know fairly soon and can have the card canceled. However, it may take quite a while to determine my number has been compromised. When shopping online I would like to enter my card number and a second number generated by the card. Cards expire after 2 years, so this should be doable from a battery life point of view. It could even be introduced as an extra fee initially to those who want the extra online shopping security.
