Phished by Visa: The Aftermath

Well over a year ago I wrote about how stupid the Verified by Visa program is. Apparently, the mainstream press have now caught up, as fraudsters gear up to exploit this fantastic piece of security design. I particularly like the claim from a UK Cards Association representative that VbV reduces fraud (at around 2:30) – immediately after a victim explains that her bank refused to even investigate the possibility of fraud.

This is, of course, in line with the modern banking strategy for fraud: shift all blame to the customer.


  1. Sounds like it’s your netbanking system that’s stupid, not VbV by itself (except to the extent that VbV does not require your bank to perform better).

    As I said in a comment in the previous entry, the times I need to do a VbV verification, I am redirected to my bank’s website (confirmed by the usual HTTPS indicators), and then I am required to do a two-step authentication: first, using my regular user name and password pair, and a second time by using a one-time pad. That’s pretty secure in my view (and the industry standard here in Finland).

    Comment by Antti-Juhani Kaijanaho — 19 Oct 2010 @ 13:37

  2. What I hate is the way that my bank claim to use “intelligent heuristics” to determine the likelihood of a fraudulent action on my card. I’ve been moving back and forward between two particular countries for the last 15 years that I’ve had that account, and yet, since installation of this “advanced system”, it has not a clue about any of this. I can only imagine what they’re using as a training set for these algorithms, presumably random local transactions over a couple of months. It’s wholly inappropriate and inadequate to be honest. Of course, I’m complaining about all this, but I almost never see sanely selected and applied security measures anywhere, in any domain.

    Comment by raggi — 19 Oct 2010 @ 19:22

  3. You made a huge error in your previous post on this subject and a couple of people called you on it. You quoted this passage as evidence that the customer is burdened with more liability: “Verified by Visa helps protect you from fraudulent claims from cardholders – that they didn’t take part in, or authorise, a payment. Once you are up and running with Verified by Visa, you are no longer liable for chargebacks of this nature.”

    In actuality, it doesn’t say anything like “the customer is responsible.” The implication (in context, thanks) here is that the merchant’s liability is pushed from the merchant to the card issuer — NOT the cardholder. In all instances of fraud, the customer is to be protected. As commenters said, this isn’t really about preventing phishing. It’s about making the customers think they’re more secure while making non-VbV merchants more directly liable in cases of fraud.

    Of course this doesn’t solve the fact that fraudulent merchants can still perpetrate phishing and abuse VbV to wind up just as protected as they were before.

    Comment by Andrew — 5 Mar 2011 @ 23:16

