Links

Ben Laurie blathering


More Banking Stupidity: Phished by Visa

Not content with destroying the world’s economies, the banking industry is also bent on ruining us individually, it seems. Take a look at Verified By Visa. Allegedly this protects cardholders – by training them to expect a process in which there’s absolutely no way to know whether you are being phished or not. Even more astonishing is that this is seen as a benefit!

Frame inline displays the VbV authentication page in the merchant’s main window with the merchant’s header. Therefore, VbV is seen as a natural part of the purchase process. It is recommended that the top frame include the merchant’s standard branding in a short and concise manner and keep the cardholder within the same look and feel of the checkout process.

Or, in other words:

Please ensure that there is absolutely no way for your customer to know whether we are showing the form or you are. In fact, please train your customer to give their “Verified by Visa” password to anyone who asks for it.

Craziness. But it gets better – obviously not everyone is pre-enrolled in this stupid scheme, so they also allow for enrolment using the same inline flow. Now the phishers have the opportunity to also get information that will allow them to identify themselves to the bank as you. Yes, Visa have provided a very nicely tailored and packaged identity theft scheme. But, best of all, rather like Chip and PIN, they push all blame for their failures on to the customer:

Verified by Visa helps protect you from fraudulent claims from cardholders – that they didn’t take part in, or authorise, a payment. Once you are up and running with Verified by Visa, you are no longer liable for chargebacks of this nature.

In other words, if the phisher uses your Verified by Visa password, then it’s going to be your fault – obviously the only way they could know it is if you told them! If you claim it was not you, then you are guilty of fraud; it says so, right there.

35 Comments

  1. This has been driving me mad for months. This irritation is dropped in at the end of online purchase procedures with no way to verify whether or not it is genuine nor if it is actually required by the purchaser. Some apparently do require you to complete this and others don’t, there’s no way of knowing which. This happened to me just today, when I clicked to cancel the registration to Verify I was dropped back to the vendor’s ordering system and I had to go through the cycle again.

    Comment by sachelguru — 28 Mar 2009 @ 16:42

  2. And as long as you know the birthdate of the card holder you can just reset the password anyway.

    (Why not just ask for a birth date?)

    Comment by Dave Bush — 28 Mar 2009 @ 19:22

  3. Hi Ben,

    Adding to this is their annoying password policy, which encourages the writing down of passwords. You must have at least one capital letter and one number, and the overall password must be of a certain length. After 3 failed retries it takes you through registration again, at which point when trying to set a password, you may discover “cannot use password, already been used”, and at which point an attacker with even just your date of birth, can recreate your account as they please.

    I’ve lost count of how many times I’ve reset my password. It’s currently set to “Wankers59”. The fact I’m willing to publish this should be a good indication of how much faith I have in their system. ;)

    Comment by David W — 28 Mar 2009 @ 19:58

  4. the people who pushed this into reality are the same that killed SET (http://en.wikipedia.org/wiki/Secure_electronic_transaction).

    I’m surprised vBv has escaped the scrutiny of the security community. after working on it, I hoped it would die a quiet death. I hope the attention of security experts will hasten its demise.

    Comment by past_involvement — 28 Mar 2009 @ 21:24

  5. I ended up cancelling my Egg card after a tussle over VbV. They would not allow me to opt out of this ridiculous system:
    http://camltastic.blogspot.com/2008/11/egg-verified-by-visa.html

    Comment by Rich — 29 Mar 2009 @ 0:12

  6. It’s not just Visa – MasterCard (and JCB) are also pushing the same system: http://en.wikipedia.org/wiki/3-D_Secure. In fact, it is mandatory to support this if you take Maestro payments online.

    Comment by Chris R — 29 Mar 2009 @ 11:42

  7. While VbV is a really bad idea in general, it’s probably fair to mention that the signup flow does require you (iirc) to set a ‘personal phrase’ that’s presented in the VbV iframe, and they do have a small amount of text about checking that this is correct before you enter your password.

    However, the number of people who remember to check it (and the number of times they remind you to check it after you initially set it) are probably very small numbers indeed.

    Comment by Malcolm Rowe — 29 Mar 2009 @ 12:21

  8. I think every time I have come to use the system, I have had to reset my password. They don’t allow non-alphanumeric characters or password reminders.

    I think it’s probably more secure to reset it each time – I think it requires your date of birth, name as printed on the card, and CCV.

    Comment by Cybergibbons — 29 Mar 2009 @ 12:42

  9. My bank shows a word that I set when I enrolled so that I know the login box came from them and I can’t think how anybody could get round that without hacking the bank’s database, in which case they would not need to phish for my password. And I don’t think enforcing strong passwords is a bad thing. I do agree that it is a bit tedious though.

    Comment by Chris — 29 Mar 2009 @ 15:09

  10. The solution is simple. If an online vendor wants me to use the VbV, I will simply not make the purchase from that vendor and I will find one that does not use the VbV system. I do not *need* their item as much as they *need* my money; if need be, I will wait until I can make my purchase from a local vendor. We’ll see just how long VbV lasts when vendors realize it is costing them sales.

    Comment by Robert — 29 Mar 2009 @ 19:43

  11. Malcolm, Chris,

    VbV doesn’t seem to specify the actual authentication method, just a series of protocols to allow the verification to be direct between the cardholder and the bank, rather than via the merchant as with the CCV.

    This means that they don’t need to authenticate themselves to you, and many don’t. It’s not in the interest of the bank to make this really secure, as then any fraudulent usage would be their responsibility, not that of the cardholders.

    Comment by Cybergibbons — 29 Mar 2009 @ 21:12

  12. I’ve already complained to them about this. You fill in your card details on a shop site, and get to the very end of the purchase, and then this unexpected embedded authentication page pops up with an unrelated “alien” URL, asking you to input all your details a second time, to sign up for some security scheme that you’ve never heard of. And although the page says that signing up to the scheme is entirely voluntary, if you //don’t// comply and type in your details the second time, the order that you’ve just laboriously set up with the vendor gets rejected. And if you didn’t input your details into the mystery form, and visited the scheme’s home site for an explanation before committing, the people who wrote the scheme’s site hadn’t put the thing through a spell checker, and the “help” site had at least one bad spelling mistake, making it look even more like a fake.

    So basically, this scheme had almost all the classic hallmarks of a scam, and broke almost all the conventions that we’re told that a “proper” bank site will never, ever break. It was amateurish, incompetent, and lent on customers to do things that they should never, ever do with their bank details.
    It should never have been allowed to happen.

    Comment by Eric Baird — 30 Mar 2009 @ 1:32

  13. I remember when this came out years ago because of the insane fraud rates associated with card not present transactions in certain high risk industries. Merchants were screaming out for some recourse from blanket chargebacks that they couldn’t fight because of their coding.

    Rather than just stop the policy of blanket chargebacks for high risk merchants, VbV came along. Basically you look up the card BIN (first 6 digits) in a Visa directory server, and it tells you if the bank participates and the URL to send the customer to. You send them over with a callback URL, and then you can query to see if they passed the VbV check or not. You submit the VbV code with the auth ticket and the customer can’t say they didn’t authorize the transaction any more.

    I challenged a few Visa/Mastercard execs on this when I met them in Vegas at a conference, they assured the room it was foolproof, blah blah blah. I had a little powerpoint show ready to demonstrate otherwise. Here are its main issues:

    1. Customers hate it and don’t buy. It drops a merchant’s throughput by over 10%. It’s so much hassle it’s not worth it. (cvv = 2% drop, last 4 of social security = 8% drop, so it’s horrible)
    2. Issuing banks hate it. In the US at least, a signature is required to bind a sale contract, so if the customer still insists they didn’t do it and the bank refuses it exposes them legally.
    3. Merchants hate it. It’s expensive to deploy, impossible to track and the sheer number of services that have to be running smoothly for it to work means there’s always downtime. Famously it used to be a requirement to ‘pop-up’ the VbV window, then pop-up blockers arrived and wasn’t that a fun 6 months complaining to Visa.

    It’s so insecure it’s laughable.
    1. If I can compromise a payment platform, then I can transparently redirect the customer to my VbV enrollment page and steal their information. I can then go shopping as them and the poor customer has to almost sue their bank to get any money back.
    2. If I can compromise a customer’s machine I can do the same. Social security numbers are almost harder than fingerprints to replace.
    3. If I can get to the DNS, then man in the middle attacks are endless.

    I don’t lose an awful lot of sleep over this stuff, its reliance on something as bad as Visa’s PCI program that should really scare people.

    Comment by Robert Nice — 30 Mar 2009 @ 2:51

  14. The couple of times I’ve used VfV, it redirects me to my netbanking account for the authorization; I see nothing like what you describe above.

    (The netbanking system I use is fairly secure, as far as I can tell: aside from standard stuff like HTTPS, there’s a mandatory one-time pad authentication step AFTER signing in with my username and password.)

    Comment by Antti-Juhani Kaijanaho — 30 Mar 2009 @ 7:56

  15. It gets better.

    In Halifax’s terms and conditions to the end user, “[i]f you wish to terminate your use of Halifax Secure, you must send an email to cardmemberservices@halifax.co.uk, following which your password and username will be deactivated.” (http://www.halifax.co.uk/creditcards/secure_conditions.asp).

    If you try to actually do this (I had visions of cancelling VbV immediately after using it each time) they point-blank refuse (at least they have worked out that email is insecure.) But they also point-blank refuse to change their conditions.

    Comment by James — 30 Mar 2009 @ 10:26

  16. Chris – the problem is, they try to enforce a ‘strong’ password, yet don’t allow you to use any characters that would make a truly ‘strong’ password.

    I use non-alphas in every password I can, but the one place that doesn’t allow them is the bank!? Indicates the competence of the person who designed the system, don’t you think?

    Comment by Ben — 30 Mar 2009 @ 14:27

  17. There’s nothing (that I can find anyway) in the VbV documentation that says that cardholders will be liable for fraudulent purchases. I’m not sure about Europe, but my understanding is that that would be quite illegal in the US. As I see it, the whole point is that the *merchant* will no longer be liable — instead, the *card issuer* (ie, bank) will. Under this system the issuer is both liable for losses and in a position to enforce stricter security protocols — ie, the risk and enforcement mechanisms are aligned. And that seems like a pretty clear benefit.

    As far as I can tell, your complaint about the stupidity of passwords-in-an-iframe is also a red herring. It’s certainly poor security — but it’s their money when it fails, not mine. So why should I complain if they decide to implement an easier to use system (passwords) rather than a more annoying one (OTP, chip cards, whatever)? The VbV spec says explicitly that the issuer makes these choices, and that again seems like the right thing.

    -sq

    Comment by sq — 31 Mar 2009 @ 3:09

  18. VbyV solves a political problem, not a technical one. After the costly failure of SET (and some other things) Visa decided to outsource the design of card verification protocols to third parties so that they wouldn’t have to go through that type of pain again themselves. As a result obtaining VbyV approval requires overwhelming Visa’s auditors with paperwork, not designing a useful protocol (and in particular the VbyV process seems to attract snake-oilers like flies while those who know what they’re doing stay away and use a properly-designed protocol outside the VbyV framework). I’ve been (peripherally) involved in a number of these VbyV efforts (meaning that I bailed as quickly as I could once I saw where they were going)… it’s like watching the evolution of a bunch of poorly thought-out undergraduate student projects.

    Comment by Dave — 31 Mar 2009 @ 11:10

  19. [...] by Visa Ben Laurie has a very clear-headed post on security dangers exacerbated by Visa’s VbV programme (the same criticisms seem to apply to similar efforts by [...]

    Pingback by Unverified by Visa « Rich Marr’s Tech Blog — 31 Mar 2009 @ 13:45

  20. This is very worrying. I have just passed this web page link, along with the Boing Boing article (http://www.boingboing.net/2009/03/28/verified-by-visa-bri.html) to the Guardian newspaper’s Money section.

    Comment by Patrick — 31 Mar 2009 @ 21:36

  21. VbV for my card does offer minimal authentication, insofar as you can specify a “personal greeting” that is displayed in the VbV dialog. Still far from foolproof though, but the banking industry is built on one-way authentication of consumers :)

    Still, the cleverer bit is the marketing. VbV is a vendor protection scheme, by indemnifying them against CNP fraud if the transaction is verified by VbV. It does nothing to protect my card from theft, as there are plenty of online stores that don’t use VbV. Protecting vendors is no bad thing overall, but marketing it as consumer protection is dishonest.

    Comment by Nik — 1 Apr 2009 @ 10:07

  22. What is different about VbV being embedded into a merchant’s site compared to PayPal being embedded into eBay’s site?

    How is VbV phishing different than any other? There are unlimited numbers of ways you can get this information from someone.

    Comment by Dumitru — 1 Apr 2009 @ 16:07

  23. > Comment by Antti-Juhani Kaijanaho — 30 Mar 2009 @ 7:56
    > The couple of times I’ve used VfV, it redirects me to my netbanking account for the authorization;

    Are you sure :>

    Comment by Robert Nice — 12 May 2009 @ 13:19

  24. >As I see it, the whole point is that the *merchant* will no longer be liable — instead, the *card issuer* (ie, bank) will.

    Yup, and that’s what it’s designed to do, it’s to address merchant fraud and not phishing. Specifically, it provides liability shift onto the issuing bank so that transactions declined with MasterCard RC (result code) 4837 and 4863 and Visa RC 23 and 83 (all variants of “the cardholder claims they didn’t authorise the transaction”) are no longer charged back to the merchant via the acquiring bank. This is because the VbyV/SecureCode value is passed out-of-band so the merchant never sees it. According to Visa, merchant fraud accounts for 70% of all fraud (note that that’s according to Visa, banks have a huge amount of expertise in burying fraud figures in things like bad debts to hide their true scale so take that with a grain of salt), so this is something that’s worth addressing for the banks. It’s useless against phishing (and as Ben points out probably makes phishing attacks quite a bit easier), but that’s because it was never intended to combat phishing.

    (Of course with the genius idea of using inline iframes it won’t stop a merchant phishing the VbyV/SecureCode value either so it’s pretty much self-defeating, but it will at least stop some merchant fraud where they get your card details from somewhere and rack up charges on it).

    Comment by Peter Gutmann — 1 Jun 2009 @ 10:45
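The merchant-side flow Robert Nice describes in comment 13 (directory lookup by BIN, redirect with a callback, check of the result) and the out-of-band property Peter Gutmann describes in comment 24 (the merchant never sees the password, and the liability shift attaches only to a positive result), modelled as an added Python example; this is not code from the post or from Visa, the real 3-D Secure message formats differ, and the directory entry, issuer key, card number and personal message are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: the Visa-style directory maps a card BIN (first six
# digits) to the issuer's access-control server (ACS), and the issuer holds a key
# with which it signs results for merchants. Not real 3-D Secure data or formats.
DIRECTORY = {"411111": "acs.example-bank.test"}
ISSUER_KEY = b"constructed-issuer-signing-key"


def sign_result(key, last4, txn_id, amount, status):
    """Issuer's signed verdict; the merchant can check it without ever seeing the password."""
    msg = f"{last4}|{txn_id}|{amount}|{status}".encode()
    return {"pan_last4": last4, "txn_id": txn_id, "amount": amount, "status": status,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class IssuerACS:
    """Issuer side (fictional): authenticates the cardholder and signs the result."""

    def __init__(self, key, enrolments):
        self.key = key
        self.enrolments = enrolments  # pan -> {"password": ..., "personal_message": ...}

    def challenge(self, pan):
        # The only cue the cardholder gets that the frame is the issuer's is the
        # personal message chosen at enrolment (comments 7, 9, 21 and 29 above).
        return {"personal_message": self.enrolments[pan]["personal_message"]}

    def authenticate(self, pan, txn_id, amount, password):
        stored = self.enrolments[pan]["password"].encode()
        ok = hmac.compare_digest(stored, password.encode())
        return sign_result(self.key, pan[-4:], txn_id, amount, "Y" if ok else "N")


ACS_BY_HOST = {"acs.example-bank.test": IssuerACS(ISSUER_KEY, {
    "4111111111111111": {"password": "correct horse", "personal_message": "blue teapot"}})}


def directory_lookup(pan):
    """Merchant step 1 (comment 13): does this BIN's issuer participate, and where is its ACS?"""
    return DIRECTORY.get(pan[:6])


def merchant_verify(result, issuer_key, txn_id, amount):
    """Merchant step 3: accept only an untampered 'Y' bound to this transaction. The MAC is
    recomputed over the merchant's own txn_id and amount, so a replayed or edited result fails."""
    expected = sign_result(issuer_key, result["pan_last4"], txn_id, amount, result["status"])
    return hmac.compare_digest(expected["mac"], result["mac"]) and result["status"] == "Y"


def run_purchase(pan, amount, password_typed, tamper_status=None):
    """Whole flow. Returns (message shown to the cardholder, whether the merchant gets a
    liability-shifted authorisation). tamper_status simulates someone on the path between
    ACS and merchant rewriting the verdict, e.g. flipping 'N' to 'Y'."""
    acs_host = directory_lookup(pan)
    if acs_host is None:
        return None, False  # issuer not enrolled: no VbV step, no liability shift
    acs = ACS_BY_HOST[acs_host]
    txn_id = secrets.token_hex(8)  # merchant step 2: redirect with a callback for this id
    shown = acs.challenge(pan)["personal_message"]
    # In the real flow the browser posts the password to the ACS; the merchant is not party to it.
    result = acs.authenticate(pan, txn_id, amount, password_typed)
    if tamper_status is not None:
        result = dict(result, status=tamper_status)
    return shown, merchant_verify(result, ISSUER_KEY, txn_id, amount)
```

The model shows what the merchant can and cannot verify: it can check the issuer's signed verdict, but nothing in the flow lets the cardholder check the issuer beyond the personal message.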

  25. I don’t think vBv is all bad – it seems like the only thing it does is add a password to the process of buying something with my card. Why is that a bad thing?

    The main trouble I have with it is that the implementations out there often just don’t work.

    I just got a prompt with the wrong personal phrase on it. I figure the odds of this being an actual man in the middle attack vs simple implementation FAIL are 1:999. There are just way more idiots out there who would mess up a very simple security scheme than there are smart criminals who could pull off a MiM. Nevertheless, keeping my end of the bargain, I didn’t enter my passphrase.

    Seems problematic though that it’s so easy to change the password. Why doesn’t the Visa consortium just implement a PayPal-like scheme where everyone has to use a password? The reason is probably that it’s a consortium…

    Comment by nikolaus heger — 19 Jun 2009 @ 9:34

  26. The privacy policy button of Verified by Visa for me takes me to this page:
    https://www.securesuite.co.uk/abbey/tdsecure/privacy_policy.jsp

    As far as I can tell, this page is a phishing site. I really have lots of evidence for that and none that it isn’t except that I have been directed there by a vendor that is well known to me.

    Comment by Robert (Jamie) Munro — 6 Jul 2009 @ 15:29

  27. Dell is the latest company to lose my business due to Verify By Visa. They sold one less PC thanks to VbV. I just don’t like it at ALL. It cannot be a worse implementation of a bad idea. I wonder how many billions of dollars in lost business because of Verify by Visa. It is the MOST frustrating user experience on the planet. I believe it alone WILL ruin the world economy even more than the idiot W

    Comment by An Enigma — 17 Jul 2009 @ 6:03

  28. Hail Robert! He speaks the truth (29th March). Purchasing has to be quick, simple, and pleasurable. If it is not, people will take their money elsewhere. The arrogance of financial houses to expect their (valued? I think not) customers to jump hurdles everywhere, just to be so-called ‘safe’, is a nonsense.
    Control is all about creating an atmosphere of fear about safety & security, & then magically stepping in as the saviour with a panacea of unproven protection solutions. We should all vote with our feet!

    Comment by Bunny — 24 Jul 2009 @ 19:17

  29. During VBV registration, most Indian banks ask the user to enter a “personalized message” that is displayed on the VBV form during purchase. This message is known only to the bank and the card holder, thus preventing phishing attacks.

    But, of course, this requires that the cardholder register on the bank’s website directly instead of “in-shopping registration”.

    Comment by Saurabh Nanda — 30 Jul 2009 @ 5:17

  30. Well, I just called Halifax to cancel my Halifax Secure thingy & they did it over the phone for me! I had to give all kinds of info but at least that’s it gone. I got so pissed off having to fill out yet another security form each transaction & like everyone here has said, you have no real way of knowing where this pop up page has come from!
    The guy tried to tell me a lot of merchants won’t let you make a purchase without it but I just told him I would take my business elsewhere in that case!

    Comment by simon — 19 Aug 2009 @ 18:09

  31. I somehow got signed up for VbV and cannot find anyone to help me. I’ve called Visa, The Gap (where the card originated), VbV, and the bank that sponsors the card. NONE OF THEM COULD HELP ME!! Each one sent me to another and round and round I went. Insanity. I’m cancelling my card!

    Comment by Claudia — 29 Sep 2009 @ 5:59

  32. [...] The Visa Web site spells this out in a simple graphic (though there have been some interesting problems with the way the system [...]

    Pingback by Faux “Verified By Visa” Phishing Scam Targets Holiday Shoppers « Webroot Threat Blog — 18 Nov 2009 @ 19:57

  33. [...] Not exactly news, but those clever chaps at Cambridge have a nice writeup of the problems in Verified by Visa and MasterCard SecureCode. Short, too. Worth a read. [...]

    Pingback by Links » Verified by Visa, Again — 30 Jan 2010 @ 16:29

  34. [...] over a year ago I wrote about how stupid the Verified by Visa program is. Apparently the mainstream press have now caught up as fraudsters gear up to exploit this fantastic [...]

    Pingback by Links » Phished by Visa: The Aftermath — 19 Oct 2010 @ 12:18

  35. In re Comment by Robert Nice — 12 May 2009 @ 13:19

    Yes, I am sure, to the extent that the usual https safeguards against impersonation are reliable.

    Comment by Antti-Juhani Kaijanaho — 19 Oct 2010 @ 13:32
