Verified by Visa – supporting phishing attacks
Recently, while making an online purchase, I was asked by an online store to opt in to the Verified by Visa anti-fraud mechanism. On the face of it this seemed like a very sensible thing to sign up to. All I have to do is provide a password of my choosing that I re-enter each time I make a purchase online using my Visa card.
The structure of Verified by Visa (an implementation of the 3-D Secure protocol; Mastercard's equivalent is branded SecureCode) means that the password never reaches the online seller: I provide it directly to Visa and the card issuer, NOT to the seller, so a seller who keeps my card details cannot simply re-use them later (for nefarious purposes) as a password-protected purchase.
Great, I thought, until I noticed that the site asking me to set up my password (and on which I would presumably have to re-enter it later) did not identify itself in any meaningful way. Check it out for yourself: https://www.securesuite.co.uk. Notice that no 'site owner' is shown in the Firefox/MSIE7 location bar, and even if you examine the SSL certificate it appears to be registered to a company called CYOTA Inc. The only mention of 'Verified by Visa' is buried in the Organisational Unit (OU) entry of the certificate subject, a field that says nothing about who actually operates the site.
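The check described above, done by hand in the browser, is simply "does the organisation the user expects appear as the certificate subject's Organisation (O), or only somewhere less meaningful such as the OU?". The following is an added example, not code from the original post or from Visa/CYOTA: it builds a DER-encoded X.509 subject Name that mimics the one described (O=CYOTA Inc with 'Verified by Visa' only in the OU; the exact values, including the country, are assumed), decodes it, and reports which attribute types mention the brand a user is looking for.

```python
"""Decide whether a certificate subject actually names the operator a
user expects.  Added example: the subject below is constructed to mimic
the one described in the post, not captured from the live site."""

# DER-encoded contents of the X.520 attribute-type OIDs (RFC 5280).
OID_TO_NAME = {
    b"\x55\x04\x06": "C",   # 2.5.4.6  countryName
    b"\x55\x04\x0a": "O",   # 2.5.4.10 organizationName
    b"\x55\x04\x0b": "OU",  # 2.5.4.11 organizationalUnitName
    b"\x55\x04\x03": "CN",  # 2.5.4.3  commonName
}
NAME_TO_OID = {v: k for k, v in OID_TO_NAME.items()}


def _len(n):
    """DER definite-length encoding, short and long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def encode_name(rdns):
    """[(attr, value), ...] -> DER Name: SEQUENCE OF SET OF SEQUENCE {OID, UTF8String}."""
    out = b""
    for attr, value in rdns:
        atv = _tlv(0x30, _tlv(0x06, NAME_TO_OID[attr]) + _tlv(0x0C, value.encode()))
        out += _tlv(0x31, atv)  # one attribute per RDN, as public CAs normally emit
    return _tlv(0x30, out)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """DER Name -> [(attr, value), ...]; unknown OIDs are reported as hex."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        assert set_tag == 0x31, "each RDN must be a SET"
        spos = 0
        while spos < len(rdn):
            _, atv, spos = _read_tlv(rdn, spos)
            _, oid, p = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, p)
            result.append((OID_TO_NAME.get(oid, oid.hex()), val.decode()))
    return result


def operator_check(der, expected_brand):
    """Attribute types whose value mentions expected_brand.

    Only O identifies the validated subject; a brand that shows up solely
    in OU (or CN) is not evidence that the brand owner operates the site.
    """
    return [attr for attr, val in decode_name(der)
            if expected_brand.lower() in val.lower()]


# Constructed subject mimicking the one described in the post (assumed values).
SUBJECT = encode_name([
    ("C", "GB"),
    ("O", "CYOTA Inc"),
    ("OU", "Verified by Visa"),
    ("CN", "www.securesuite.co.uk"),
])

if __name__ == "__main__":
    for attr, val in decode_name(SUBJECT):
        print(f"{attr}={val}")
    hits = operator_check(SUBJECT, "Visa")
    print("'Visa' appears in:", hits)
    print("subject organisation is Visa:", "O" in hits)
```

Run against the constructed subject, 'Visa' is found only in OU, so the check reports that the certificate does not identify Visa as the operator; searching for 'CYOTA' hits O, which is the only field a user could reasonably rely on.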
Now we can obviously Google our way to finding out that CYOTA Inc is owned by RSA, who presumably provide the systems behind Verified by Visa, but really…
The whole process is predicated on the buyer knowing that they are providing their password to Visa and no-one else so I find it incredible that Visa, CYOTA and the issuing banks are not addressing the confusion they are causing.
Worse still, they aren't just confusing the public about Verified by Visa; by asking for a password on a domain nobody has heard of, with no visible owner, they are also positively ENCOURAGING users to ignore the warning signs of phishing attacks.
Hmm that seems like a very big oversight indeed.
Have you seen this? Could make things a lot safer and simpler:
Visa revamps the humble credit card
I’ve seen the PIN confirmation devices that resemble a pocket calculator, but this is a lot more convenient and safer.
It just needs to check your DNA as you use it and the problem will be solved ;->
That's a good point actually. I've seen a Halifax Banking panel on a site and the only proof was the Halifax logo; it could easily be a scam.
[...] when was the last time you noticed the https padlock in your browser’s status bar and even our financial institutions sometimes inadvertently encourage us to provide sensitive information to sites with domains we [...]