Get this stuff out of my head.

Verified by Visa - Supporting Phishing Attacks


Recently, while making an online purchase, I was asked by an online store to opt in to the Verified by Visa anti-fraud mechanism. On the face of it this seemed like a very sensible thing to sign up to. All I have to do is provide a password of my choosing, which I re-enter each time I make a purchase online using my Visa card. The structure of Verified by Visa (and of Mastercard SecureCode, both implementations of the 3-D Secure protocol) means that an online seller cannot simply keep my card details and re-use them later for nefarious purposes, because I only ever provide my password directly to Visa, NOT to the seller themselves. Great, I thought!

Until I noticed that the site asking me to set up my password (and on which I would presumably have to re-enter that password later) did not identify itself in any meaningful way. Check it out for yourself. Notice that the 'site owner' does not appear in the Firefox/MSIE7 location bar, and even if you examine the SSL certificate it turns out to be registered to a company called CYOTA Inc. The only mention of 'Verified by Visa' is buried in the Organisational Unit entry of the certificate; the Organisation field, the one that is supposed to name the legal owner of the site, says nothing about Visa at all. Now we can obviously google our way to finding out that CYOTA Inc are owned by RSA, who probably provide the systems for Verified by Visa, but really…

The whole process is predicated on the buyer knowing that they are providing their password to Visa and no-one else, so I find it incredible that Visa, CYOTA and the issuing banks are not addressing the confusion they are causing. Worse still, they aren't just confusing the public about Verified by Visa; they are also positively ENCOURAGING users to ignore the warning signs of phishing attacks, namely an unfamiliar domain and a certificate issued to an organisation they have never heard of.
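The check the post is describing, i.e. looking past the padlock at who the certificate actually names, can be automated. The following is an added example written for this page, not code from the original post or from Visa, RSA or CYOTA. It works on the dictionary shape that Python's `ssl.getpeercert()` returns, so the same function can be run against a live connection or against the constructed sample below. The sample mirrors the situation the post describes (Organisation = CYOTA Inc, Organisational Unit = Verified by Visa); its hostnames are placeholders and are not the real enrolment service's.

```python
"""Report who a TLS certificate says it belongs to, and whether the brand the
user expects is the certificate's Organization or merely buried in an OU.

Added example for this page; not part of the original post or any vendor's code.
Works on the dict shape returned by ssl.SSLSocket.getpeercert()."""
import socket
import ssl

# Subject attribute names exactly as Python's ssl module spells them.
ORG = "organizationName"
OU = "organizationalUnitName"
CN = "commonName"


def flatten_subject(cert):
    """Turn getpeercert()'s nested RDN tuples into {attribute: [values]}."""
    out = {}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            out.setdefault(attr, []).append(value)
    return out


def san_hostnames(cert):
    """DNS names from the subjectAltName extension, if present."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def identity_report(cert, expected_brand):
    """Describe who the certificate names and where (if anywhere) the expected
    brand appears. A brand that shows up only in an OU means the legal owner
    named in the Organization field is somebody else."""
    subj = flatten_subject(cert)
    orgs = subj.get(ORG, [])
    ous = subj.get(OU, [])
    brand = expected_brand.lower()
    in_org = any(brand in o.lower() for o in orgs)
    in_ou = any(brand in u.lower() for u in ous)
    if in_org:
        verdict = "brand is the certificate's Organization"
    elif in_ou:
        verdict = "brand appears only in an Organizational Unit; the Organization is someone else"
    else:
        verdict = "brand does not appear in the certificate subject at all"
    return {
        "organization": orgs,
        "organizational_unit": ous,
        "common_name": subj.get(CN, []),
        "dns_names": san_hostnames(cert),
        "brand_in_organization": in_org,
        "brand_only_in_ou": in_ou and not in_org,
        "verdict": verdict,
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live helper: fetch and validate the peer certificate for a hostname and
    return it in getpeercert() form, ready for identity_report()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample (not a real certificate): the shape getpeercert() returns,
# with the Organization/OU split the post complains about. Hostnames are placeholders.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "CYOTA Inc"),),
        (("organizationalUnitName", "Verified by Visa"),),
        (("commonName", "enrolment.example.test"),),
    ),
    "subjectAltName": (("DNS", "enrolment.example.test"),),
}

if __name__ == "__main__":
    import json
    print(json.dumps(identity_report(SAMPLE_CERT, "Visa"), indent=2))
```

To run it against a real site, pass `fetch_peer_cert("hostname")` to `identity_report()` instead of the sample. The point of separating the Organization from the Organizational Unit is that a CA vets the former when issuing an organisation-validated certificate; the OU is free text the subscriber fills in, so a brand name there tells you nothing about who controls the server.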