Is Verified by Visa also Verified by Hackers?

Posted by John B. Frank Friday, October 24, 2008

Editor's Note: The more I learn about securing a transaction on the web, the more I realize how unsafe many transactions actually are. Here's an interesting article in the Register regarding Visa's supposedly more secure program designed to fool cardholders into thinking their transactions are more secure. They call it "Verified by Visa" but first it has to be verified by consumers, which means it can then be verified by hackers.

"VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction".

Since card information can be bought online for as low as $2.50 ("Stolen Card Info Plunges to $2.50 in Black Market") and obtaining a DOB is so easy a caveman could do it, it's looking like VbV is more of a marketing ploy than of any real value when it comes to protecting the security of an online transaction. What I found even more interesting was that Visa declined to comment on the story, as the Register tells us at the end of this article:

VbyV password reset is childishly simple • The Register

Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme. But unlike robust authentication techniques, hackers don't have a hardware token generating one-time passwords to worry about - it's just more of the same.

And since card details + CVV number is no longer considered as secure enough then it's hard to see how card details + CVV number + VbyV login is any more robust.

Much was made of how easy it was for a hacker to reset Sarah Palin's webmail account password and gain illicit access to emails, but resetting passwords for Verified by Visa - which supposedly makes online transactions more secure - is arguably even easier. To reset Palin's email account a hacker needed to know the Republican VP candidate's birth date, her zip code and the answer to a secret question on where she met her husband. Resetting a Verified by Visa password, by contrast, requires only card details (got $2.50?) and a date of birth.

Register commenter Anthony explains:
Barclays Verified by Visa (VbV) allows anyone who has the credit card in their hands to set a new password for VbV with just the card details and the card owner's date of birth. Since the latter is trivial to discover for most people, this adds almost no additional security to the process.

Register reader Jusme reports the same issue:
Verified by Visa is one of the reasons I no longer use Barclaycard. Pretty much every time I had to use it the password was not recognised and I had to "reset it", which just meant entering my DOB and a new password, hardly very secure.

Online shoppers who buy goods and services with participating retailers are asked to submit a VbyV or SecureCode password to authorise transactions. These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank.

Punters aren't informed up front that a merchant has signed up to Verified by Visa. Sites used to authenticate a VbyV or SecureCode password routinely deliver a dialogue box using a pop-up window or inline frame, making it difficult to detect whether or not a site is genuine.

The appearance of phishing attacks hunting for Verified by Visa passwords is among the reasons some punters are wary of the technology. Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery,

An anonymous commenter to our original stories agrees:
Verified by Visa and Mastercard SecureCode are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. It is as simple as that.
The issue has been noted, and commented on in the blogosphere as far back as June, but has received little attention in the mainstream media, despite the obvious security implications.

Visa and MasterCard ought to be able to defend the password resetting regime they have established, but neither organisation responded to our request for comment at the time of going to press. ®

1 Responses to Is Verified by Visa also Verified by Hackers?

  1. Hi,

    Today's advanced world is the world of technology and software. Now the businessman easily deals with people online.
    I think the blog is really helpful for those people who deal by web. Thanks for sharing your useful information about Verified by Visa and much more.

     
