Another attempt at improving the security of online transactions is Verified by Visa (and a very similar system called Mastercard SecureCode). The idea is that a password, independent of anything written on the card and with much more variability (10-15 characters), is verified with the bank first and then used for transactions. Not all banks or retailers have signed up yet, but it looks to be a good system, albeit with only one of the factors of authentication in use (Something-you-know). A clever part is the echoing back of a phrase decided by you in advance (the “Personal Message”) to give you confidence that it is a genuine transaction (so beware of any Verified-by-Visa popups that don’t contain this phrase).
However, the implementation on the ground has not been good. Very little advance information has been sent out to customers, and often the first they discover of it is a retailer that is using it, sometimes with no option. You do get an invitation to sign up there and then (called Activation During Shopping), but this is exactly the situation we have all been warned against—an unknown web address (not even the retailer’s) asking for personal details and passwords. I recommend that if you come across this, pause the transaction, go to a different window and sign up directly via your known bank web site.
Now when will The Cooperative Bank join in? Ah, they are, slowly, it just doesn’t say so on the Visa site. They have decided not to use Activation During Shopping so they get a gold star from me for having a clue. I will take half of it back though, as they are using a “memorable name” rather than a real password, nor do they seem to be using the echoed personal message. Is this really one system or are people making it up as they go along?
There’s been a lot of comment about how badly implemented this system has been: The Register has made some particularly good points about the fact that some banks have made it compulsory, rendering legitimate “opt-outs” more likely to label you as a fraudster: http://www.theregister.co.uk/2008/08/07/verified_by_visa_compulsion/. Also, I understand it’s ridiculously simple to reset the VbV password. These two systems are basically about trying to push the responsibility for fraudulent transactions back to the card holders, not the banks.
Thanks for pointing me to that article, it is unusually good for El Reg as John Leyden is better than most of them, but it is disappointing that his source “Steve” is used in every article. It looks like, as I said, each bank is going its own way, with the anti-fraud systems as well as other things. For a while I was bombing out of transactions, but because of my browser config, not deliberately, and I never hit the anti-fraud lock-out. My main card doesn’t look like it wants to sign me up at all, I think because there are two card holders and they don’t know how to handle it.
I too have heard about the very poor security on password resets but I haven’t had a chance to check that out yet. Ditto the claim that it is all about pushing the onus back onto the card holder. It would be hard to do that more as it can already be pretty difficult to prove that you were not at fault, but I have never actually hit the problem.
The last point aside, the system *ought* to be better than the ridiculously weak three digit security code and start to control the rampant online fraud, which we are all paying for indirectly.
While I was there I spotted this article about the one-time pad system as well: http://www.theregister.co.uk/2008/11/19/visa_credit_card/