Friday, October 24, 2008

Is Verified by Visa also Verified by Hackers?

Editor's Note: The more I learn about securing a transaction on the web, the more I realize how unsafe many transactions actually are. Here's an interesting article in the Register regarding Visa's supposedly more secure program, designed to fool cardholders into thinking their transactions are more secure. They call it "Verified by Visa", but first it has to be verified by consumers, which means it can then be verified by hackers.

"VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction".

Since card information can be bought online for as little as $2.50 ("Stolen Card Info Plunges to $2.50 in Black Market") and obtaining a DOB is so easy a caveman could do it, it's looking like VbV is more of a marketing ploy than anything of real value when it comes to protecting the security of an online transaction. What I found even more interesting was Visa's declining to comment on the story, which the Register notes at the end of the article:

VbyV password reset is childishly simple • The Register

Both VbyV and SecureCode are based on 3DSecure, a name that hints at the introduction of some kind of three-factor authentication scheme. But unlike robust authentication techniques, hackers don't have a hardware token generating one-time passwords to worry about - it's just more of the same.

And since card details + CVV number are no longer considered secure enough, it's hard to see how card details + CVV number + VbyV login is any more robust.

Much was made of how easy it was for a hacker to reset Sarah Palin's webmail account password and gain illicit access to emails, but resetting passwords for Verified by Visa - which supposedly makes online transactions more secure - is arguably even easier. To reset Palin's email account a hacker needed to know the Republican VP candidate's birth date, her zip code and the answer to a secret question on where she met her husband. Resetting a Verified by Visa password, by contrast, requires only card details (got $2.50?) and a date of birth.

Register commenter Anthony explains: Barclays Verified by Visa (VbV) allows anyone who has the credit card in their hands to set a new password for VbV with just the card details and the card owner's date of birth. Since the latter is trivial to discover for most people, this adds almost no additional security to the process.

Register reader Jusme reports the same issue: Verified by Visa is one of the reasons I no longer use Barclaycard. Pretty much every time I had to use it the password was not recognised and I had to "reset it", which just meant entering my DOB and a new password, hardly very secure.

Online shoppers who buy goods and services with participating retailers are asked to submit a VbyV or SecureCode password to authorise transactions. These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user's bank.

Punters aren't informed up front that a merchant has signed up to Verified by Visa. Sites used to authenticate a VbyV or SecureCode password routinely deliver a dialogue box using a pop-up window or inline frame, making it difficult to detect whether or not a site is genuine.

The appearance of phishing attacks hunting for Verified by Visa passwords is among the reasons some punters are wary of the technology. Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery,

An anonymous commenter to our original stories agrees:

Verified by Visa and Mastercard SecureCode are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. It is as simple as that.

The issue has been noted, and commented on in the blogosphere as far back as June, but has received little attention in the mainstream media, despite the obvious security implications.

Visa and MasterCard ought to be able to defend the password resetting regime they have established, but neither organisation responded to our request for comment at the time of going to press.®
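To make the reset weakness concrete from the issuer's side, here is an added toy model (my own example, not code from the Register, Visa or any bank). It puts the reset regime the commenters describe, where card details plus date of birth install a new password, beside a hardened variant that also demands a one-time code delivered over a separate channel, the kind of possession factor the article's mention of hardware tokens points at. The card number, DOB and passwords are constructed sample values, and `VbvIssuer`, `reset_adds_a_factor` and the out-of-band delivery are assumptions of the model, not anything the real 3-D Secure deployment exposes.

```python
import hmac
import secrets
from hashlib import sha256

def _h(secret: str) -> str:
    # Store only a hash of the VbV password (a real issuer would also salt it).
    return sha256(secret.encode()).hexdigest()

class VbvIssuer:
    """Toy issuer. weak_reset=True models the regime the article criticises:
    card details plus date of birth are enough to set a new VbV password."""

    def __init__(self, weak_reset: bool):
        self.weak_reset = weak_reset
        self.accounts: dict[str, dict] = {}     # pan -> {"dob": ..., "pw_hash": ...}
        self.pending_otp: dict[str, str] = {}   # pan -> code sent over a separate channel

    def enroll(self, pan: str, dob: str, password: str) -> None:
        self.accounts[pan] = {"dob": dob, "pw_hash": _h(password)}

    def request_reset(self, pan: str):
        """Hardened path only: one-time code sent out of band (e.g. to the cardholder's
        registered device); returned here so a test can play the genuine cardholder."""
        if self.weak_reset or pan not in self.accounts:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[pan] = code
        return code

    def reset_password(self, pan: str, dob: str, new_password: str, otp: str = "") -> bool:
        acct = self.accounts.get(pan)
        if acct is None or dob != acct["dob"]:
            return False
        if not self.weak_reset:                 # possession factor required
            expected = self.pending_otp.pop(pan, None)   # single use
            if expected is None or not hmac.compare_digest(expected, otp):
                return False
        acct["pw_hash"] = _h(new_password)
        return True

    def authorise(self, pan: str, password: str) -> bool:
        acct = self.accounts.get(pan)
        return acct is not None and hmac.compare_digest(acct["pw_hash"], _h(password))

def reset_adds_a_factor(issuer: VbvIssuer, pan: str, dob: str) -> bool:
    """Review check: True when card data plus DOB alone are NOT enough to install
    a new password and then pass VbV authorisation with it."""
    if issuer.reset_password(pan, dob, "chosen-by-whoever-holds-the-card-data"):
        return not issuer.authorise(pan, "chosen-by-whoever-holds-the-card-data")
    return True
```

Run `reset_adds_a_factor` against both configurations: the weak issuer fails the check because a reset with card data and DOB replaces the genuine cardholder's password outright, while the hardened issuer refuses the reset until the out-of-band code arrives and rejects that code on reuse.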
