Slashdot Mirror


Why "Verified By Visa" System Is Insecure

angry tapir writes "A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but is better known under the names Verified by Visa and MasterCard SecureCode. Steven J. Murdoch, a security researcher at the University of Cambridge, and security engineering professor Ross Anderson contend there are several flaws with 3DS. One of their main points is how 3DS is integrated into Web sites during a transaction — e-Commerce Web sites display 3DS in an iframe."

243 comments

  1. Welcome to 3 years ago by rnicey · · Score: 5, Informative

    I'm in the high risk card not present industry and if it wasn't so painful it'd be funny how bad it is.

    3DS solves problems for Visa and nobody else. It transfers the liability from the merchant to the customer. No more 'it wasn't me'.

    Only problem is, it's crap.

    Bit like the chip and pin problem in the UK which is a similar joke. If I can get your card and your pin I can go shopping as you and good luck trying to explain that to the bank.

    If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected. Kind of.

    Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

    1. Re:Welcome to 3 years ago by Ken+D · · Score: 5, Insightful

      Exactly.
      By claiming that it's more secure, all they have done is made it that much harder for you, the customer, to be protected when you do get defrauded. I don't trust that it's secure, so I won't use it.

      Pseudo-security => All Pain, No Gain.

    2. Re:Welcome to 3 years ago by Threni · · Score: 5, Interesting

      My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states. So my Visa card is useless abroad? No matter - I had a Mastercard, which worked perfectly. No prizes for guessing which I'll be using in future.

    3. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      I'm in the high risk card not present industry

      I'm not quite sure what that is a well-rehearsed euphemism for, but I'm not going to ask.

    4. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 1, Informative

      Agreed. A while back we got a few unexplainable "card not authorised" failures. Turned out these cards were 3DS cards.
      So I asked the internet guys if we should implement 3DS on our system to avoid losing sales.

      Their answer was almost word for word verbatim what you've given "It transfers the liability from them to the customer, it is not secure".

      We have not implemented 3DS on our site. We have no intention of doing so.

    5. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 1, Interesting

      My Visa card was declined constantly when I was over in the States (from the UK) on business. I phoned my bank and they said it was declined because a chip and pin device wasn't used. Of course it wasn't - they don't have chip and pin in the states.

      So why does your bank bother to put a magnetic stripe on their cards if they guarantee that they won't work with a magnetic stripe?

    6. Re:Welcome to 3 years ago by Kral_Blbec · · Score: 1

      It's not a magnetic stripe. In Europe they have actual chips embedded in the cards like RFID.

    7. Re:Welcome to 3 years ago by Qzukk · · Score: 3, Insightful

      As a customer, the worst part is when the merchant doesn't bother to tell you "oh hey we're going to redirect you to this other site now" and first anti-XSS blocks the page transfer, then the page fails to work anyway thanks to noscript blocking the JS.

      Even after I added all the appropriate whitelists, when I buy from a site that uses it, all it does is flash the logo up on the screen then take me back to the merchant's site where I finish the transaction.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    8. Re:Welcome to 3 years ago by Jenming · · Score: 1

      We have embedded chips in the US as well, Visa calls it Blink.

      --
      Morpheus, God of Dreams.
    9. Re:Welcome to 3 years ago by Leafheart · · Score: 1

      In Brazil too. But we do have the magnetic stripes for the cases where a chip can't be read.

      --
      --- "When you gotta do something wrong. You gotta do it right. (Fighter)"
    10. Re:Welcome to 3 years ago by sexconker · · Score: 1

      How was he able to use the card in the US without the magnetic stripe?

      Were the merchants phoning it in?
      Running the carbon paper over the credit card?

    11. Re:Welcome to 3 years ago by jimicus · · Score: 1

      It's not a magnetic stripe. In Europe they have actual chips embedded in the cards like RFID.

      The UK cards have the stripe as well, though apparently this isn't necessarily true in mainland Europe.

    12. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 1, Interesting

      You mean your VbV system doesn't use an RSA token as part of the logon? How silly.
      (I use the same one for online banking and VbV - not entirely sure how that's set up, but it does seem like a step up from password-only.)

    13. Re:Welcome to 3 years ago by slimjim8094 · · Score: 1

      I wish we did. I've seen a few devices in the past year that were Chip and PIN (one was at a nearby CVS... can't remember the rest).

      Still not sure how it's more secure than a normal magstripe. I guess you can't clone a chip so easily as a magstripe... but that's why I consider my plastic only slightly more "lose-able" than cash, and still keep it safe.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    14. Re:Welcome to 3 years ago by thetoadwarrior · · Score: 1

      The magnetic stripe is still on the back along with the chip on the front.

    15. Re:Welcome to 3 years ago by zonky · · Score: 2, Informative
      I was visiting the UK last month as a tourist. I have lived there, and moved away about 5 years ago, around the time Chip & PIN was first appearing.

      Frankly, I was treated like some kind of criminal subversive for presenting a credit card that didn't have a CHIP on it. I was told by some retailers (a mobile phone co.) that they could not accept my card as ALL cards HAD to be Chip & PIN. It took a bit of experimenting with other retailers for them to work out that if you inserted a non-C&P card into the chip slot, it asked you to swipe it. Although, some terminals didn't have swipe-y bits.

      It seemed to be a shock to many that not all countries have cards with chip and pin on them.

      Many retailers refused to believe, or be able to sell to me, if I didn't have a postcode. (I'm visiting. Why do you need a postcode? I don't have one!)

      This was outside the main tourist bits perhaps (West Midlands), but still...

    16. Re:Welcome to 3 years ago by thetoadwarrior · · Score: 2, Informative

      Always call your bank / credit card company before going abroad. It will save you hassle especially if you don't travel. Anything that appears to be out of the ordinary will get questioned.

    17. Re:Welcome to 3 years ago by rickb928 · · Score: 1

      Sometimes it's called risk avoidance, sometimes risk sharing, sometimes risk transfer.

      It isn't sharing believe me. Wherever possible, processors and issuers will try to palm the risk off on the merchant, or the customer.

      While fraud prevention is a massive issue, there is no sure method to detect it. And online merchants suffer both more fraud and more penalties. They often pay higher fees to cover the inevitable fraud expenses.

      Even address verification is not enough. I'm not signing up for this, it means nothing yet.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    18. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      Good luck with that. I have no idea what my password is. The requirements for the password are so limiting (6 chars, no spaces, no special characters), that even my worst password is too complex for it. Of course, that's easily another security problem in and of itself. I wind up just resetting the password and making one up on the fly if I need to use it, though generally I just avoid it like the plague.

    19. Re:Welcome to 3 years ago by KlomDark · · Score: 1

      As a buyer, I refuse to do business with any company that I haven't visited directly that doesn't take PayPal. I am not giving my credit card or bank account number directly to any establishment. While PayPal may get dinged for freezing money on sellers accounts, I'd say most of the freezes are put on scammy accounts rather than trustable accounts.

      As a purchaser - it's PayPal or the Highway. It's not worth the risk to have to evaluate every single company for honesty. (And my neighbor works for PayPal, so if I ever encountered problems with them, he'd help. But so far zero problems with PayPal in a decade.) PayPal will intercede on my behalf if the company I'm buying from gives me a hard time, so it's the reverse of this situation - instead of 3DS transferring the liability to me, I'm instead transferring the liability to PayPal, so it's a total win for me.

    20. Re:Welcome to 3 years ago by steelfood · · Score: 5, Funny

      Plane ticket: $350
      Hotel room for 5 nights: $500
      Rental car for 6 days: $200
      Broadway show tickets for two: $300
      Finding out your VISA card doesn't work but your Master Card does: priceless.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    21. Re:Welcome to 3 years ago by Threni · · Score: 1

      You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high. It's been so successful at stopping credit card theft/fraud that crooks turned quickly to cheques... which is why cheques are now on the way out in the UK - they're now just too risky.

      It's also more secure because you need to enter a PIN number, so if you lose your card the chances of it being used for fraud are far lower. Very few shops will accept PIN-less transactions now.

    22. Re:Welcome to 3 years ago by jimicus · · Score: 2, Informative

      You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high.

      Really?

      You'd better tell the people whose chip cards have been cloned.

    23. Re:Welcome to 3 years ago by Threni · · Score: 2, Insightful

      Your problems are all related to the desire to stop fraud. You're not a subversive - you're just a little unusual. If you use a mag swipe and the card turns out to be stolen, the store loses out. So, unsurprisingly, some stores would rather not serve you. With chip and pin, they'll not lose out if the card turns out to be stolen/fraudulently used. Ditto the post code - they wanted it so they could check it against the postcode the card is registered against. In the perfect world the store staff would know some people, especially tourists/foreigners, don't have chip and pin cards but really the store staff don't give a shit about you - they're just there to get paid, and frankly don't care whether you buy anything or not. I'm sure the store managers are a little more concerned you have a good time, but you're just going to have to get used to being asked awkward questions, or perhaps pay cash.

    24. Re:Welcome to 3 years ago by Anne_Nonymous · · Score: 4, Informative

      Also:

      1. Always carry more than one card (one each of Visa and MC for example).
      2. Don't bother with AMEX or their Traveler's Checks, since neither is accepted as widely.
      3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).
      4. When withdrawing money, use the ATMs of worldwide banks rather than local banks (BNP and HSBC work especially well).
      5. Carry the overseas phone number of your cards' banks somewhere else besides your wallet or money belt.

    25. Re:Welcome to 3 years ago by Threni · · Score: 1

      My problems are nothing to do with that. I phoned my bank and they said that wasn't the problem. Yes, there's a `holiday bit` you can have set for a period of time, but my bank still said my card was useless there.

    26. Re:Welcome to 3 years ago by slimjim8094 · · Score: 1

      Yeah, chip cards have been hacked for years in satellite TV systems. Much harder than a magstripe, hard enough that there are easier ways to steal someone's money, but still possible.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    27. Re:Welcome to 3 years ago by Threni · · Score: 1

      An old story. Do your research properly next time - sometimes 30 seconds with Google isn't enough.

      Those chips weren't cloned. The store staff were threatened into allowing fairly obviously doctored chip and pin devices, which captured people's PIN numbers/mag stripes, to be used in the garage, and the data was captured that way.

    28. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 1, Insightful

      It's not a magnetic stripe. In Europe they have actual chips embedded in the cards like RFID.

      I am well aware of the smartcard chips found in many countries.

      But:

      - Many banks issue cards with CHIPS and with MAGNETIC STRIPES since there still are many merchants without CHIP readers
      - His bank issues cards with CHIPS and with MAGNETIC STRIPES
      - His bank declines all transactions with MAGNETIC STRIPES

      My question was why do they bother with MAGNETIC STRIPES on their cards since they are always declined? It would be easier to issue cards WITHOUT magnetic stripes since then you wouldn't try to use the MAGNETIC STRIPES, and then call up the bank asking about the failed purchase.

    29. Re:Welcome to 3 years ago by Acron · · Score: 1

      I see this on newegg.com (the only place I shop that has this). With the noscript block in Firefox, they redirect you to the Visa site, which then sends you right back to the Newegg site, and your transaction goes through. So the technology is so broken it works when it doesn't work at all.

    30. Re:Welcome to 3 years ago by zonky · · Score: 1

      Oh no, they still wanted to know my postcode, even when I paid by cash. I walked out of two stores saying I didn't have one, and if I did have a postcode, I wouldn't be sharing it.

    31. Re:Welcome to 3 years ago by mrcaseyj · · Score: 1

      You'd better tell the people whose chip cards have been cloned.

      That article mentions the cloning of the magstripes and the capture of PIN numbers, but it doesn't explicitly mention the cloning of the chip. Cloning magstripes is almost trivial. Capturing PINs isn't too hard. But cloning a chip should be very difficult without destroying the card and having long term access to the card. Even then it should be very difficult. Are there any demonstrated examples of criminals cloning credit card chips (or extracting the private cryptographic key)? There may be proof of concept demonstrations done by researchers, particularly on satellite cards, but has it been found in the wild for credit cards? And has it been verified, not just a crooked card holder falsely claiming his card was stolen?

      Of course cloning the magstripe shouldn't do any good without the chip. Are some locations accepting cards with only a magstripe and pin and non-functioning chips?

      While these chip and pin systems might tend to shift liability to the card holder, the reduction in the number of frauds might nevertheless make it cheaper for the card holder anyway. The American system of giving every merchant and his employees all the information needed to max out your credit card account seems almost insane. Chip and pin and/or a push system of payment like PayPal makes a lot more sense to me.

    32. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 1, Interesting

      Many retailers refused to believe, or be able to sell to me if i didn't have a postcode. (i'm visiting. Why do you need a postcode? I don't have one!)

      Ah, some form of tv/video equipment?

      Retailers are required by law to take the address of anyone purchasing equipment capable of receiving TV signals to pass on to TV Licensing (sweet and fuzzy name for Centrica, which is essentially a collection agency). Of course, taking a full address is slow, so most retailers only have terminals equipped to take name, postcode and building number. Tip: Buy in cash and give SW1A 2HQ, building 1.

      Of course, a lot of retailers have miscategorised some of their products, and I've been stung by that one while buying a composite video capture device.

    33. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 1, Insightful

      Of course you would never use your bank account number, but what's the risk with a credit card? If there's a fraudulent charge, you dispute it and pay nothing. Maybe I'm wrong, but I've never heard of PayPal providing the same level of protection as a credit card.

    34. Re:Welcome to 3 years ago by Threni · · Score: 1

      That is odd. Probably a marketing thing, unless you were buying a TV (where they need your address so they can ensure The Authorities know where to check up on your TV licence) or a mobile phone (for similar reasons, although this isn't enforced).

    35. Re:Welcome to 3 years ago by scamper_22 · · Score: 3, Interesting

      There's a very easy solution to this problem. I'm sure they have a similar system elsewhere, but Interac (debit card) in Canada allows you to pay online. I use it for shopping at ncix.com for example.

      You setup an account with the merchant.
      You do your shopping... add to cart... go to checkout... they give you a bill.

      You then log into your online bank separately! and from your bank account you transfer money to the merchants account.

      The merchant never sees your password and phishing is near impossible because you have to logon to your bank account separately. It's a bit inconvenient, but it's a much more secure system. You don't even have to trust the merchant as they never see your password info. They just wait for the money.

      There's no other way to really do it. Even if they showed a URL in the Verified by Visa scheme, you would still need to check it... a shady merchant could fake it...
      About the only other way would be to have some trusted authorities built into the browser (like we do with certificates). The site can request the browser to 'bring up secure payment for visa'... and it handles it with a non-webpage login/payment system.

    36. Re:Welcome to 3 years ago by jimicus · · Score: 2, Interesting

      But cloning a chip should be very difficult without destroying the card and having long term access to the card. Even then it should be very difficult. Are there any demonstrated examples of criminals cloning credit card chips (or extracting the private cryptographic key)?

      I did look a bit further after posting.

      It would seem that the chips aren't cloned in their entirety - however it is possible to create a fake card which is good enough to fool some machines in some circumstances.

      There may be proof of concept demonstrations done by researchers, particularly on satellite cards, but has it been found in the wild for credit cards? And has it been verified, not just a crooked card holder falsely claiming his card was stolen?

      Of course cloning the magstripe shouldn't do any good without the chip.

      There are some instances of magswipe readers being attached to cash machines. The data isn't much good in the UK (it identifies that the card has a chip, and most if not all UK cash machines read the chip) but it is enough to create a fake card with just the magnetic stripe and use it in a country where chipped cards are unknown.

      Are some locations accepting cards with only a magstripe and pin and non-functioning chips?

      Not possible unless you're the bank - the magstripe doesn't contain the PIN. The verification process is "card reader asks the chip if the PIN supplied is OK. Chip says either yes or no". Incidentally, this is a weak spot - build a chip which always says "yes" and suddenly you don't need the cardholder's PIN.

      While these chip and pin systems might tend to shift liability to the card holder, the reduction in the number of frauds might nevertheless make it cheaper for the card holder anyway.

      Banks have not reduced their charges as a result of this system - indeed, most personal UK bank accounts are free of charge anyway. Where you get charged is if you have a business bank account or if you exceed your overdraft limit - and if you exceed your overdraft limit, boy do you get charged.

      The American system of giving every merchant and his employees all the information needed to max out your credit card account seems almost insane. Chip and pin and/or a push system of payment like PayPal makes a lot more sense to me.

      Better, yes. However, the banks are (or at least were originally) taking the line that it's 100% cast-iron foolproof, which is obviously balls.

    37. Re:Welcome to 3 years ago by moreati · · Score: 1

      Of course cloning the magstripe shouldn't do any good without the chip. Are some locations accepting cards with only a magstripe and pin and non-functioning chips?

      As I understand it these places are called East Europe, Asia, Africa, North America, South America and Weatherspoons.

    38. Re:Welcome to 3 years ago by orlanz · · Score: 2, Insightful

      I am a long time credit card user (don't believe in cash). I ran into this a few months back with Walmart online. It actually looked like a scam. And you are right about the security aspect, just an offloading of (increased) risk. It pops out of nowhere and the new page's instructions clearly said it was optional and I could hit cancel. BUT, there was no cancel button, I even looked in the source code. So I closed the browser.

      This was considered _fraudulent_activity_ and locked my card for a while (automatic, no warning). I basically had to tell them: I don't want to sign up for the "optional feature" and I leave it to you if you want to keep my card locked. I just started using my MC. A Visa card that used to get charged 2-3k a month in business charges now gets about $50. I think Visa completely, utterly screwed up with not only the idea, but the implementation, and the very approach of presenting the system. A colossal failure for Visa and a big win for MC. If MC starts it, rest assured, I will move to Discover and so on with Paypal at the end.

      A credit card is supposed to provide you with security and convenience. This system gives you neither! Now, you basically have the risk of a TON of cash sitting behind yet another password only _you_ are supposed to know. There are better ways to provide FAR more security with a negligible loss of convenience at a slightly higher price (ex: personal and one time pins), but I guess Visa just wanted to waste money tricking its customers into accepting a lot of the merchant's and Visa's risk.

    39. Re:Welcome to 3 years ago by jonbryce · · Score: 3, Informative

      Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.

    40. Re:Welcome to 3 years ago by zonky · · Score: 1

      Once was for a 3G data card, true, but other times it was clothing etc. etc. In one shop they were unable to sell us gumboots because their point of sale couldn't cope with us refusing a postcode.

    41. Re:Welcome to 3 years ago by orlanz · · Score: 1

      Chips are harder, but still hardly difficult to clone. In general, time and access are inversely linked to security. Chips have both working against them, just like mag stripes, but a very dynamic PIN greatly reduces both. So far, the cost-benefit analysis seems to speak for chips, but that's only because the fraud so far has been small time with small costs. The second chips (in their current form) become much more widespread, you can bet the bigger players will get involved.

      Checks (US) have always been risky. The verification system is OLD and slow and stupid. Even the fraud constructs are old and stupid. The banks compensated by offloading as much risk as possible to the originator via high fees and being a PITA. The system is inefficient and also expensive to maintain. The latter is probably more a reason why the UK is scrubbing them out.

    42. Re:Welcome to 3 years ago by TheRaven64 · · Score: 2, Interesting

      Merchant banks will only guarantee the transaction with the chip and pin. If you don't (or can't) use it then the retailer will be liable for fraud. Big shops, like Tesco, will not care because it's better for them to eat the cost of fraud and maintain good customer relations. For smaller shops, it might cost them their profit margin to accept it.

      --
      I am TheRaven on Soylent News
    43. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      Oh wow, thanks for typing that. The same exact thing happened to me about a year ago on Newegg. I just somehow clicked my way away from Visa and got back to Newegg. I was a bit puzzled that you could just drive around the roadblock like that!

    44. Re:Welcome to 3 years ago by mrcaseyj · · Score: 2, Interesting

      It would seem that the chips aren't cloned in their entirety - however it is possible to create a fake card which is good enough to fool some machines in some circumstances.

      The machines that would take a cloned card are probably the ones that will work with only the magstripe. That would protect the card holder somewhat against fraudulent charges, especially if the charge was in another country. You still might have a hard time getting your money back if your pin was used though.

      Are some locations accepting cards with only a magstripe and pin and non-functioning chips?

      Not possible unless you're the bank - the magstripe doesn't contain the PIN. The verification process is "card reader asks the chip if the PIN supplied is OK. Chip says either yes or no". Incidentally, this is a weak spot - build a chip which always says "yes" and suddenly you don't need the cardholder's PIN.

      In the US cards don't typically have chips. They only have mag stripes. But ATM cards work with a pin even though they don't have a chip. The card reader pin pad encrypts the pin after it is typed, and sends it to the bank and the bank confirms if the pin is correct. No chip is needed in the card. I assumed UK cards could work similarly with regard to the pin, though with additional protection provided by the chip. With the pin being stored only at the bank and in the card holder's brain, it doesn't matter what the card says about the validity of the pin. The card need not even know what the pin is.

      While these chip and pin systems might tend to shift liability to the card holder, the reduction in the number of frauds might nevertheless make it cheaper for the card holder anyway.

      Banks have not reduced their charges as a result of this system - indeed, most personal UK bank accounts are free of charge anyway. Where you get charged is if you have a business bank account or if you exceed your overdraft limit - and if you exceed your overdraft limit, boy do you get charged.

      The reduced fraud costs might not show up in direct charges. Merchants competing on price could reduce retail prices with lower fraud and negotiate lower merchant fees with card companies who would also have less fraud costs. And credit card interest rates could also be lowered a little. On the other hand, saving one percent on all your purchases might not be much consolation if you're one of the unlucky few that gets stuck with a fraudulent $10000 bill, because chip and pin allowed the bank to transfer the liability to you. It must also be remembered that banks don't always make it easy to get your money back even if chip and pin isn't used. If the charge is from Nigeria, then they'll probably have to give you your money back, but if the charge is made locally or shipped to your house and intercepted, you might have a hard time convincing them it was fraudulent. Chip and pin would probably drastically reduce such charges. I expect chip and pin and this verified by visa thing would be beneficial to us card holders over all.

      The real solution to this though is that cards need to have a display and pin pad on the card. That's hard because they're thin, but the system would be much more secure. A fake pin pad would not be able to capture the pin (though a camera still might). And the card holder could see on the display who the payment was being sent to and how much was being sent. Such a system could even be used on a poorly secured home computer without much worry, since no transaction could take place without the card holder physically authorizing it and seeing the amount and destination on the card's secure display. If the card's operating system was simple enough, it would stand a reasonable chance of being virus proof.
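      As an added example (not code from this thread or from any card scheme), here is a small Python model of the online PIN path this reply describes, set against the "ask the chip" model quoted above: the PIN pad builds an ISO 9564-1 format 0 PIN block, encrypts it, and only the issuer checks it, so nothing the card asserts can change the outcome. The PAN, zone key, HMAC-derived keystream cipher and the issuer's PBKDF2 reference are constructed stand-ins for the example, not real scheme values; it also handles the failure cases of a malformed block and an unknown PAN.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example (not a real card number or key).
ZONE_PIN_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_PAN = "4321123456789012"


def pan_field(pan: str) -> bytes:
    """ISO 9564-1 format 0 PAN field: '0000' followed by the twelve rightmost
    PAN digits excluding the check digit (the final digit)."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short for a format 0 PIN block")
    return bytes.fromhex("0000" + digits[-13:-1])


def pin_field(pin: str) -> bytes:
    """Format 0 PIN field: control nibble 0, PIN length, PIN digits, 'F' padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def clear_pin_block(pin: str, pan: str) -> bytes:
    """PIN field XOR PAN field: the block is bound to the card it was entered for."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def extract_pin(block: bytes, pan: str) -> str:
    """Inverse of clear_pin_block; raises ValueError on a malformed block."""
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() or pad != "F" * (14 - length):
        raise ValueError("malformed format 0 PIN block")
    return pin


def _keystream(key: bytes, nonce: bytes) -> bytes:
    # Stand-in (assumption) for the 3DES/AES encryption a real PIN pad performs
    # under a zone PIN key; an HMAC-SHA256 keystream keeps the example dependency-free.
    return hmac.new(key, nonce, hashlib.sha256).digest()[:8]


def encrypt_pin_block(key: bytes, block: bytes) -> bytes:
    nonce = secrets.token_bytes(8)
    return nonce + bytes(a ^ b for a, b in zip(block, _keystream(key, nonce)))


def decrypt_pin_block(key: bytes, message: bytes) -> bytes:
    nonce, ciphertext = message[:8], message[8:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce)))


class Issuer:
    """Holds the zone key and a per-PAN PIN reference (a salted PBKDF2 hash here,
    a constructed stand-in for a real issuer's PVV or PIN offset)."""

    def __init__(self, zone_key: bytes) -> None:
        self._zone_key = zone_key
        self._reference: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _digest(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def enrol(self, pan: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._reference[pan] = (salt, self._digest(pin, salt))

    def verify(self, pan: str, encrypted_block: bytes) -> bool:
        """The only place the PIN is checked; unknown PAN or malformed block fails closed."""
        if pan not in self._reference:
            return False
        try:
            pin = extract_pin(decrypt_pin_block(self._zone_key, encrypted_block), pan)
        except ValueError:
            return False
        salt, reference = self._reference[pan]
        return hmac.compare_digest(self._digest(pin, salt), reference)


def pin_pad_entry(zone_key: bytes, pan: str, pin: str) -> bytes:
    """What leaves the PIN pad: an encrypted PIN block, never the PIN itself."""
    return encrypt_pin_block(zone_key, clear_pin_block(pin, pan))


def offline_pin_decision(card_says_ok: bool) -> bool:
    """Offline PIN as the thread describes it: the terminal asks the chip and
    believes the answer, so the decision is only as honest as the chip."""
    return card_says_ok


def online_pin_decision(issuer: Issuer, zone_key: bytes, pan: str, pin: str,
                        card_says_ok: bool) -> bool:
    """Online PIN: the issuer decides from the encrypted block; the chip's own
    opinion of the PIN is deliberately never consulted."""
    del card_says_ok  # kept only to make the contrast with offline_pin_decision explicit
    return issuer.verify(pan, pin_pad_entry(zone_key, pan, pin))
```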

    45. Re:Welcome to 3 years ago by TheReal_sabret00the · · Score: 1

      If I had mod-points, Weatherspoons on the end there would've got you one.

    46. Re:Welcome to 3 years ago by shermo · · Score: 1

      unsurprisingly, because the stakes are so high.

      Yeah, just like how my online banking doesn't use an authenticator but my WoW account does.

      --
      Insanity: voting in the same two parties over and over again and expecting different results
    47. Re:Welcome to 3 years ago by shermo · · Score: 1

      6. Make sure your credit card has a pin number on it. In some countries this is universal, in others it's not used at all.

      --
      Insanity: voting in the same two parties over and over again and expecting different results
    48. Re:Welcome to 3 years ago by Briareos · · Score: 1

      The magnetic strip was actually what saved the banks' collective asses in Germany recently when the chips on their cash cards turned out to have a serious Y2k10 problem... so maybe the stripes DO work in the UK when the chip is fried?

      (Then again what kind of security is that if I can just damage/destroy the chip and the card'll work anyway?)

      np: Barbara Morgenstern - Deine Geschichte (BM)

      --

      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

    49. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      I travel extensively and, like Threni, my card has been declined innumerable times because, as Visa states, it is not in my normal spending habits. If doing the same thing and travelling as much as I do is not my normal habit, what is??? And they call this security?

      Gary
      Master Affiliate Marketing Now

    50. Re:Welcome to 3 years ago by gilgongo · · Score: 1

      You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident. It's not been cracked yet. It's been done really well - unsurprisingly, because the stakes are so high.

      Really?

      You'd better tell the people whose chip cards have been cloned.

      And Google turns up rather a lot of reported incidents of chips and their readers being compromised on a grand scale. Here are just the first three I found:

      http://www.telegraph.co.uk/news/uknews/2963534/Three-fraudsters-jailed-for-elaborate-petrol-station-credit-card-scam.html

      http://www.northamptonchron.co.uk/news/Cards-compromised-in-petrol-station.4870282.jp

      http://forums.moneysavingexpert.com/showthread.html?t=1025761

      --
      "And the meaning of words; when they cease to function; when will it start worrying you?"
    51. Re:Welcome to 3 years ago by Kalriath · · Score: 1

      It's called MasterCard SecureCode, and it's been around for ages.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    52. Re:Welcome to 3 years ago by he-sk · · Score: 1

      Why would you want to rent a car in New York City?

      --
      Free Manning, jail Obama.
    53. Re:Welcome to 3 years ago by the_arrow · · Score: 1

      Last time I was in England, three or four years ago, I had to try my chip-and-pin three times before they just used swipe-with-pin, even though I told them it would not work. Whether it was company policy, the policy of their bank or a general rule I don't know. It will be fun to see how it will be when I visit next week.

      --
      / The Arrow
      "How lovely you are. So lovely in my straightjacket..." - Nny
    54. Re:Welcome to 3 years ago by mcfedr · · Score: 1

      They put them there because they can be used abroad with most banks; there are still a few shops in the UK that don't have chip and pin, and I'm fairly sure ATMs use the stripe, not the chip, at least some older models. Also, it's not like it cost them anything to put it there, probably more to remove it.

    55. Re:Welcome to 3 years ago by mgoff · · Score: 1

      This likely only happened because you were in the boondocks. We just moved back to the States from two years in London. It took forever to get a current account (checking) set up when we first moved to England, so we lived on our US Capital One card (no ForEx charges) for nearly a month. We were never once hassled for using a non CnP card-- everyone knew to swipe it. I don't recall ever having to give my post code the whole time I was there either.

      On topic, I think CnP has to be more secure than swipe and keyboard pin as used for debit card transactions in the US. Seems like it would be trivial to skim the stripe data and the pin pads are not private at all.

    56. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      Exactly why biometric security needs to be treated very carefully. If someone gets their biometrics associated with your identity, good luck unwinding that mess.

    57. Re:Welcome to 3 years ago by ivucica · · Score: 1

      Bit like the DNA-as-evidence which is a similar joke. If I can plant your DNA or your fingerprint, I can go killing as you and good luck trying to explain that to the Police.

      FTFY.

    58. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 1, Informative

      Tell them it is SW1A 2AA, and when they ask for the house number, tell them it is number 10.

      I really did give that exact post code, last time I bought a TV. The poor sales clerk confirmed the address on the till -- "Prime Minister and First lord of the treasury". Didn't ask me for the number.

      The TV before, I asked why I needed to provide an address. I was assured it wasn't for marketing reasons. I gave my work address -- BBC Television Centre, Wood Lane, London, W12 7RJ.

      12 months later, I receive a letter from Comet at work telling me my guarantee was due. No way they could get that address aside from the "TV Licensing demands it, not for marketing use".

    59. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      What exactly does this have to do with Visa or Mastercard? Either your bank is an idiot or one of your banks is an idiot, whichever issued the particular Visa. Visa and Mastercard both have perfectly good implementations by lots of European banks that work perfectly well anywhere in the world, whether by chip and pin or by magnetic strip swipe and signature.

      In fact, it's much more annoying the other way around, as in using a North American credit card in a European country where chip and pin is used exclusively. Yes, the merchants can 100% process the transaction with a swipe and signature, but the distrust oozing from salespeople who haven't seen such a thing is enormous. Always fun when a manager has to be called and everyone is looking at you like you're attempting to rob the place. Always makes you wonder when the first time will be that some eager youngin calls local PD to sort things out.

    60. Re:Welcome to 3 years ago by Guppy · · Score: 1

      You can't clone a chip, period. The devices which read them are tamper resistant and tamper evident.

      Here in the U.S., when cars started coming out with chipped ignition keys, some insurers followed similar reasoning. Whenever a car with the security feature was stolen, they pretty much decided that the owner had to be in on the theft. As a result, purchasing a car with electronic security features was a good way to put yourself in jeopardy, or at least render your insurance worthless.

      Eventually, enough thieves were busted red-handed while compromising such systems that the evidence became irrefutable, but it took a long time for some companies to acknowledge it.

    61. Re:Welcome to 3 years ago by tresho · · Score: 1

      Whenever a car with the security feature was stolen, they pretty much decided that the owner had to be in on the theft.

      I was not aware that the chipped ignition key system was capable of preventing a car from being loaded on a flat bed truck & carried away. I learn something new here every day.

    62. Re:Welcome to 3 years ago by barzok · · Score: 1

      Nobody drives in New York City. There's too much traffic.

    63. Re:Welcome to 3 years ago by orlanz · · Score: 1

      Yeah, I know MC has something similar, but it is actually optional. The Visa one was advertised as optional, but not in the strictest sense. Visa had it for a very long time too, but I guess not too many people were signing up so they decided to push it a bit. I fear MC will do the same and when they do, I will drop them. I already messaged a thank you to them twice for not going the Visa route; here's hoping they read and care about them.

    64. Re:Welcome to 3 years ago by BitZtream · · Score: 1

      You realize MasterCard and Visa are really one and the same ... right?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    65. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      Wait, are you saying that if a large, almost oligopolistic business saves money in the back-end, they'll pass it on to the customers, especially those who are already used to high charges?

      Since when?

    66. Re:Welcome to 3 years ago by Fred_A · · Score: 1

      It's not a magnetic stripe. In Europe they have actual chips embedded in the cards like RFID.

      There's also a magnetic stripe though, although they don't necessarily look like one nowadays. The ATMs rely on their presence.

      Presumably the card was refused in the US because it "looked weird" to the cashier who wasn't very familiar with what the other 95% of the planet uses.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    67. Re:Welcome to 3 years ago by g0at · · Score: 1

      What's with the anti- 1 and 0 restriction? I've never heard of that before. What is special about those two numerals?

      b

    68. Re:Welcome to 3 years ago by g0at · · Score: 1

      Same deal here in Canada.

      b

    69. Re:Welcome to 3 years ago by iangoldby · · Score: 1

      If I can fool you into giving me your 3DS password somehow, I can shop online as you with great false trust, and the merchants don't care because they're protected.

      You don't even need my password. The password restrictions are such that when I first was forced to start using "Verified by Visa" I could not remember my password. I pressed the 'forgot password' button and in order to reset my password and continue with the transaction I was asked to enter, guess what:

      # my VISA card number
      and
      # my date of birth

      (This is with a UK bank.) That's all. Assuming that the person trying to make a fraudulent purchase with my card number knows my card number (a safe assumption?) the only other bit of information they need is my date of birth. That really would not be very difficult to find out.

      I forgot and reset my password about the first dozen times I used the system. I started putting in random passwords with no attempt to memorise them.

      I thought this might flag up suspicious activity and my card be blocked, but... nothing.

    70. Re:Welcome to 3 years ago by CaptainZapp · · Score: 1
      Here around Europe it's only optional for the first six purchases. Then you either register or you don't buy from merchants using the system.

      Unfortunately I buy airline tickets with my card and airlines around here all insist on it.

      What worries me a bit, apart from the phishing potential, is using the card in a dodgy internet cafe in Bucharest, or so, for payment, since you're really not quite sure about the potentially sinister software running on the box.

      --
      I am the musician

      with pocket calculator in hand

      Kraftwerk

    71. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      Yes, in the UK we have both chip and stripe.

      I have used the stripe a couple of times. The merchant can tell you to swipe if the chip seems to be malfunctioning. If you swipe they do it the american way, and you have to sign the receipt afterwards (even though I hadn't even signed the back of my card at the time...).

    72. Re:Welcome to 3 years ago by Threni · · Score: 1

      > It would seem that the chips aren't cloned in their entirety - however it is possible to create a fake card which is good enough to fool some machines in some circumstances.

      The chips aren't cloned at all. They've never been cloned. They've been well designed. The cards usually contain mag stripes as well, and it's those which have been attacked, not the chips, no matter how many clueless websites (run by the Daily Mail, and aimed at elderly Daily Mail readers who dislike technology and fear change) run articles to the contrary.

    73. Re:Welcome to 3 years ago by Anonymous Coward · · Score: 0

      As a customer, the worst part is when the merchant doesn't bother to tell you "oh hey we're going to redirect you to this other site now" and first anti-XSS blocks the page transfer, then the page fails to work anyway thanks to noscript blocking the JS.

      Even after I added all the appropriate whitelists, when I buy from a site that uses it, all it does is flash the logo up on the screen then take me back to the merchant's site where I finish the transaction.

      Similarly, NoScript blocks some URIs that contain "(" and ")". Some ancient standards state that you shouldn't use these characters anywhere in a URL, but up until now nobody has ever bothered. This problem is independent of NoScript being in blacklist or whitelist mode. I've written to the webmasters of a couple of Swedish government sites that have this problem; they won't fix their pages because no other (huh!?) visitors use Firefox with NoScript, and suggest that I inactivate NoScript (which means I can't visit these government sites at the same time as I do my regular web surfing; Firefox without NoScript is worse than Internet Explorer).

    74. Re:Welcome to 3 years ago by HungryHobo · · Score: 1

      What I don't get is why.
      In this day and age why they don't use a decently secure system with some crypto built in.

      I'm sure this isn't perfect but this is off the top of my head so I'm sure there's plenty of people who could offer ideas for improvement:

      My ideal:

      Card with decent bit length private key stored on it in such a way that it cannot be retrieved without shaving the plastic off the card.
      Allow card to be hooked up to a computer using some standard connection like micro-usb or some such. [suggestions for best/cheapest method for connecting card?]
      Use protocol which requires pin from user (hashed+salted on card) before the card will sign the challenge and authorise the transaction.

      That way it at least requires the card to be present (can't just rip it when someone uses it to pay for gas). If your card is stolen you have a chance to know about it and can cancel the card. If it just gets lifted when you pay for gas then it's more of a problem.

      Less complex cheaper but still better than current system:
      have the card given to the user be similar to those cards used for 2 factor auth which display a different number every few minutes.
      build it such that the whole contents of the card cannot be ripped without mutilating the card.

      I know perfect security is impossible given the physical access aspect but we can at least make it so that your card has to physically no longer be in your possession for your CC details to be stolen.

      Personally I don't use a CC because I don't like how awful and insecure the current system is.
      Thoughts, suggestions?

    75. Re:Welcome to 3 years ago by jrumney · · Score: 1

      If I can fool you into giving me your 3DS password somehow

      Why would you need to do that? Just click the "Forgot my Password" button and you can reset the password to whatever you want, using the same information you need to make the purchase plus one piece of information which can be looked up in public records.

    76. Re:Welcome to 3 years ago by fmoliveira · · Score: 1

      How there is traffic if nobody drives there?

    77. Re:Welcome to 3 years ago by RockDoctor · · Score: 1

      Most merchants refuse to deploy it anyhow unless forced. It causes a 5-8% immediate drop in throughput. I wouldn't use a site that used it either.

      Sounds like an underestimate to me - I've already shit-canned one credit card because their implementation of VbV was so god-fuckingly horrible that it was impossible to use their card online. I now have disposed of fragments of the card over two continents and reduced the balance to them owing me about the price of a cigarette - which imposes a cost on them of maintaining the account. The other card I have which uses VbV allows me to violate a basic security principle to make the system usable, so I still use it. But I know that I'm breaking a security rule, so I probably use it less than I used to.

      VbV can be an absolute nightmare for a user. Big foot-shot!

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    78. Re:Welcome to 3 years ago by bearsinthesea · · Score: 1

      Also: Make sure your PIN is only 4 digits, some places do not accept longer PINs.

    79. Re:Welcome to 3 years ago by Ed+Avis · · Score: 1

      You wouldn't be able to fool me into giving my 3DS password since I don't remember it. Every time that Verified By Visa thing comes up, I have to go through the process of choosing a new password. The only extra information I have to provide, beyond what's printed on the card, is my date of birth. So I type that in and then cycle through about eight passwords I've previously used (it won't let you use one you have chosen before) before finding a new, unique one which I use for that transaction and then promptly forget.

      --
      -- Ed Avis ed@membled.com
  2. Re:Lol by satoshi1 · · Score: 1

    That's probably what people will fail to realize as they start commenting on this article.

  3. Re:Lol by tatsuyame · · Score: 5, Interesting

    It's not. I tried making a purchase on newegg, got to the Verified by Visa page, but the frame didn't show anything. Assuming that the purchase wouldn't go through, I tried making the same purchase on my other computer. Frame loaded, entered password, purchase went through. However, the first purchase went through, even though I never entered the password for that one. So yeah, I'm guessing it doesn't really do anything to protect you.

  4. I switched credit cards by Alrescha · · Score: 1

    For all sites that I visited that tried to make me jump through the dumb VbV hoops, I switched to American Express.

    I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.

    A.

    --
    ...bringing you cynical quips since 1998
    1. Re:I switched credit cards by pavon · · Score: 2, Insightful

      I thought and still think that it is dumb to encourage consumers to type confidential information into a random pop-up page from a different web site than the one they are visiting.

      No kidding. What is worse is that every time I have been shown the verification page, it wasn't even hosted at something obviously legitimate like verify.visa.com, but rather the domain was some other corporation related to Visa (can't remember the name right now).

    2. Re:I switched credit cards by Anonymous Coward · · Score: 2, Insightful

      In the UK, the server's domain name is securesuite.co.uk. How is the average user going to be aware that the domain is legit? Furthermore, most merchants seem to use iframes (seen some popups too) so you can't even see the domain unless you right-click->properties. Pretty stupid.

  5. I'd rather use by sconeu · · Score: 4, Insightful

    Single-use CC numbers. But my Visa (issued by my Credit Union) doesn't have one, and AMEX doesn't do them any more.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:I'd rather use by Anonymous Coward · · Score: 0

      Like most engineering issues there is a trade-off between security and other factors like ease of use, throughput, user acceptance, etc. Unlike security researchers, banks and merchants are in business to make money so they tolerate security breaches in exchange for improved efficiency. For another example, businesses often don't require signatures on change purchases since it only slows down the checkout process requiring more checkers for a given volume of transactions.

    2. Re:I'd rather use by slimjim8094 · · Score: 1

      I'm not smart enough to figure out how many credit card numbers exist - except that I know that it's not 10^16 because many numbers are invalid. For anyone who wants to figure this out, credit cards need a merchant code and an account code. I think the account code can be pretty arbitrary, but there are only a dozen or so merchant codes. And the whole thing needs a checksum.

      Are there enough credit cards to let everyone use single-use numbers all the time? Maybe we should get only one alternate card number, whose default state is "locked" except for explicitly stated merchants, which default back to "locked" after one charge...

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:I'd rather use by pdbaby · · Score: 3, Informative

      There are enough numbers. Each issuer has 1 trillion numbers and there's about a million possible issuer numbers... there's a useful description of the anatomy of credit card numbers at http://www.merriampark.com/anatomycc.htm

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
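
The checksum slimjim8094 mentions and the issuer/account split pdbaby describes, as an added example rather than anything from the thread: card numbers follow ISO/IEC 7812, with a 6-digit issuer identification number (the prefix slimjim8094 calls a "merchant code"), an account identifier, and a final Luhn check digit, for 12 to 19 digits in total. The code below validates a PAN, computes the check digit for a given issuer-plus-account prefix, splits a number into its parts, and counts how many account identifiers one IIN can carry at a given length (10^9 at 16 digits, 10^12 at the 19-digit maximum). The test number 4111111111111111 is a constructed, well-known sample, not a real account.

```python
# Added example (not from the thread): PAN structure and the Luhn check digit.
# Layout per ISO/IEC 7812: 6-digit IIN, account identifier, one check digit;
# total length 12 to 19 digits.
import re

PAN_MIN, PAN_MAX, IIN_LEN = 12, 19, 6


def _digits(pan: str) -> str:
    """Strip the spaces/dashes people type; anything else is not a PAN."""
    cleaned = re.sub(r"[ -]", "", pan)
    if not cleaned.isdigit():
        raise ValueError("PAN must contain only digits, spaces or dashes")
    return cleaned


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit, fold 10-18 to 1-9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True when the PAN has a plausible length and its Luhn sum is 0 mod 10."""
    digits = _digits(pan)
    return PAN_MIN <= len(digits) <= PAN_MAX and luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit to append to IIN + account so the whole PAN passes Luhn."""
    s = luhn_sum(_digits(partial) + "0")
    return str((10 - s % 10) % 10)


def anatomy(pan: str) -> dict:
    """Split a valid PAN into issuer prefix, account identifier and check digit."""
    digits = _digits(pan)
    if not luhn_valid(digits):
        raise ValueError("invalid PAN")
    return {"iin": digits[:IIN_LEN], "account": digits[IIN_LEN:-1], "check": digits[-1]}


def account_space(pan_length: int) -> int:
    """How many account identifiers a single 6-digit IIN can carry at this length."""
    return 10 ** (pan_length - IIN_LEN - 1)
```

The Luhn digit only catches typos and single transpositions; it carries no secret, so passing it says nothing about whether a number is issued or live. It is still the first filter a payment form, tokeniser or DLP rule applies before anything touches the network.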
    4. Re:I'd rather use by Anne+Thwacks · · Score: 1
      Like most engineering issues there is a trade-off between security and other factors like ease of use

      VbV has traded both of them away completely. It never works for me, and there is plenty of evidence that it encourages users to give away security information to sites they can't verify. (See above)

      I suspect they keep changing their mind about whether the first character in the password is numbered 0 or 1. Either that, or it forgets a lot. It gets worse if you have more than one card: there is no way for you to know which ID goes with which card!

      --
      Sent from my ASR33 using ASCII
    5. Re:I'd rather use by Anonymous Coward · · Score: 0

      As long as you don't use the browser extension to generate them. They're all written by a company owned by Mastercard, and the code is awful, so it will crash your browser (consistently, but at times when you aren't making purchases which will make you think it's "random").

      This applies to Visa, Citi, PayPal, Discover, and some others (since it's all the same code).

  6. oops! by methano · · Score: 1, Interesting

    I first read this as Verified by Vista and I wasn't surprised. Just thought they were beating a dead horse.

  7. I just use Paypal by Monkeedude1212 · · Score: 1

    They verified my Visa a long time ago - and it's easier to remember my email address and a password than it is to try and find my card to enter the numbers online.

    1. Re:I just use Paypal by Itninja · · Score: 1, Interesting

      I use the Paypal debit card and get the best of both worlds, so to speak. And my Paypal account is tied to a bank account I only use for online purchases. There is only enough money in there for what I am about to buy. So even if someone does hax0r my Paypal card, there's nothing for them to steal.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:I just use Paypal by Neoprofin · · Score: 3, Informative

      Unless Paypal decides to shut down your account for no reason, or drain more money from the bank account than you've ever put in it for obvious reasons. Both of these are quite common if you've been following any of the Slashdot stories about Paypal.

    3. Re:I just use Paypal by Anonymous Coward · · Score: 0

      Don't you hate it when you assume PayPal will do the logical thing when withdrawing $$ from your account (in the order the transaction was received) but instead debit your account in descending order (greatest $$ amount transaction gets debited first)? And if you don't have the cash for that because you weren't expecting it to be debited so quickly, you receive a $30 NSF penalty from your bank (Non-sufficient funds).

      I hate PayPal sometimes...but it does make online life a bit easier; I still wish for some competition from some other company that can be held more responsible/liable...like a real bank.

    4. Re:I just use Paypal by ImNotAtWork · · Score: 1

      Your bank does that, not PayPal. The banks' "dubious" reasoning for this is that high purchases should be paid first, i.e. mortgage, auto loan, power bills, etc. Source: bank executive's own words on an NPR interview about the new US credit/bank regulations a few months ago.

      --
      open source sub sim. I might start coding again for this. http://dangerdeep.sourceforge.net/contribute/
  8. Re:Lol by Kamokazi · · Score: 2, Interesting

    I used my Visa instead of my usual MC on Newegg for a Christmas gift and it came up for the first time ever. I closed the window intending to buy it on my MC instead, but the payment still went through. 2 days later I got a call from the Visa fraud department...haha. I told the lady the verified thing was a bullshit pain in the ass and she let me on my way. Haven't used my Visa since.

    --
    As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
  9. It's all the wrong system anyway by Anonymous Coward · · Score: 5, Insightful

    The "verified by visa" password is just another password that can be stolen. If you accidentally reveal information to the wrong person, your account is completely compromised. That's how it was before "verified by visa", and that's how it is now. The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company). That way, the credit card user never has to reveal any secret information to anyone. The entire transaction can take place unencrypted, because any listening attacker (or malicious employee of the merchant) can't get the private key. They can only get the public key, and the digital signature of the transaction. There's no way to use that information to make fraudulent transactions.

    1. Re:It's all the wrong system anyway by Ken+D · · Score: 1

      Yep.

      Any system where you enter re-usable authentication credentials is a system that you have just enabled to pretend to be you.

    2. Re:It's all the wrong system anyway by SomeJoel · · Score: 1

      Good system, but you greatly overestimated the intelligence of the average consumer.

      --
      <Complete your profile by adding a signature!>
    3. Re:It's all the wrong system anyway by dfgchgfxrjtdhgh.jjhv · · Score: 1

      so store the private key on the card, it'll still be more secure than a number & pin code. it could be made fairly seamless to the end user.

    4. Re:It's all the wrong system anyway by Anonymous Coward · · Score: 0

      Nah, if it's simple enough to use to log into your WoW account securely, then it's simple enough for the average consumer to use. But if someone steals your card you're still fucked.

      plus cards with lcd screens would cost the bank a few pennies.

    5. Re:It's all the wrong system anyway by sexconker · · Score: 1

      The correct solution would be to use public key cryptography, where the credit card has an associated secret key, known only to the user (not even the credit card company).

      A regular old password should only ever be known by a single person. The person doing the verification should hold the hash and salt only.

      Public key bullshit is the same deal.

      ALL NON-PHYSICAL SECURITY is the same deal.

      It ALL boils down to keeping information secret.
      Whether that's your private key, your password, or your stool sample.

    6. Re:It's all the wrong system anyway by Rockoon · · Score: 1

      Whether that's your private key, your password, or your stool sample.

      Anyone who wants to sample my stool deserves what they get.

      --
      "His name was James Damore."
    7. Re:It's all the wrong system anyway by Anonymous Coward · · Score: 0

      Good system, but you greatly overestimated the intelligence of the average consumer.

      Main Entry: intelligence
      Pronunciation: \in-ˈte-lə-jən(t)s\
      Function: noun
      Etymology: Middle English, from Middle French, from Latin intelligentia, from intelligent-, intelligens intelligent
      Date: 14th century

      1 a (1) : the ability to learn or understand or to deal with new or trying situations : reason; also : the skilled use of reason (2) : the ability to apply knowledge to manipulate one's environment or to think abstractly as measured by objective criteria (as tests) b Christian Science : the basic eternal quality of divine Mind c : mental acuteness : shrewdness
      2 a : an intelligent entity; especially : angel b : intelligent minds or mind
      3 : the act of understanding : comprehension
      4 a : information, news b : information concerning an enemy or possible enemy or an area; also : an agency engaged in obtaining such information
      5 : the ability to perform computer functions

      Please don't confuse 1 and 4. Too many confuse 1 and 5 too. Amusingly, browsing the web and sending email are computer functions. And before someone reminds me, so is posting comments on forums, amongst other things.

    8. Re:It's all the wrong system anyway by thetoadwarrior · · Score: 1

      It's 3 letters at a time from a password. Either you have to have a shitty password or someone will still have to work at it for awhile.

      I hope Verified by Visa does catch people with their pants down. Fuck 'em, maybe they'll be more inclined to learn how to use their computer properly after they've been had by some kid in Russia.

    9. Re:It's all the wrong system anyway by JohnFluxx · · Score: 1

      And have the private key downloaded completely every time you swipe the card?

      The only way it could work securely is if the card itself had the electronics built in to do the cryptography. Then when you swipe your card to pay for something, the device would require the card to OK the transaction.

    10. Re:It's all the wrong system anyway by petermgreen · · Score: 1

      It's 3 letters at a time from a password.
      Afaict the form of the login used for verified by visa/mastercard securecode is dependent on the bank.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    11. Re:It's all the wrong system anyway by hfranz · · Score: 1

      *sigh* Brokat (disclaimer: I am a former employee), see http://en.wikipedia.org/wiki/Brokat, had a PKI based _mobile_ payment solution ready to market in 2000. With that framework the authorization would have been done on the users mobile phone via a pin and a nonrepudiation signature. The secret key would have been stored on the SIM card of the phone.

      Too bad they folded in 2001.

    12. Re:It's all the wrong system anyway by Anonymous Coward · · Score: 0

      Never heard of a replay attack then?
      The bank doesn't know your password in the first place.
      What's the difference between "accidentally revealing your password" and revealing your key?
      The details of the transaction can be used in fraud by other systems, or identity theft.

      So you do this transaction at shop A, I snoop on the traffic, it is unencrypted after all, then I go to the same site, order the same items using your details, different delivery address of course, and copy the signature you used. Then I take your name, credit card number etc.. and go to another shop which doesn't have this system and buy some more things; while I'm at it, I have your name, address etc... how about ordering some nice new credit cards for me.

      Where do you enter this private key? In a web form or on your machine?

      No way to make fraudulent transactions eh?

      I don't think you understood in what ways the system is flawed and when.

    13. Re:It's all the wrong system anyway by the_olo · · Score: 1

      You've more or less described how Chip and PIN works, only the difference is that the card, not the user, holds the private key (would you trust the average user to manage the security of his private key?).

      Still, the way it's designed and implemented has some areas for exploitation: http://www.smartcard.co.uk/Chip%20and%20PIN%20Security.pdf

      For web-based payments (which 3DS is all about) you'd need a new standard for performing transactions that would involve smartcards and asymmetric crypto, and it would require special devices equipped with smartcard readers attached to each consumer's PC/laptop, which will probably make it never happen (the cost for the consumers and the complexity is just not worth it).

      The operation would be quite different than in a physical store's payment terminal: the PIN should be verified locally at the user's workstation, but the verification of the card's authenticity should be left to the remote merchant, which would send in transaction data to be digitally signed on the card and verify the returning result.
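
What HungryHobo's proposal, the public-key post that opened this subthread, the replay objection above and the_olo's description all circle around is one mechanism: the card checks the PIN locally, then emits an authorisation bound to a specific transaction and a one-time challenge, and the issuer verifies it. The card with a display proposed earlier in the thread is the same idea with the payee and amount shown to the holder before approval. Below is an added, self-contained model of that flow; it is not code from the thread or from any card scheme. It uses an HMAC under a key shared between card and issuer (the way EMV's online cryptogram is actually built) in place of the public-key signature the posts propose, because the standard library has no asymmetric primitives; the security properties demonstrated (transaction binding, replay rejection, PIN lockout) are the same. The PAN, PIN, merchant name and amounts are constructed sample values, and `confirm` is a hypothetical stand-in for an on-card display.

```python
# Added example (not from the thread): PIN-gated cryptogram over one
# transaction, issuer-side nonce tracking so a captured exchange cannot be
# replayed, and lockout after repeated wrong PINs.  HMAC with an
# issuer-shared card key stands in for the public-key signature proposed.
import hashlib
import hmac
import json
import secrets

MAX_PIN_TRIES = 3


def canonical(txn):
    """Deterministic encoding so card and issuer MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


class Card:
    """The chip: card key and salted PIN hash never leave it; `confirm` models the display."""

    def __init__(self, pan, card_key, pin, confirm=lambda shown: True):
        self.pan = pan
        self._key = card_key
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self._confirm = confirm
        self.tries_left = MAX_PIN_TRIES

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def authorise(self, pin, txn):
        """Cryptogram over txn, or None if PIN wrong, card locked or holder declined."""
        if self.tries_left == 0:
            return None
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self.tries_left -= 1           # three wrong PINs lock the chip
            return None
        self.tries_left = MAX_PIN_TRIES
        shown = f"PAY {txn['merchant']} {txn['amount'] / 100:.2f} {txn['currency']}"
        if not self._confirm(shown):       # what the holder sees is what gets signed
            return None
        return hmac.new(self._key, canonical(txn), hashlib.sha256).digest()


class Issuer:
    """The bank: knows each card key, issues one-time nonces, accepts each nonce once."""

    def __init__(self, cards):
        self._keys = {c.pan: c._key for c in cards}   # installed at personalisation
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, pan, txn, cryptogram):
        if txn.get("nonce") not in self._pending:
            return "declined: replayed or unsolicited nonce"
        expected = hmac.new(self._keys[pan], canonical(txn), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: cryptogram mismatch (altered or forged)"
        self._pending.discard(txn["nonce"])          # one nonce, one approval
        return "approved"


def purchase(card, issuer, pin, merchant, amount_minor):
    """Merchant flow: nonce from issuer, build txn, card authorises, issuer verifies."""
    txn = {"pan": card.pan, "merchant": merchant, "amount": amount_minor,
           "currency": "GBP", "nonce": issuer.challenge()}
    cryptogram = card.authorise(pin, txn)
    if cryptogram is None:
        return txn, None, "declined: PIN rejected, card locked or holder refused"
    return txn, cryptogram, issuer.verify(card.pan, txn, cryptogram)


def demo():
    """Honest purchase, then the three abuses argued about in the thread."""
    card = Card("4111111111111111", secrets.token_bytes(32), "1234")  # constructed values
    issuer = Issuer([card])
    r = {}
    txn, cg, r["genuine"] = purchase(card, issuer, "1234", "Newegg", 4999)
    r["replay"] = issuer.verify(card.pan, txn, cg)   # eavesdropper resends both
    txn2 = {"pan": card.pan, "merchant": "Newegg", "amount": 4999,
            "currency": "GBP", "nonce": issuer.challenge()}
    cg2 = card.authorise("1234", txn2)               # valid cryptogram, then amount raised
    r["tampered"] = issuer.verify(card.pan, dict(txn2, amount=499900), cg2)
    for guess in ("0000", "1111", "2222"):          # thief has the card, not the PIN
        purchase(card, issuer, guess, "Newegg", 100)
    r["locked"] = card.tries_left == 0
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points answer the objections raised in this subthread: the cryptogram covers the merchant, amount and nonce, so a snooped exchange is useless at a different shop or for a different amount, and the issuer consumes each nonce on approval, so resending the identical exchange fails. What the scheme cannot do is help at merchants that never ask the card for a cryptogram, which is exactly the gap the replay post points at for the stolen name-and-number details.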

  10. Re:Lol by FlyingBishop · · Score: 4, Insightful

    No, because it's in an iFrame it's less secure than having nothing at all. When you're pulling data from two different sites on the same page, it's much easier for a third party to insert their own fields without you knowing.

  11. Re:Lol by ACMENEWSLLC · · Score: 1

    My Chase MC and Visa required this to be setup and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.

  12. Re:Lol by Anonymous Coward · · Score: 1, Interesting

    Similar thing happened to me. In my case I couldn't remember the password for that card, so I canceled the verified by visa thingy and used a different card. When I was done with the order using the second card, I saw that the first one went through regardless of a successful verified by visa thing.

  13. Whew by Anonymous Coward · · Score: 0

    Glad I'm not the only one that read vista.

    1. Re:Whew by jgtg32a · · Score: 1

      I did as well

  14. NoScript by HisOmniscience · · Score: 1

    Thankfully, NoScript blocks Verified by Visa, for which I have always been thankful.

    1. Re:NoScript by theJML · · Score: 1

      Exactly. And I think it's funny that you can always cancel out of the VbV thing and it'll still work.

      Which I have to do every time I want to use my Visa card online because it straight doesn't support the VbV thing. It either fails (yet still works) or comes up saying my bank doesn't support it. I now do all my shopping with MC.

      --
      -=JML=-
  15. Re:Lol by Anonymous Coward · · Score: 0

    I placed an order at Newegg, got the verified by visa screen and noticed the amount had changed because newegg had adjusted the quantities in the previous screen and I didn't notice.

    I hit cancel at the verified by visa but the order still went through and got charged for it. Bizarre.

  16. Whoa! by yttrstein · · Score: 1

    There are security engineering professors now? How long have I been asleep?

  17. Does Nothing by sexconker · · Score: 1

    You have to sign up for it.
    The merchant has to offer the option to use it.
    And even if you don't put in your password it still goes through.

    It's all a bunch of bullshit.

  18. Mastercard gives me Virtual Numbers for online use by JoshDM · · Score: 3, Interesting

    I go to the Mastercard website and request a virtual number. I can specify amount and expiration time (in months). It is linked to my credit card and once I use it at a merchant, that number can only be used at that merchant for up to the amount I specified. I love it.

    Meanwhile, a few years back I had to implement Verified by Visa, Mastercom, and Paypal solutions for the checkout process for the company I worked for. Paypal was the easiest and the other two were crappy. I'm not sure how they've worked out in the years since, but you don't see me using them currently. Virtual Numbers all the way.

  19. [citation needed] by 0racle · · Score: 1

    Ya, VbV is bullshit, but it would be nice if TFA could link to its sources it lists as citations instead of financial%20cryptography%20and%20data%20security/

    --
    "I use a Mac because I'm just better than you are."
    1. Re:[citation needed] by Anonymous Coward · · Score: 0

      http://www.cl.cam.ac.uk/~sjm217/papers/fc10vbvsecurecode.pdf

  20. iframe ? you mean popup / popout by troicstar · · Score: 1

    just as users are acquiring a healthy skepticism to web generated dialogs, VISA undoes it !

  21. Recommendations? by pavon · · Score: 1

    My credit card (Visa issued by my bank) doesn't have it either. I've been thinking about getting a second card that does have it solely for online use, but have been turned-off by the issuers I've seen with that feature. Is there anyone here that can recommend a credit card issuer that supports single-use numbers?

    My requirements:
    * No monthly/yearly fees
    * Standard grace period
    * Sane fraud protection (call me if you see something suspicious, but don't freeze my card)
    * Can be paid using standard electronic transfers (i.e. I can use my bank's website to pay the bill, not the CC's)
    * Visa or MasterCard are preferred.
    * I don't care about earning airline miles, bonus points, whatever.

    1. Re:Recommendations? by DCstewieG · · Score: 2, Informative

      Discover passes all these, except for being Discover. I'm able to use mine for 99% of purchases.

      http://www.discovercard.com/customer-service/security/create-soan.html

    2. Re:Recommendations? by pavon · · Score: 1

      Interesting. When my parents had Discover it had maintenance fees, but supposedly made up for it with their cash-back rewards program. However, they could never find enough stores that actually took the card to earn enough cash back to cover the maintenance fees, so they eventually canceled it.

      If they've changed that I may look into it.

    3. Re:Recommendations? by prestonmichaelh · · Score: 2, Informative

      I would recommend the Citi Forward Card:

      http://creditcards.citicards.com/usc/citiforward/single/external/affiliates/Q309/rewards/default.htm?app=UNSOL&app_COL=COLLEGE&sc=46EZA3U9&sc_COL=4CECA3T9&m=90J600000ZW&langId=EN&siteId=CB&B=V&screenID=3124&link=Consumer_15687859&ProspectID=94A073FC70EB478AB75EF008227CD425

      I have had it for a while now and things have been good. It has virtual account numbers like you wanted that you can set either a time limit, spending limit, or both on. It has basically everything else in your list as well. You can even dispute charges online without having to call anyone (just finished this and the charge was reversed within 2 days without me having to talk to anyone on the phone). It also has pretty nice rewards anyway, fairly reasonable interest rates, and an interest rate that will drop by 0.75% after 3 months of on-time payments. You can also set it up to auto-pay or "pay on demand" via ACH from your bank (enter your routing and account number). Anyway, I generally think of Citi as a pretty big corporate evil, but this card, so far, has been pretty good.

    4. Re:Recommendations? by Anonymous Coward · · Score: 0

      I haven't had a fee for my Discover card, ever, and I've had it for years. Discover's single use numbers, last time I checked, utilized the same expiry and credit limits that your actual card number has. I use my Visa card's single use because it lets me set both. Of course, my Visa's issuing bank is more likely to pull some douchebag move. At which time, I'll cancel it. But until then..

      Discover has been decent to me, although the card features aren't really exceptional.

    5. Re:Recommendations? by nameer · · Score: 1

      AT&T Universal Card. Citi owns it now, so I don't know if there are other equivalent Citi cards. I've had it for years now and the only thing I can't speak to on your list is the paying with electronic transfers. My wife pays the bill, but she is massive into online banking so I would suspect that you can.

      --
      "Uh... yeah, Brain, but where are we going to find rubber pants our size?" --Pinky
    6. Re:Recommendations? by sgtrock · · Score: 2, Informative

      MBNA's (now owned by BofA) ShopSafe.

    7. Re:Recommendations? by David_W · · Score: 1

      Discover passes all these, except for being Discover.

      Gotta disagree with you there. I had a Discover card since I started college (around 15 years ago) and finally ended up getting rid of it this past year, due to their failure on this point:

      * Sane fraud protection (call me if you see something suspicious, but don't freeze my card)

      Not only did they freeze my card when something suspicious popped up (and never actually ended up being a problem, BTW), but they never bothered to actually call me and inform me that they had frozen it. Every time it happened (and I'd say it happened about once a year), I'd find out by my card being rejected, and then I'd call in and after unlocking it I'd ask why they didn't call me. Answers ranged from mumbled excuses, to lies saying that they did, and the occasional "oh no, we expect you to call us". Finally got tired of it, especially since with my other cards they would actually call me; I've never had one of them get rejected.

    8. Re:Recommendations? by DCstewieG · · Score: 1

      The only issue I've ever had (in over 6 years with the card) was when my wife and I were out shopping separately and we both bought multiple hundred dollar items. I just got an automated call a couple hours later that spoke the 2 merchants, let me press a button to confirm and that was it. But I guess I couldn't tell you if they froze it at some point within that time.

    9. Re:Recommendations? by ckaminski · · Score: 1

      And they turn off eBill, so I can't get my balance in my online bank like every other fraking vendor on earth. It didn't always used to be this way...

    10. Re:Recommendations? by Anonymous Coward · · Score: 1, Informative

      Charles Schwab Visa card meets all your above requirements and more, 2% REAL CASH back next month deposited straight into your brokerage account. No monthly fees, no bonus points hassle, you just pay.

      I think the online application is hidden for now, if you google I'm sure you'll find some threads on finance forums.

    11. Re:Recommendations? by ajlisows · · Score: 1

      Here is what I do for almost all of my purchases online.

      I have a prepaid card from Netspend. I know of another company called Green Dot that is similar. I use Netspend because I can either load it through a bank transfer or by taking cash to a Speedway gas station and loading the card there. It costs $3 to load but I get a ton of "Speedy Reward Points". By the time I spend $15 loading the card, I usually have enough points for a $25 Speedway gift card. You can get unlimited transactions for $10/month or pay $1 per transaction. I just pay the $1 per transaction.

      I keep a token amount of money (Somewhere between $20-$50) on my prepaid card for late night impulse buys. Other than that, when I want to make a purchase online I make the bank transfer/gas station deposit right before I am going to do the ordering. Heck, I even pay most of my online bills this way. Someone steals/cracks my netspend card? Unless it is in the extremely limited window between me loading the card and me using it...they'll get $20 tops. I close the card. I get a new one. Done. Heck of a lot better than someone getting a hold of one of my credit cards which have several thousands of dollars they can pilfer.

      Yeah, people look at me like I'm some sort of Ghetto loser when I roll into a gas station and put $200 on my shitty prepaid card. Yeah, I have to take time to physically move money around (luckily my bank is near the gas station) and waste a decent amount of time in doing so. Whatever. The likelihood of any identity theft causing me any significant damage is a heck of a lot lower. I'm not constantly online checking because I'm worried some jackass maxed out my real credit cards.

      And also, you can get single use Visa Card numbers with your crappy Netspend preloaded card...so if you don't even want the hassle of the prepaid account getting stolen you can use their numbers.

    12. Re:Recommendations? by sam0vi · · Score: 1

      The bank I used to do business with (La Caixa, in Spain) offered what they called a "Cyber Creditcard". It had everything that a CC has, except the physical support (it was just printed on a piece of paper). And the feature that really made it for me was that it worked like a cash card: if you wanted to buy something for 200 euros, you logged into their website (securely), added 200 euros to the card's credit and shopped. If someone grabbed your details and tried to use it they would be out of luck, and the bank would be warned, blah blah. It's the sweetest setup I've seen for online shopping. Maybe other banks have the same thing in other countries, I hope.

      --
      When my Karma level reaches 0 I feel in piece with the Universe
  22. I hate vbv by Anonymous Coward · · Score: 0

    I no longer shop at websites that use it. Too much hassle and is not secure anyway.

  23. The systems suck by Predathar · · Score: 1

    I switched from VISA to MASTERCARD because the system sucked, it pissed me off having to jump through hoops to buy something. Then MASTERCARD came out with the same system, just not used as much so I'm still staying with them. Actually pretty funny story... I made a purchase last Fall on a website that had the MASTERCARD security thingy, I hit cancel cause my account got locked out, and the purchase STILL WENT THROUGH.... ya... nice security there.

  24. That's why I use Paypal by noidentity · · Score: 1

    I got fed up with all the security issues with online Visa transactions. Now I use PayPal for everything, and I'm fully protected. Lessee, I've made around... hmmm, frozen, what does that mean? Well, I'm having some problems with my account at the moment, but I've made a lot of transactions.

    1. Re:That's why I use Paypal by Anonymous Coward · · Score: 0

      I got fed up with all the security issues with online Visa transactions. Now I use PayPal for everything,...(snipped joke)

      PayPal with a small balance (enough to cover the purchase). The balance in PayPal comes from selling something every now and then--works out about even. The bank account I used to verify PayPal no longer exists (the bank was bought out).

      Visa card with US$1000 credit limit for online purchases that won't take PayPal, limit the damage should the card be compromised.

  25. Are You are Verified by Visa? by VortexCortex · · Score: 1

    Let's say you're on a "secured" web page entering your credit card information.
    You see that iframe that's "verified by visa". The code on the page you're looking at says where to get the content from, and IT is secure... The content that is loaded is via "https://...". https (TLS) is secure; it cannot be spoofed.

    This means that if the content in the iframe has been tampered with your web browser will not display the content. The secure iframe is sent the "Referrer"(sic) header containing the URL of the page that contains the iframe, which the iframe verifies is https and will contain a secure token in the URL (that's what the gibberish after the ? mark is). Therefore "verified by visa" is secure. Annoying as hell, but it is secure.

    The issue is: if you're on a "secured" web page that you don't fully trust (say from "https://thieves.com"), entering your credit card information, and you see the "verified by visa" iframe, without any address bar for that iframe you can't trust that the content within the iframe isn't spoofed. The iframe could contain content that looked like the "verified by visa" iframe, but was actually from "thieves.com".

    Therefore, the "verified by visa" iframe content should not reassure you that the page you are on is "verified by visa"... instead you should realize that "verified by visa" means that YOU are being verified by Visa.

    Check the address bar of the page you are on. Check the page's certificate chain. If you don't trust the web site you're on don't enter financial information. If you don't know how to verify that you can trust the site, you should educate yourself or stop using e-commerce.

    1. Re:Are You are Verified by Visa? by Anonymous Coward · · Score: 0

      https (TLS) is secure, it can not be spoofed.

      Unless there's a browser vuln or rogue CA, both issues have cropped up recently.

      The secure iframe is sent the "Referrer"(sic) header containing the URL of the page that contains the iframe

      Unless the user has opted to disable that particular misfeature. BTW: if this is really how it works, I can confidently say I've pulled apart better engineered phishing sites.

      Annoying as hell, but it is secure.

      Who the fuck are 3DS, why should I trust them and why should they be privy to my online credit card purchases? The mere involvement of a 3rd party is enough to have compromised the security of any transaction.

      So no, I'm not "verified by Visa", not now and not ever. I (and several other people I've discussed it with) will simply stop using our cards for online transactions should this crock of shit become mandatory. Why don't 3DS go right ahead and verify that!

  26. Insecure != Unsecured by Anonymous Coward · · Score: 5, Funny

    Can we get this right, once and for all? Something that is unsecured is vulnerable to a security breach. However, something that is insecure is in an emotionally anxious state.

    I chuckle every time I read about an "insecure document." I imagine a document harbouring feelings of self-doubt and a lack of confidence. "Am I really a document? Will people like to read me? Does this file format make me look fat?"

    1. Re:Insecure != Unsecured by Arimus · · Score: 1

      I was going to mod this up, but while true I can't decide between insightful and funny - I kept chuckling when I thought of a document going to see a shrink ;)

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
    2. Re:Insecure != Unsecured by albedoa · · Score: 1

      3. not secure; exposed or liable to risk, loss, or danger: an insecure stock portfolio.

      Welp.

    3. Re:Insecure != Unsecured by Yvan256 · · Score: 1

      And that shrink's name is ZIP.

    4. Re:Insecure != Unsecured by pjt33 · · Score: 2, Interesting

      I would understand "unsecured" to mean "no-one has attempted to secure it". If they've attempted and failed then it's badly secured and insecure.

    5. Re:Insecure != Unsecured by Anonymous Coward · · Score: 0

      If you did not lock your front door this morning, then it is unlocked. If you tried and failed to lock it, then it's just as unlocked.

    6. Re:Insecure != Unsecured by pjt33 · · Score: 2, Insightful

      But if I lock it with a 50 cent padlock then it's locked, but extremely easy to open.

    7. Re:Insecure != Unsecured by Anonymous Coward · · Score: 0

      Fair enough, it may be locked. But it is unsecured. ;-)

    8. Re:Insecure != Unsecured by BitZtream · · Score: 1

      How many times did you get your ass kicked when you were a child for arguing the difference between affect and effect with people who didn't give a fuck?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    9. Re:Insecure != Unsecured by Anonymous Coward · · Score: 0

      Thank you for your opinion that English words should map to one meaning and one meaning only.

      Unfortunately it has an insecure attachment to reality, in that it is common to talk about insecure investments and physical fixtures, neither of which are noted for their emotional states.

    10. Re:Insecure != Unsecured by Anonymous Coward · · Score: 0

      The usage of insecure you are deriding has made its way into popular usage, and hence the dictionary. Therefore, you are wrong. It is a perfectly valid use of the word. "Unsecure" sounds rather awkward, anyway. So keep chuckling. Guess what word people are going to be using in twenty years to describe something that is not adequately protected? I'd be willing to bet, it ain't gonna be "unsecured".

    11. Re:Insecure != Unsecured by locofungus · · Score: 1

      The usage of insecure you are deriding has made its way into popular usage, and hence the dictionary.
      a LONG time ago:

            2. Unsafe; exposed to danger; not firm; liable to give way, fail, or be overcome.
            1654 H. L'Estrange Chas. I (1655) 56 So in-secure did overmuch security make them.

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    12. Re:Insecure != Unsecured by Anonymous Coward · · Score: 0

      Does this file format make me look fat?

      If it's a Microsoft Office file, then yes.

  27. Re:Lol by Lord+Byron+II · · Score: 1, Redundant

    Here's a little tip that I discovered by accident. On a NewEgg order, if you hit "cancel" on the Verified-by-Visa page, the order still goes through.

  28. it kills sales by Anonymous Coward · · Score: 2, Interesting

    We had it forced on us by our payment provider and it killed sales, we had so many customers asking what their password was and where do they find it. We opted out of it.

  29. Article and "research" bad.. by ltning · · Score: 1

    The researchers, and the article writers, completely fail to understand that 3-D Secure simply defines the interfaces between the three domains in the security model. The actual authentication model used is chosen and implemented by the card issuer. If the card issuer would decide it wants to use passphrase+OTP in a separate window (for URL validation), it could do so. In fact, outside of the US, many do. In Norway, for instance, online payments are usually verified through something akin to a "national electronic ID", which despite its flaws goes way above and beyond simple passwords.

    The article is so full of factual mistakes and displays such a complete lack of knowledge and understanding it's not even funny.

    --
    Love over Gold.
  30. Re:Lol by m.dillon · · Score: 1

    Well, VbV's security issues are a problem for Visa to solve. It's great for merchants who sell high-priced items (like NewEgg, camera stores, etc). Many smaller merchants who had to go through a whole back-and-forth thing with the customer and credit card company before (for large, expensive orders) can now just use VbV for the same high-priced purchase instead. Higher volume merchants like NewEgg can streamline their credit checks with VbV and even allow shipments to addresses other than the billing address.

    I'm not sure why people are saying that it transfers liability to the customer; it doesn't. The liability is transferred from the merchant to Visa (well, actually the issuing bank, I think). Customers are not liable for fraudulent use of a credit card by VbV or anything else.

    -Matt

  31. Hundreds of newegg purchases with Opera browser by Anonymous Coward · · Score: 0

    I've done hundreds of newegg purchases using opera. After the order I get a redirect to the verified page with a couple of dancing eggs. Then my order completes. No popup. No iframe. No prompts for passwords ever.

    I don't know if this behavior is opera related or related to the fact that my visa is issued by a credit union that I belong to. But vbv has never asked me for anything ever.

  32. Re:Lol by XorNand · · Score: 1

    Newegg is the only store I've seen Verified by Visa used (and I buy a lot of stuff online). Having had my share of problems with it, I never even browse Newegg anymore. I guess they must have such a high incidence of fraud though that it's worth losing the occasional regular customer like me.

    --
    Entrepreneur : (noun), French for "unemployed"
  33. "intended to reduce on-line payment card fraud" ? by Anonymous Coward · · Score: 0

    That's incorrect, though it's easy to see how the researchers could fall into the trap of believing this.

    Anyway, if you read their terms of service, it becomes obvious that the main purpose of the Verified by Visa system is to shift liability for fraud onto the card-holders. It's the main reason I've stopped using my Visa for any purchases over the Internet.

  34. Brings me back by jwinster · · Score: 1

    TFA mentions one of the security holes being that users "can't see the URL of the verified by visa website because it's in an iframe." Reminds me of the first time a website asked me to enter a password on verified by visa, I stopped the transaction and purchased the item somewhere else for that very reason, since I never had any notification that verified by visa was something I was going to have to do.

    --
    Q.E.D.
  35. What Is The Point Of 6 Digit Password? by tunapez · · Score: 3, Informative

    I've used the service 3 times...guess how many times I've set/reset my "Verified by Visa" password. Rather than allow for a secure password(8+ characters, alpha-numeric-symbol) I am limited to 6 digits and remember yet another non-standard password? Might as well throw a captcha AND a question to doubly verify I am not a bot, too.

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  36. Re:Lol by twiddlingbits · · Score: 1

    The back and forth thing is just a phone call. Takes less than a minute. My wife runs several-hundred-dollar Visa/MC purchases all the time in her business. We just call a toll-free number, type in the card # and amount, and if it needs to be verified by a person they come on and ask a question or two, then give you the verification number. The liability for fraud still lies with the merchant: they got your item, you got nada. The CC just charges the bad purchase back to the merchant; they are not out a dime. VbV is nothing but marketing.

  37. Of Course It's Insecure! by Spiffy · · Score: 1

    If somebody puts a keylogger on your Windows box, they'll get what they need no matter how many passwords you are required to type. Adding another password to the stack adds zero security; it just makes it easier for the credit card company to claim you are truly responsible for the transaction. "It can't possibly be fraudulent--it was Verified by Visa(TM)!"

    I try to avoid doing business with anyone who requires me to go through VbV. I know it's not there to protect me.

    1. Re:Of Course It's Insecure! by vakuona · · Score: 1

      If someone puts a keylogger on your system, then nothing can protect you. I don't think VbV is a panacea, but one thing it allows is for me to set up my own prompt. If the prompt is wrong, then I know I am about to be scammed. I get the same prompt whenever I buy something online, whatever the website. It might not be perfect, but it does reduce the chance that my card is used online without my permission.

    2. Re:Of Course It's Insecure! by couchslug · · Score: 1

      "If somebody puts a keylogger on your Windows box, they'll get what they need no matter how many passwords you are required to type."

      Among the reasons I don't do online transactions on Windows machines.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  38. You don't even need the password by beneppel · · Score: 2, Interesting

    I recently forgot my verified by visa password - the only security question it asked me that wasn't printed on the card was my date of birth - it's not the first time I've had to reset my password, and each time the question is the same. That means if somebody has my card, all they need to know is my date of birth, and they can reset my 3DS password easily.

  39. Re:Lol by Ash+Vince · · Score: 1

    Here's a little tip that I discovered by accident. On a NewEgg order, if you hit "cancel" on the Verified-by-Visa page, the order still goes through.

    I have recently built an ecommerce site for someone and noticed that our account on a payment gateway allows us to disable this crap. When disabled, it still displays but the user can skip it or whatever and the purchase still goes through. We have had the account for years. When the client switched it to their account on the same payment processing company the option to disable it was greyed out. It seems it is mandatory for some (maybe newer?) setups but not existing ones.

    As a customer it makes no difference to me anyway. It might be an extra step I have to go through but since the password is set to a generic password I can always remember it does not inconvenience me much. Typing one word into a silly box only takes a second or two.

    --
    I dont read /. to RTFA, I read /. to offend people in ignorance.
  40. Re:Lol by Anonymous Coward · · Score: 0

    My info always seems to change on me for VbV, so I don't bother with it. I've found hitting Cancel will, more often than not, proceed with the order as usual.

  41. Sharath by Anonymous Coward · · Score: 1, Funny

    Can't believe this... people simply start commenting having just half knowledge. The 3DS protocol is secure and helps banks to choose the method they use to verify their customers. It's left to the banks how they want to authenticate their card holders. A few banks have chosen to keep static passwords while others use OTPs. In future banks will use IVR calls or voice authentication or some other technology to identify their customers, but the protocol does not change.

    A few merchants may have implemented the flow wrongly. Merchants are supposed to redirect the customer to his bank's site and not show it in a frame or iframe; that is just a bad implementation and is an invitation for a phishing attack. In India at least, as far as I have seen, none of the merchants use the iframe thing; almost all the merchants redirect the customer to his bank for verification and the customer can clearly see the URL of the bank server (or provider) that is authenticating him.

    It's like saying: if one drunk driver crashes a car and kills himself, cars are unsafe. :P

  42. Re:Mastercard gives me Virtual Numbers for online by FooAtWFU · · Score: 1

    I had a credit card which could do that once (a Wachovia card administered through some "FIA Card Services"). Then Wachovia decided to end that and administer it themselves (which was mostly just annoying). What other card providers provide this capability?

    On a related note: online bank security. WTF?

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  43. Re:Lol by JesterOne · · Score: 1

    When you make a purchase with Newegg, just cancel the VbV box and the charge will go through. Yes, that's right. You can completely bypass the security check by canceling it. I have VbV set up and went to make a purchase a few months ago on Newegg. Didn't remember the password and canceled the password check to go and reset the password. The order was charged and went through. I called Newegg and asked them what happened. I was told "Newegg passed the Visa charge request off to Visa and it returned a thumbs up. The VbV check is optional."

  44. When someone finds my password... by deains · · Score: 1

    ...my account is still secure. Not all 3DS systems are the same between banks, and some of them actually do it reasonably well (though no security is ever foolproof, of course). On my account, 3DS asks me for one of the five security questions on my account, which involve various different inputs (dates, names, places, etc.). To actually log into my online account I need both the answer to the security questions above, a secret code (not the same as my PIN), plus the standard account details. If I want to actually do anything useful online, I have to use my bank's little security device, which takes my card in and spits out a random code so long as I enter my PIN right (think Blizzard dongle, but with Chip and PIN). And of course, if someone manages to steal my 3DS answer in order to use my card elsewhere, they still need to find out all my other card details. Even if they found them out, they've only got a 1 in 5 chance of getting the right question they know the answer to. The system allows 3 attempts. Good luck, guys.

  45. Re:Lol by Anonymous Coward · · Score: 1, Interesting

    I mis-guessed my verified-by-visa password multiple times on a newegg order and then gave up. The payment went through.

    It reminds me of [insider knowledge, that's why I'm posting AC] something my state's unemployment system is about to implement. They're going to have a voice system where people can call in, change what bank account their claims will go into, etc. Of course, to do this, the claimant needs to know their PIN. If they don't know their PIN, though, they can reset their PIN to anything they want, without verifying their identity in any way. If you know someone's SSN, you can have their payments go to you, without knowing anything else. So what's the PIN for?

  46. RSA keyfobs in credit cards by ehud42 · · Score: 4, Insightful

    I would like to see my credit card display a time sync'd rolling number instead of the lame 3 digit code on the back of the card. As I see it, the problem with credit card fraud is not stolen cards, but stolen numbers. If I lose my card, I will know fairly soon and can have the card canceled. However, it may take quite a while to determine my number has been compromised. When shopping online I would like to enter my card number and a second number generated by the card. Cards expire after 2 years, so this should be doable from a battery life point of view. It could even be introduced as an extra fee initially to those who want the extra online shopping security.

    --
    I'm in my right mind and I have the answer to everything!
    1. Re:RSA keyfobs in credit cards by RAMMS+EIN · · Score: 1

      Now there's a good idea. I'd mod you up if I could.

      The way I see it, the number one problem with credit cards is that all the verification steps do basically amount to nothing ... everything you need is printed on the card, so what is verified is neither that you have the card nor that you know some secret.

      What you propose completely changes that.

      By adding a number that changes over time, you foil re-use. Someone can copy the other things on your card, but they will be useless without the card.

      Add some sort of secret and you have good two-factor authentication.

      --
      Please correct me if I got my facts wrong.
    2. Re:RSA keyfobs in credit cards by kafka47 · · Score: 1

      RSA Security has a 2-factor OTP device in a credit card form-factor. It is very slick.
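
The rolling-number card ehud42 proposes above, and the "add some sort of secret" that RAMMS+EIN bolts onto it, is essentially a time-based one-time code of the keyfob kind. The block below is an added example written for this thread, not code from any card scheme or from RSA: it models the card holding a per-card secret shared with the issuer (the assumed second factor), derives a 6-digit code from the current time step, and shows the issuer verifying inside a small clock-skew window. The step length, digit count and window are assumptions; the point it demonstrates is that a code copied from one purchase stops working a few minutes later, which a printed 3-digit CVV never does.

```python
"""Time-synced rolling card code, in the style of a keyfob OTP (constructed model)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumed code lifetime; a trade-off between battery, UX and replay window
DIGITS = 6          # assumed display size on the card
SKEW_WINDOW = 1     # accept one step either side to tolerate card clock drift


def rolling_code(card_secret: bytes, unix_time: int,
                 step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code the card would display at `unix_time`.

    HMAC-SHA1 over the big-endian time-step counter, dynamically truncated
    as in RFC 4226, then reduced to `digits` decimal digits.
    """
    counter = unix_time // step
    mac = hmac.new(card_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code_int = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code_int % 10 ** digits:0{digits}d}"


def issuer_verify(card_secret: bytes, presented: str, unix_time: int,
                  step: int = STEP_SECONDS, window: int = SKEW_WINDOW) -> bool:
    """Issuer side: recompute the codes for nearby steps and compare in constant time."""
    for drift in range(-window, window + 1):
        expected = rolling_code(card_secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def replay_demo(card_secret: bytes) -> dict:
    """A code captured at purchase time is accepted then, and refused ten minutes later."""
    t_purchase = 1_262_304_000  # constructed timestamp
    captured = rolling_code(card_secret, t_purchase)
    return {
        "live_code_accepted": issuer_verify(card_secret, captured, t_purchase),
        "replay_after_10_min": issuer_verify(card_secret, captured, t_purchase + 600),
    }


if __name__ == "__main__":
    print(replay_demo(b"constructed-per-card-secret"))
```

The window is the usual knob: widen it and the card tolerates more drift, but every extra step also lengthens the time during which a skimmed code remains usable.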

  47. Activation During Shopping by epine · · Score: 4, Interesting

    My GF's great-grandmother passed away in November. She was very close.

    Weepy GF gets onto the web site of a regional Canadian carrier that prides itself on its customer service, selects her flight, and begins to fill out the VISA information. After filling out most of the information she clicks "continue" and *bam* up comes VISA's activation during shopping page (ADS) with a giant "I agree" button under inscrutable masses of legal fine print. She is in a fine state of mind for clicking her life away.

    This happens right in the middle of the transaction, with no advance warning. Not on the page before she began filling out the details: to complete this transaction with your VISA card, you will be obligated to click "I agree" to the ADS terms of service, which shifts VISA's liability onto your shoulders and plays havoc with established web security practices and altogether makes the world a shittier place.

    All of this under the commercial maxim that instant gratification == learned helplessness. Your average user will blindly click anything during gratification interruptus.

    As it happens, my red-eyed GF muttered out loud "WTF is this?". It took me about 30s to get past "HF those sleazy MFs". Then I told her to slam down the virtual circuit on her half-completed web page transaction and start the transaction over again using an aging circuit-switched technology far less suited to rights erosion, and also more expensive for the airline to provide. Real human at the other end. What a PITA.

    Brilliant lose-lose for everyone involved.

    Two of the links I recorded checked this out:
    More Banking Stupidity: Phished by Visa
    Verified by Visa: British banks phish their own customers - Boing Boing

    Redacted portions of an online TOS from a large Canadian bank which has since gone 404.

    You agree not to: modify, adapt, sub-license, translate, sell, reverse engineer, decompile or disassemble any portion of the Verified by Visa Website or service or the software used in connection with Verified by Visa.

    You agree to immediately notify us by contacting us, as we require in our cardholder agreement with you for a lost or stolen card of any unauthorized use of your password or other verification information, or any other breach of security. You will be liable for any unauthorized activity involving use of your password or Activation Data, until we receive such notice.

    Answer me this, Batman:

    How is one supposed to notify the bank that you've lost control over the password, when you lose control to a phishing widget embedded in a concealed iFrame?

    I wrote that riddle back in November, and I'm no closer now to coming up with the solution. FWIW, this agreement is probably less egregious than the one that came up under ADS, from a different major Canadian bank. Bonus marks for completing this task without first discovering how the service works, which violates your TOS.

    This whole thing makes me seriously limbic.

    Larry Lessig on laws that choke creativity

    And on the other side, among our kids, there's a growing copyright abolitionism, a generation that rejects the very notion of what copyright is supposed to do, rejects copyright and believes that the law is nothing more than an ass to be ignored and to be fought at every opportunity possible. The extremism on one side begets extremism on the other, a fact we should have learned many, many times over, and both extremes in this debate are just wrong.

    For the good of society, the law ought not to be an ass, and the VISA company ought to not be pushing the matter like a used car salesman at the helm of an invincible glass castle.

    1. Re:Activation During Shopping by maxume · · Score: 1

      It must be sort of fun to be so histrionic, I mean, when she canceled her card, she would be getting her life back, which would probably be an awesome feeling.

      --
      Nerd rage is the funniest rage.
    2. Re:Activation During Shopping by Anonymous Coward · · Score: 0

      You agree to immediately notify us by contacting us, as we require in our cardholder agreement with you for a lost or stolen card of any unauthorized use of your password or other verification information, or any other breach of security. You will be liable for any unauthorized activity involving use of your password or Activation Data, until we receive such notice.

      The banks can claim whatever they like, but the law trumps whatever they claim. Your maximum liability is $50 if you notify the bank in a reasonable period of time after you become aware that your card was stolen.

    3. Re:Activation During Shopping by adolf · · Score: 1

      Every time I've been pestered by a "Verified by Visa" prompt, I've been successful in finding the "Fuck off" button and continuing anyway.

      YMMV.

  48. Re:Lol by Trails · · Score: 4, Insightful

    Security is about tradeoffs. So, let's be clear. iFrame = bad, I agree with you. But let's take it further, let's look at what you're getting. I've hit verified by visa a couple times, I always forget my password. In part, my standard repertoire of passwords doesn't work because it only accepts letters and numbers, my passwords often contain various symbols. In other words, the limitations on the password characters limit the number of possible passwords. Not great, though not as bad as the iframe thing. So I use the "forgot your password" flow every time. The genius thing about that is that it asks me stuff I'd already entered on the retailer's purchase form. There's no additional info required, it's all fairly standard "accessible" user profile info, but for the re-entering of the card details. So, to be clear, from a quantitative aspect we have 1 bad and 1 "not so hot". But what have we gained? Nothing!!! It's online security theatre. It's about as effective as a Dutch Airport security officer.

  49. Re:What Is The Point Of 6 Digit Password? by Neoprofin · · Score: 1

    That's odd. My Verified by Visa password is 8+ characters and alpha-numeric, I've also only had to reset it after reporting a card stolen and having it replaced. Maybe it differs between card issuers.

  50. virtual cards by vanyel · · Score: 1

    This is why I use a virtual card online (paypal offers them, and some banks do too) - generate a card, use it and then close it. It's also handy for sites that force you to subscribe when you only want a brief access (e.g. I'm only an occasional wow player, so I pay for a month, close the card, don't have to pay for the rest of the time when I don't have time to play).

  51. No surprise by sjames · · Score: 5, Insightful

    The entire financial industry is about 2 things. First, skimming a few cents off of the top of any financial activity they can get their claws into and second, pushing any and all risks and costs onto the public.

    Get wiped out by high risk loans? Get a bailout. Credit reporting systems so flimsy they can't even tell two people in the same apartment building apart? Spawn an entire industry for people to fix it at their own expense. Can't be bothered to implement a secure credit card system? Either make it the merchant's problem or the consumer's. Someone defrauds you out of some money? Demand it from the person they impersonated and tell them it's their problem (cost and obligation) to fix it (even though they're not the ones sending credit offers to dogs and toddlers).

    In a just system, credit agencies munging data together based on practically nothing would be guilty of libel if they wrongly claim you're a deadbeat. Creditors would be obligated to show that you personally are the actual person they extended credit to before they could try to collect. There would be no such thing as "identity theft", only the usual run of the mill fraud.

    In such a system, the banks would make sure credit card transactions were as secure as they could practically be because THEY would lose out when it fails.

    1. Re:No surprise by columbus · · Score: 1

      I agree wholeheartedly. Furthermore, this is the most succinct and correct form in which I have ever heard anyone describe this problem.

      Bravo sir.

      --
      friends don't let friends teleport drunk
  52. Not Used By NewEgg Anyway by MrTripps · · Score: 1

    The Verified by Visa thing comes up after I try to place an order on NewEgg. Thing is, if I don't bother with it and browse to another page when the VbV window comes up the transaction goes through anyway. This means Visa is trying to verify a transaction that has already taken place.

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
  53. Re:Lol by Wintermute__ · · Score: 4, Funny

    My Chase MC and Visa required this to be set up and crazy passwords too, which I can't recall. I rarely use my Chase cards anymore as a result.

    See that! You're more secure already!

    And you doubted the value of this valuable security feature...

  54. Bank response (one year before "Cambridge resear") by trust_jmh · · Score: 0, Offtopic

    To: ive_seen_a_scam@smile.co.uk 23/02/2009

    Please forward this to someone with the ability to assess the risk of such security breach. (Preferably with basic knowledge of SSL and cross site scripting.)

    A web site (not smile's) is asking for my account's memorable name. I shouldn't be entering this information anywhere other than into a secure smile web site.

    [Other sites that take payment using pay-pal I can trust as I see they redirect to a pay-pal server for me to enter my account details.] Perhaps you should take a look at how pay-pal processes such orders.

    As the site I was ordering from should probably be trusted I chose to enter it this time and then change the memorable name as soon as the order had completed.

    Specifically;
    http://www.smile.co.uk/servlet/Satellite?cid=1076315830501&pagename=Smile%2FPage%2FsmView&rendermode=preview&c=Page
    Suggests I don't enter details into "computers that aren't your own" which I also assume applies to supplying to sites that aren't smiles.

    http://www.smile.co.uk/servlet/Satellite?cid=1124867052028&pagename=Smile%2FPage%2FsmView&c=Page&loc=l
    "all secure messages between us travel in a closed environment, so they can&rsquo;t be read by anyone else" but this is a 3rd party asking for my memorable name and not smile.

    Order was from;
    http://wck2.companieshouse.gov.uk
    Appears to use
    https://www.netbanx.com
    to make the payment then it either takes the memorable name in this site or uses an embedded site from;
    https://secure5.arcot.com

    Please contact me if you require more information.

    ----
    Reply: 23/02/2009
    Thanks for your message.

    I can understand your security concerns with the verified by visa scheme.

    For more information with all aspects of this please visit our site
    (www.smile.co.uk) then click the security link at the top. Once there
    select the verified by visa link on the left and this will then be able to
    give you all the information you need.

    ----
    My response: 23/02/2009
    Q: Is Verified by Visa (VbV) easy to use?
    A: Yes. When you make an online purchase, a window from the Bank will be displayed and prompt you for your memorable name/VbV password. Simply enter your memorable name/VbV password and complete your purchase.

    My problem is no apparent window from the bank is shown so it appears like (don't know if this is true or not) I am giving my security details directly to a third party. (It is very easy to create a malicious secure web site that looks just like the one I saw.)

    ----
    Reply: 24/02/2009
    I'm sorry you have concerns about your online security.

    When you sign in to a Verified by Visa site using your smile card, you'll
    automatically be asked for your memorable name. This will confirm that
    you've been connected to smile behind the scenes. Other banks will ask
    different questions, however being asked memorable names will confirm it is
    us.

    The original brief from Visa stated banks could introduce individual
    questions for each customer, that's not been fully introduced yet, however
    we'll be reviewing this in the near future. At the moment we're reviewing
    and looking to implement other security procedures.

    Please make sure the website you're using to make the online transaction is
    a website that you trust, this is important as using a trusted website will
    greatly reduce the likelihood of there being a scam.

    Please also check that your PC is fully protected with antivirus, firewall
    and anti-spyware software plus the relevant phishing filters available with
    your chosen web browser. Please let me know if you need any more advice on
    this.

    Thanks for taking the time to contact us, I appreciate your concerns and
    comments and have raised it internally for further consideration.

  55. Re:Lol by jonbryce · · Score: 1

    In some of the accountancy newsgroups I frequent, we sometimes get merchants wondering why so many people abandon their purchases when they put 3D Secure on their websites. Anecdotally it seems that about 2/3 of customers will abandon their transaction if they hit the verified by visa page. I certainly do, because it asks me to enter password details into a site called "securesite.co.uk", owned by some very small company called Redstation Limited I've never heard of.

  56. Re:Lol by FlyingBishop · · Score: 1

    Except you can be reasonably sure that the Dutch Airport security officer won't surreptitiously plant a bomb in your bag while giving you an inspection.

  57. Here is the original paper by Anonymous Coward · · Score: 0

    The link in TFA is broken.

    Here is the original paper:

    http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

  58. Some countries disallow 1's or 0's in a PIN?? by daveewart · · Score: 1

    3. Make sure your PINs don't contain any 1's or 0's (some countries disallow those numbers).

    Seriously?!?

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
    1. Re:Some countries disallow 1's or 0's in a PIN?? by LiquidFire_HK · · Score: 1

      Why?

    2. Re:Some countries disallow 1's or 0's in a PIN?? by adolf · · Score: 1

      Because there is no Roman numeral for zero. And 1 was often substituted with I on old typewriters.

      So, to avoid confusion, PINs must only consist of the numbers 2 through 9.

      Obviously.

      [/sarcasm, for the sarcasm impaired]

  59. Re:Lol by mr_lizard13 · · Score: 2, Interesting

    I've often wondered about that. When presented with the 'Verified by Visa' screen, how do I know it's the real thing?

    What's to stop a dysfunctional e-store using a mocked-up version of that screen to collect my online PIN?

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
  60. Re:Lol by BikeHelmet · · Score: 1

    SecuCode annoys me. Half the time the page doesn't even load. When all the hot deals were coming out around Christmas, I had to use Paypal to buy everything, because SecuCode was indefinitely down.

    Oh yeah - know what password does fit their limitations? bullsh1t

  61. A complex solution... by ALeader71 · · Score: 1

    I agree. The chip and PIN has its limits. The magnetic strip is useless and outdated. Here's my view.

    Most people use a single PIN for everything. Hence it is part of a solution. Multi-part authentication is key to increasing security. Add in an RSA keyfob, and a personal public/private key certificate on the chip. Here's how it works.

    Waiter brings the payment device to the customer. This device uses a network not part of the restaurant network. A VPN tunnel will suffice, so long as it is encrypted.
    The customer inserts the card, and unlocks the PPK certificate with the PIN. The PIN is comprised of letters and numbers, say 6-14 characters, eliminating the debit card PIN re-use.
    Finally, the transaction is authorized using the RSA keyfob's constantly changing number.

    The system isn't foolproof. The customer is always the weakest link, and businesses prefer to make spending easier, not harder. It will eliminate the card swipe and make lifting the PIN harder.

    Finally, require a voice print authorization from the card holder for purchases over $500 and/or purchases per day over a pre-set limit. This will make stealing a card a lot less attractive.

    --
    Only the dead have seen the end of War. - Plato
    1. Re:A complex solution... by cdrguru · · Score: 1

      Restaurants aren't going to want to spend $1000 (or more) on a wireless VPN device that has non-consumer physical connections to other devices. Nope, sorry, the restaurant business doesn't have the margins for something like that.

      Besides, with a credit card (not a useless risky debit card), what do you care if the waiter snags your credit card number? He gets to make a few bucks off selling 100 of them at the end of the day and you get a phone call when it is used fraudulently. Even if you don't get the call, you notice that your bill is $500 over what you thought it might be and call up to get the charges taken off. The waiter makes a little money, the guy using the card get some stuff and the merchant's insurance has to pay. Who loses here?

      The fraudulent charge game is very, very familiar to me as it happens at least once a year. I have never paid a fraudulent charge, ever. Every single credit card company I have used has not had any problem cancelling the charges and sending me a new card with a different number.

      We are living in a high-theft society where people make their entire living by stealing. To try to deny that is to ignore a fact of life in the Western world. Sure, if we were all living as subsistence farmers we wouldn't have this problem because we would have nothing to steal. But if you have a computer, a cell phone and a car you have something people far less fortunate than you want. And they are going to get it because stealing has no penalties anywhere near what living without is like.

      So put up with it. Nobody loses on credit card fraud. Would you rather get mugged?

    2. Re:A complex solution... by Anonymous Coward · · Score: 0

      What restaurants do you go to ? I want to make sure to avoid them.

  62. Re:Same company by Kalriath · · Score: 1

    No, they aren't the same company at all. They're two separate associations run by their member banks. Some banks may be a member of both, but probably not all.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  63. 3DS is also broken from a human factors POV by gilgongo · · Score: 1

    I am a UI designer with an interest in security-related human factors.

    3DS as deployed by MasterCard is also fundamentally insecure because it's based on an anti-pattern: trust by proxy without offering any easy way to verify that trust. Visa's implementation is marginally better because it echoes a "secret phrase" to you on the screen before you input your pin, thereby allowing you to verify that it's them, and not some random phisher.

    The trouble is most people just trust in the application of the anti-pattern. How then can anyone make sense of the fact that on the one hand, their bank exhorts them to be on the lookout for fraudulent emails and websites pretending to be their bank, while on the other hand their bank does EXACTLY that with 3DS.

    Not only that, but there are apparently exploits in the wild that deploy browser-based man-in-the-middle attacks by throwing up fake 3DS forms on checkout pages. I recently received a mail from Zopa (a financial services website) that said the following:

    "Thanks to one of our members who reported that during the process of paying funds into his lender account, he was presented with a ‘verified by Visa’ screen that requested his ATM pin code.
    Suffice it to say that Zopa does not use this kind of verification so you should never submit any passwords or codes should you be prompted to do so via such a screen when using the Zopa site.

    We have investigated the issue and can confirm that the problem is an issue entirely localized to this member’s local environment and does not affect the Zopa site or its servers. Nevertheless, we wanted to make you aware so that you can avoid filling in your details should you be presented with a similar screen. "

    Words fail me.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
    1. Re:3DS is also broken from a human factors POV by mcfedr · · Score: 1

      The displaying of a phrase is a good start, but personally I see it so rarely I wouldn't remember what it was, and if it wasn't there I probably wouldn't notice.

    2. Re:3DS is also broken from a human factors POV by jareds · · Score: 1

      Visa's implementation is marginally better because it echoes a "secret phrase" to you on the screen before you input your pin, thereby allowing you to verify that it's them, and not some random phisher.

      It lets you verify that it's either Visa or a man-in-the-middle attack...

  64. Doesn't work the same with all banks by the_arrow · · Score: 1

    While some of the problems exist for me, some others don't. For example it is shown in an iframe, but I don't enter a simple password. Instead my bank has a challenge-reply system, where I need physical access to my card, know its PIN code, know my personal number (Sweden's version of social security number) and use a special device given out by the bank. Yes, the iframe can still be hijacked, but all the hijacker will know is my personal number, and a one time code (which is generated differently from the one used to log into the bank, which is different from the one used to sign bills and transfers).

    --
    / The Arrow
    "How lovely you are. So lovely in my straightjacket..." - Nny
    1. Re:Doesn't work the same with all banks by rdebath · · Score: 1

      This is better, but still not good.

      For a proper challenge/reply the server has to authenticate to you too. For example, it could be that the server gives you the last 3 digits of the current pin number for the keyfob. If the pin is wrong the keyfob doesn't give you a number to pass back to the server. Of course the easiest way is to use the built in facilities of the browser's certificate system ...

      Your "personal number" does not increase security at all, in fact it probably reduces security a little as it's actually a universal user name so allows merging of intelligence about you.

      BTW: Nothing you've said needs physical access to the Card, just the keyfob (calculator?) device

    2. Re:Doesn't work the same with all banks by the_arrow · · Score: 1

      Ok, I was a little unclear. The bank gives me a number I have to enter into the keyfob, and I also need to have my card inserted into the keyfob so it can read the chip.

      --
      / The Arrow
      "How lovely you are. So lovely in my straightjacket..." - Nny
  65. Re:Mastercard gives me Virtual Numbers for online by mcfedr · · Score: 1

    That sounds awesome, what bank is that with?

  66. Not only insecure, WORTHLESS by macbuzz01 · · Score: 1

    I recently made a purchase through newegg.com. Used my trusty VISA, was redirected to the VbyV site, realized I didn't know my password, clicked cancel and figured the transaction was done when I canceled out of the VbyV. Got my Discover and completed the transaction. Lo and behold, what shows up in my email, but two tracking numbers for identical shipments with both my Visa and Discover getting charged!
    After some investigating with both newegg and my bank, turns out that the merchant can choose what to do when they get a failed VbyV transaction.

    Talk about a perfect "no it's their fault" situation

    Next on "security theater"...

  67. Isn't iframe trademarked by Apple? by bezenek · · Score: 1

    Just checking...

    --
    Omne ignotum pro magnifico.
  68. Mandatory in India... by Anonymous Coward · · Score: 0

    In India, it is mandatory to use 3DS - no Indian CC will work without this extra step...
    Online shopping sites here reported a 30-50% drop in orders when 3DS became mandatory.

  69. Re:Same company by BitZtream · · Score: 1

    Yea, different companies that have the same owner. Just because they play some corporate legal sheltering doesn't make them any less of the same company for all practical purposes.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  70. It's a CITI card by JoshDM · · Score: 1

    Citibank.

  71. Re:Lol by PitaBred · · Score: 1

    I like Newegg. They have a technical audience, but they say "Hey, we're redirecting you... you'll come back when you're done", and the certificate and everything is right in the address bar like it should be. I've only had one merchant where the VbV page was in an iframe... I checked out the frame to verify it, but as soon as I get my shipment from them I'm going to complain about that experience.

  72. Re:What Is The Point Of 6 Digit Password? by HoppQ · · Score: 1

    That's odd. My Verified by Visa password is 8+ characters and alpha-numeric, I've also only had to reset it after reporting a card stolen and having it replaced. Maybe it differs between card issuers.

    VbV password is the password you use in your card issuers online banking service, and it indeed differs among issuers.

    --
    My sig will be released in 2015 third quarter. Rating pending.
  73. I *really* switched credit cards by rdebath · · Score: 1

    That's the whole reason I got an Amex card.

    Of course now I do well over 90% of my offline card transactions with Amex too.

    Shame.

  74. Pradeep Chandar by itpradeepchandar · · Score: 1

    Insane Discussion .... None of the discussion is proving a point here... It is something Like Venus Project from Zeitgeist like discussing Democracy is Bad... Think thru the Other way around................

  75. Trust the pop-up! by PMBjornerud · · Score: 1

    The big issue I have with "Verified by VISA" is that they are teaching users to enter bank passwords into pop-up / embedded windows.

    Trust the pop-up, it's got a VISA logo! So just enter that bank password of yours.

    Is there ANY possible way you could better train users to fall for phishing attacks? If the users trust a pop-up, they will enter anything - PIN codes, Social Security numbers, numbers from keychain password generators... anything.

    --
    I lost my sig.
  76. VbV/3D sucks by Anonymous Coward · · Score: 0

    For the unfortunate ones of us stuck in India, the VbV/3D secure systems are mandatory by order of the Reserve Bank. Although the law says additional authentication mechanism must be used apart from card details, banks were all too ready to implement VbV/3D systems. And it sucks big time.

  77. Airport Security by Xeleema · · Score: 2, Informative

    Well that's good news, because the American ones like to plant drugs as a practical joke.

    --
    "When I am king, you will be first against the wall..."
  78. Known this for ages. by Anonymous Coward · · Score: 0

    I worked for a company that runs a payment gateway. We had to implement Verified by Visa in our systems, and we very quickly realised just how pointless it was. It was painfully obvious to us all how easy it would be to circumvent the system. The whole thing was a running joke in the office for the duration of the project.

    The trouble was, we weren't given a choice -- if we didn't implement it, we lost our deals with the card companies, which would have basically been the end of the company. And not only that, but we had to do it in a hurry -- Visa were auditing us to make sure we did it, and gave us a very aggressive deadline to get it finished.

  79. VbV by Anonymous Coward · · Score: 0

    Brings back memories of working at a bank while VbV was being implemented, we all knew it was a poor system just being used to shift blame to customers but obviously we weren't allowed to say that.

    As for security online you are best using a credit card that you pay off in the interest free period, this way your bank will work to recover any fraudulent activity as it is technically their money.

  80. Bank fucked up by Nicolas+MONNET · · Score: 2, Funny

    Chip cards have been in use for a very long time in France. They all have mag stripes, mainly because that's what most ATMs use anyway, but also for use abroad. The mag stripe contains information as to whether the card also has a chip, so that even when an authorisation (the terminal phoning the acquirer) is not required, it can decide to deny the transaction preemptively if the card is supposed to have a pin and the terminal is supposed to be able to read it.

    In that case I guess the bank is just being incompetent, and failed to implement the ultra-advanced algorithm:

    if (card.haschip() && terminal.haschipreader())
            return MUSTUSECHIP;
    else
            return ITSOKTOUSETHEMAGSTRIPE;

  81. Re:Mastercard gives me Virtual Numbers for online by thijsh · · Score: 1

    Virtual numbers are very useful, but nowhere to be found on the site. Do you have a URL?

  82. Re:Lol by osmosium · · Score: 0

    I know what you mean about Newegg. But here's a tip: When you get to the "Verified by Visa" after placing your order w/Newegg, just ignore it. It's meaningless, it doesn't work, and if you ignore it, your order will go through anyway.

  83. Mastercard Virtual Account Numbers Info Link by JoshDM · · Score: 1

    Try going here for more information. Scroll down to Virtual Account Numbers. https://www.citicards.com/cards/wv/detail.do?screenID=700

  84. Re:Lol by jecblackpepper · · Score: 1

    Verified-by-Visa is intended to be a card holder authentication step. If you cancel then all that means is that the merchant hasn't authenticated the card holder and they can decide to take the risk themselves and rely instead on other fraud checks.
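
jecblackpepper's point is the one that ties the Newegg reports together: the merchant, not Visa, decides what to do when the cardholder never completes the step. The block below is an added example for this thread, not Newegg's or any gateway's code. The outcome letters follow the 3DS 1.0 authentication statuses (Y authenticated, N failed, U unavailable); the CANCELLED outcome, the field names and the two policy functions are assumptions. Under the fail-open policy the authorisation is submitted whatever the step returned, so cancelling is as good as passing, which is what several posters saw; under the fail-closed policy the charge is submitted only on a real authentication result, and an issuer outage is routed to the merchant's own fraud checks rather than silently waved through. The liability-shift flag models the thread's claim that only an authenticated transaction moves chargeback risk off the merchant; treat that as an assumption about any particular scheme's rules.

```python
"""Merchant-side handling of the 3DS outcome: fail-open versus fail-closed (constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable


class ThreeDSOutcome(Enum):
    AUTHENTICATED = "Y"   # issuer confirmed the cardholder
    FAILED = "N"          # wrong password or too many attempts
    UNAVAILABLE = "U"     # issuer's access control server down, or card not enrolled
    CANCELLED = "cancel"  # shopper closed or navigated away from the 3DS window (assumed label)


@dataclass(frozen=True)
class Decision:
    submit_authorisation: bool
    liability_shift: bool   # assumed: only an issuer-authenticated transaction shifts liability
    reason: str


Policy = Callable[[ThreeDSOutcome], Decision]


def fail_open(outcome: ThreeDSOutcome) -> Decision:
    """Treat 3DS as optional: always send the charge, whatever the step returned."""
    return Decision(True, outcome is ThreeDSOutcome.AUTHENTICATED,
                    f"submitted regardless (3DS result: {outcome.name})")


def fail_closed(outcome: ThreeDSOutcome) -> Decision:
    """Send the charge only on a real result; route issuer outages to other fraud checks."""
    if outcome is ThreeDSOutcome.AUTHENTICATED:
        return Decision(True, True, "cardholder authenticated by issuer")
    if outcome is ThreeDSOutcome.UNAVAILABLE:
        return Decision(True, False, "issuer unavailable; merchant relies on its own fraud checks")
    return Decision(False, False, f"declined: 3DS {outcome.name}")


def summarise(events: Iterable[ThreeDSOutcome], policy: Policy) -> Dict[str, int]:
    """Count how many checkouts a policy submits without any cardholder authentication."""
    counts = {"submitted": 0, "submitted_unauthenticated": 0, "declined": 0}
    for outcome in events:
        decision = policy(outcome)
        if decision.submit_authorisation:
            counts["submitted"] += 1
            if not decision.liability_shift:
                counts["submitted_unauthenticated"] += 1
        else:
            counts["declined"] += 1
    return counts


# Constructed checkout log: one pass, two cancellations, one wrong password, one issuer outage.
SAMPLE_EVENTS = [ThreeDSOutcome.AUTHENTICATED, ThreeDSOutcome.CANCELLED,
                 ThreeDSOutcome.CANCELLED, ThreeDSOutcome.FAILED, ThreeDSOutcome.UNAVAILABLE]


if __name__ == "__main__":
    print("fail-open:  ", summarise(SAMPLE_EVENTS, fail_open))
    print("fail-closed:", summarise(SAMPLE_EVENTS, fail_closed))
```

Run over the constructed log, the fail-open policy submits all five charges with four of them unauthenticated; the fail-closed policy submits two and declines the cancellations and the failed attempt outright.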

  85. Re:Lol by Little_Professor · · Score: 1

    So I use the "forgot your password" flow every time. The genius thing about that is that it asks me stuff I'd already entered on the retailer's purchase form. There's no additional info required

    For me it always asks additional information such as date of birth, that you wouldn't have entered at the retailer's form