Greg's “Verified by VISA”: “security” for morons

Since early 2008 I've had repeated difficulties paying some online transactions with my VISA credit card. The cause is one of the most broken online applications I have ever come across, “Verified by VISA”. The design and implementation both raise severe doubts about the capability of the people behind it.

To quote their web site:

... Verified by Visa, a free, simple-to-use service that confirms your identity with an extra password when you make an online transaction.

But does it confirm my identity? To register, assuming that registration even works, I need the following information (click on any image for larger versions):

[Image: vbv.detail, screenshot of the Verified by Visa registration form, 390 x 883]

That's the information on my credit card, and my birth date. Anybody who gets my card in his hand can get the former, and the latter is available in dozens of places on the web. If they intend to abuse the system, it's even easier: “Please show me a photo ID”. In Australia that's usually a driver's license, which has the date of birth written on it. So do most other “photo IDs”. So the “security” is, at best, non-existent.

Does registration work? Not for me. The image above also gives the highly informative text “an error was encountered”. It doesn't even have the semantic completeness to state that the error was “encountered” during the attempted registration, let alone the nature of the error.

And what happens if you lose your password? Never mind, just re-register. Same security as before.

What happens if Verified by VISA loses your password, as has happened to me? Never mind, just re-register. Same security as before.

What happens if you have a password, but somebody doesn't know it? Never mind, just re-register. Much less security than before. This has been commented on in more detail elsewhere.

As I mentioned, in the past “Verified by VISA” has “lost” my password. I think what really happened was that on one occasion they changed their rules for passwords, making the minimum length longer, and mine was no longer valid. On another, they decided that including certain characters makes the password insecure—only letters and digits, please. But given the ease with which people can get the information needed to change my password, it could equally well have been somebody changing it for me. Now doesn't “that” make you feel secure?

So what's the point in the exercise? I can't see any. But my bank, ANZ, appears to insist on it. According to The Register, this is a voluntary scheme, and banks are “bullying” their customers into using the scheme. This certainly appears to apply to ANZ. This article also states that the “personal” information can vary from country to country (and possibly from bank to bank). I wonder who the idiot was who chose the date of birth.

The Register also has another interesting article on phishing related to VbV. That's another serious issue: how do I know, when I enter the password, that it's really VbV? Almost nobody checks that web sites are who they say they are.

In early 2010, somebody apparently presented a paper stating these same facts. The report on the matter is unfortunately broken; the HTML for the link is:

 They wrote a seven-page <a href="http://Financial Cryptography and Data Security" target="_blank">paper</a> on the topic

The correct link is here. It's well worth reading.

My experience with VbV

None of this would be quite as bad if the scheme actually worked. I've been told by ANZ online staff that they're inundated with complaints about it. In my own experience, I've had very little success in even registering, and when I do, the system forgets my registration or claims that my password is invalid. Here's a brief summary with references to my online diary:

The results were horrifying: on 7 November I received a phone call from somebody claiming to be Maryanne from ANZ bank, relating to my complaint. So far so good, but the first thing she did was to ask me for my secret password, the one that gives unlimited access to my account.

As usual, of course, I refused, and made my annoyance clear. Her answer was to give me her identification code, MV9, as if that would prove that she works for ANZ. When I told her that I would not discuss the matter with her over the phone, and that I saw no reason to call back when ANZ should be answering the letter, she said that she would close the complaint.

In the end, I did call back and gave the reference number she had given me—only the first three digits of a six-digit number—and spoke to an almost inaudible Nicky, who told me that Maryanne had closed the complaint as “resolved”! What insolence!

She also claimed that Verified by VISA was imposed by VISA, that there was no opt-out, and that I should contact VISA if I had further questions. To prove her point, she pointed me to the VBV FAQ, which said no such thing:

Q: What if I don't sign up for Verified by Visa?

A: Without Verified by Visa you will not benefit from the fraud and dispute protection Verified by Visa provides. Visa estimates that the costs associated with e-commerce fraud and disputes can be reduced by up to 50 percent with Verified by Visa.

On the contrary, this statement makes it clear that it is possible not to sign up for the scheme. But she wanted to answer the question over the phone. I asked her if she was refusing to give me a written answer, and she finally said that she would send a written reply. But what an unbelievable lack of security!

The reply arrived on 18 November 2008, though it claimed to be in reply to a phone call. And, of course, it didn't address the issues beyond saying “no, we can't take you off this scheme”. It's possible that they're correct, but the level of accuracy they've shown me so far gives me no reason to believe their version over other, conflicting information. In particular, as a bank, they should be insisting on proper security. Instead, they're just blaming it on VISA. Time for a new bank.

By coincidence, also on 18 November, I bought a monitor on-line, and paid by PayPal, which, after my experience with Verified by VISA, was particularly attractive. The whole transaction was over and done with in 5 minutes, a far cry from the pain I've experienced with ANZ.

One of the interesting things about the order was a little detail in the order form:

[Image: id, detail from the on-line order form of Tuesday, 18 November 2008, 967 x 85]

This is exactly the scenario that I had mentioned above. With this information, they would have everything they needed to sign up with Verified by VISA as myself. The only “security” is that the signup almost never works properly.

After the end of 2008, I have had no more problems with using “Verified by VISA”, at least partially because I have only used it twice. The insecurity remains.



$Id: verified-by-visa.php,v 1.8 2010/01/29 01:31:47 grog Exp $