Saturday 27 January 2007

Verified by Visa is just plain dumb

I hate the "Verified by Visa" program - it doesn't provide extra security... in fact it takes some away.

The whole concept of the Verified by Visa program is that when I pay online using my Visa card I get prompted to enter a password for my Visa card before the transaction can continue. This program is just dumb because using the VbV program is optional for merchants. This means that sometimes I get prompted to log in to the program when using the card but, more often than not, I don't. So how does this protect me, the consumer? It doesn't... fake vendors will still attempt to steal credit cards from suckers and the suckers will keep giving it to them - outside of the VbV program.

But ahhh... I hear you say... the program isn't for the consumers... it's for the merchants, it verifies to them that the credit card is really being used by the owner of the card. No it doesn't! Because if I set up a fake merchant website to steal credit card details, all I need to do is add a popup at the end asking for the user's VbV password... the user will happily give it to me because they've been trained to do this by Visa. You see, when a merchant uses VbV I, as a consumer, get redirected from the merchant's website to a supposedly Visa website (although it's not even on a visa.com URL) and asked to provide my password. This teaches users to give up their passwords to anyone who asks - bad Visa!

Similarly, if someone had already stolen my credit card through some other means (and didn't have my VbV login) and they wanted to run up a bill on it or to extract money from it - they'd just choose a merchant who isn't using the VbV program - they're not prevented from using the credit card number in any real way.

If VISA really wanted a secure program then they would require you to log into your Visa account (or your bank account) and authorise the transaction apart from the merchant's website... but they've skipped this step, no doubt, to make the transaction 'smoother'. The end result being that neither the customer nor the merchant is any more protected than they were before.

C'mon VISA - you should be doing more than training users to act in this way in the name of security theater.

2 comments:

Anonymous said...

Amiable dispatch and this mail helped me a lot in my college assignment. Thank you for your information.

Stuardo said...

Is it possible to disable this process?
