The Center for Education and Research in Information Assurance and Security (CERIAS)


“Verified by VISA” Issues


The premise of the “Verified by VISA” program seems fine:  request a password to allow the use of a credit card online, to lower credit card fraud (besides the problem of having to manage yet another password).  However, there were several problems with how I was introduced to the program:

  • I was unexpectedly requested to register my card after doing some shopping online on a site that allowed customer comments, and had forced me to turn on JavaScript.
  • I knew nothing about this program, and the request was presented in an authoritative manner, implying that I *had* to register or else my purchase would be denied.  (Bull!  Even though I closed my browser without completing the registration, my purchase went through)
  • I was asked for the last 4 digits of my SSN as proof of identity (!), along with information I had just provided to the online merchant (CC number, phone number, etc…)
  • There was no explanation or link to an explanation of what was going on, why VISA would want me to register my card and what was this program.

That appeared to me more like a phishing attempt, exploiting an XSS vulnerability, than anything else.  After contacting my bank, I was assured that the program was legitimate.  Visa actually has a web site where you can register your card for the program: 
https://usa.visa.com/personal/security/vbv/index.html

On that site, you will find that most links to explanations are broken.  I get a “Sorry! The page you’ve requested cannot be found.” when clicking almost all of them (I found out later that it works if you activate JavaScript).  Another issue is that you need to activate JavaScript in order to provide that sensitive information, therefore exposing your browser to exploits against the browser and to any XSS exploits (I’m not worried as much about the VISA site, which doesn’t have user-submitted content, as much as the shopping sites).  If you are not using NoScript or forget to disable JavaScript afterwards, then you expose yourself to exploits from all the future sites you will visit.  It’s irresponsible and unnecessary:  there was nothing in the JavaScript-activated forms (or in the explanations) that couldn’t have been done with regular HTML.  It’s all in the name of security…

A fundamental issue I have with this process is that commands (the registration) to reach a higher level of security are issued in-band, using the very medium and means (browser) that are semi-trusted and part of the problem we’re trying to solve (I realize that this program addresses other threats, such as the vulnerability of CC numbers stored by merchants).  Moreover, doing this exposes more sensitive credentials.  It is almost like hiring a thief as a courier for the new keys to the building, while giving him as well the key to the safe where all the keys are stored.

The Visa program also enables a new kind of attack against credit cards.  If criminals get their hands on your last 4 SSN digits (or if they guess it, it’s only 9999 brute force attempts) and your credit card number, they could register it themselves, denying you its use!  The motivation for this attack wouldn’t necessarily be financial gain, but causing you grief.  I also bet that you will have a harder time proving that fraud occurred, and may get stuck with any charges made by the criminals.

The correct way of registering for this program would be by using a trusted channel, such as showing up at your bank in person to choose a password for your credit card, or through registered mail with signatures.  However, these are not available options for me (I wonder if some banks offer this service, and if so, whether they are not simply using the above web site).  There should also be a way to decline participation in the program, and block the future registration of the card. 

In conclusion, this poorly executed program had a reverse effect on me:  I now distrust my Visa card, and Visa itself, a little bit more.

Update:  There doesn’t seem to be a limit on the number of times you can try to register a card, enabling the brute force finding of someone’s last 4 SSN digits (I tried 20 times.  At the end I entered the correct number and it worked, proving that it still accepted attempts after 20 times).  An attacker can then use the last 4 digits of your SSN elsewhere!  Let’s say, your retirement accounts with Fidelity and others that accept SSNs as user IDs. 

For more fun, I attempted to register my credit card again.  I received a message stating that the card was already registered, but I was offered the chance to re-register it anyway and erase my previously entered password simply by entering my name, the complete SSN and phone number.  Isn’t that great, now attackers could validate my entire SSN!

It gets worse.  I entered an incorrect SSN, and the system accepted it.  I was then prompted to enter new passwords.  The system accepted the new passwords without blinking…  Not only is the design flawed, but the implementation fails to properly perform the checks!
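The two failures described above (no cap on wrong guesses of the last four SSN digits, and a wrong SSN being accepted outright) are both failures of one server-side check. The following is an added illustration of how an issuer-side enrollment check can get both right; it is not Visa's, any issuer's, or any vendor's code. The class and function names, the `MAX_ATTEMPTS` and `LOCKOUT_SECONDS` policy values, the explicit `now` clock parameter, and the sample card are all assumptions made for the example.

```python
"""Identity check for card enrollment with attempt limiting.

Added illustration (not Visa's, an issuer's, or any vendor's code). It shows
the two checks the post found missing: the submitted secret is actually
compared against the record on file, and failures are counted and locked
out per card, so a correct guess after a run of wrong ones is still refused.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 3600  # assumed policy: one-hour lockout
PBKDF2_ROUNDS = 20_000  # kept low for the demo; use a far higher count in production


@dataclass
class CardRecord:
    salt: bytes
    last4_hash: bytes          # salted hash only; the digits themselves are never stored
    password_set: bool = False
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class EnrollmentService:
    """Issuer-side enrollment backed by an in-memory card table (constructed data)."""

    def __init__(self) -> None:
        self.cards: dict[str, CardRecord] = {}

    def add_card(self, card_id: str, ssn_last4: str) -> None:
        salt = secrets.token_bytes(16)
        self.cards[card_id] = CardRecord(salt, _hash_secret(ssn_last4, salt))

    def verify_identity(self, card_id: str, ssn_last4: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. A correct answer is still refused
        while the card is locked; that is what makes guessing unproductive."""
        rec = self.cards.get(card_id)
        if rec is None:
            return "denied"  # same answer as a wrong secret: do not reveal whether the card exists
        if rec.locked_until:
            if now < rec.locked_until:
                return "locked"
            rec.locked_until = 0.0  # lockout expired: start a fresh window
            rec.failed_attempts = 0
        if not hmac.compare_digest(_hash_secret(ssn_last4, rec.salt), rec.last4_hash):
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_ATTEMPTS:
                rec.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        rec.failed_attempts = 0
        return "ok"

    def enroll(self, card_id: str, ssn_last4: str, now: float) -> str:
        """Set the card's password only after the identity check passes, and never
        silently overwrite an existing one: re-enrollment belongs on a separate,
        out-of-band channel rather than the same web form."""
        result = self.verify_identity(card_id, ssn_last4, now)
        if result != "ok":
            return result
        rec = self.cards[card_id]
        if rec.password_set:
            return "already_enrolled"
        rec.password_set = True
        return "enrolled"


def replay_post_experiment() -> list[str]:
    """Run the post's experiment (many wrong guesses, then the right one)
    against this verifier and return the sequence of outcomes."""
    svc = EnrollmentService()
    svc.add_card("card-demo", "1234")  # constructed sample card
    outcomes = [svc.verify_identity("card-demo", "0000", now=0.0) for _ in range(6)]
    outcomes.append(svc.verify_identity("card-demo", "1234", now=1.0))     # right digits, but locked
    outcomes.append(svc.verify_identity("card-demo", "1234", now=3601.0))  # lock expired
    return outcomes


if __name__ == "__main__":
    print(replay_post_experiment())
```

The design choice worth noting is that `verify_identity` answers "denied" for an unknown card exactly as it does for a wrong secret, and answers "locked" even to the correct digits during the lockout window; the in-band form therefore cannot be used either to confirm that a card exists or to confirm the last four digits by repetition.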

Comments

Posted by Alex Vargas
on Monday, June 4, 2007 at 04:00 AM

Scary Stuff, Maybe someone should write to VISA ... I will start and hopefully others will follow to redesign this application and pull this off the web now.

Posted by Erik Soderburg
on Tuesday, July 31, 2007 at 03:18 PM

I ran into this same issue when I tried to buy a monitor on the Dell web site. It looked very fishy (or phishy) and I tried to get out of the popup thinking that it was optional, if legitimate at all. I got a stern warning about the consequences of closing the window, but I managed to close it without entering any information. This also looked very suspicious. It seemed that I could continue with my purchase, but later the “verified by visa” popup came back up and it seemed clear that I wouldn’t be allowed to complete my purchase without going through this process. So I just cancelled the whole thing (and ran virus and spyware scans!). I was going to use the phone to make the purchase but tried using a Mastercard online and this worked without a similar problem. When I googled “verified by visa” your post was the first hit that wasn’t a Visa site. I’m glad to see that someone else has run into this and agrees that it is very badly presented. It was interesting to see the results of your experiments into just how badly this is designed, especially from a security standpoint. I think I’ll complain to Dell and tell them that they almost lost a sale because they made signing up for this at the time of purchase, with no real explanation, mandatory. Thanks for the additional information about this problem and badly run program.

Posted by Bclinton
on Sunday, August 19, 2007 at 07:10 AM

I see a lot of pharmaceutical emails saying “Verified by Visa”. Is there a site that lists the actual stores that are actually “verified by Visa”?

Posted by Dave Rutledge
on Tuesday, August 28, 2007 at 05:38 PM

Just ran into this myself.  If someone cracks and roots my system, I doubt she will have too much trouble getting this new password along with all the other data needed.  These guys must be hiring tenth decile business majors as security managers.

Posted by Pascal Meunier
on Thursday, September 6, 2007 at 03:19 AM

Bclinton, a bit of Googling turned up this:

http://usa.visa.com/personal/security/visa_security_program/vbv/shop.html

Indeed, it’s likely that this mechanism will become another target for phishing so it’s not a bad idea to verify the legitimacy of “verified by VISA” requests.

Posted by cafeameric
on Monday, September 10, 2007 at 11:02 AM

I was very suspicious when I encountered the “verified by VISA” pop-up, since I’d just given my credit card number to the merchant I was attempting to make a purchase from.  Also disliked being “forced” into filling out the “verified by VISA” form to complete my purchase.

I’ve since discovered that I can enter “none” into most of the boxes on the form, and a date of my choice in the expiration date box, then hit enter, and have the pop-up disappear, allowing me to complete the checkout process!

Posted by Jameson Burt
on Monday, October 15, 2007 at 04:02 AM

With a Purdue degree, I have also had problems with Verified by Visa.
I too perceived its actions as insecure, ending at various times large orders with newegg.com, zipzoomfly.com, nextwarehouse.com, and viosoftware.com.  I found other companies to take my orders.
Combined with the widespread Diebold election insecurities if not downright fraud, one must question banking institutions’ choices for security with Diebold and “Verified by Visa”.

What are banks’ main business?
Security?
No, their main customers are customers because they want to make business transactions.
When security is both insecure and impedes business deals, it’s time for us consumers to look elsewhere.  I wish Purdue Employees Federal Credit Union (PEFCU) would offer some credit card besides Visa, or a choice of credit cards.

Because I use Linux computers with Mozilla or Firefox web-browsers, I have met numerous problems with “Verified by Visa” during commercial transactions. 
I’m reminded of PEFCU’s early attempts at web access.  Eventually, after over a year, PEFCU fired their computer programmers and hired another company to program web transactions.
So too, Verified by Visa should probably fire the group that conceived it and programmed it.

Posted by M_Fox
on Wednesday, October 17, 2007 at 07:17 PM

I’ve hit this for the first time trying to order from Wal*Mart, of all places.  VbyV isn’t letting me out of its screen.  My main concern is that there is a blurred logo in the upper right hand corner of my credit union’s OLD name.  Big red flag right there!
Think I’ll have to go dig out the mastercard.

Posted by S_Smith
on Wednesday, October 24, 2007 at 07:59 AM

MasterCard has an identical program called MasterCard SecureCode. 

I work in the Verified by Visa/SecureCode industry (not for Visa, MC, or the above companies listed) and many of the above opinions are warranted.

How a merchant chooses to implement the solution has a positive or negative impact on the customer’s experience.

Many of the above stories don’t lead towards a poor product, but rather poor consumer education by both the merchant and your bank.

The above stories also point to the local credit union that issues Purdue University employees’ Visa Cards.

In the US Visa has allowed Credit Unions to mandate Verified by Visa and SecureCode on all their cardholders who shop online.  If you are not already enrolled, you will be prompted to (as noted above); this process is called Activation During Shopping (ADS).

The likes of Dell and Wal-Mart do not control ADS or what is displayed in the window for your password.  This is all controlled by Software that your Credit Union maintains and runs.  Probably bought from one of two companies, Arcot Solution or Cyota.

The creation of a password or submitting of a password is not shared with Dell or Visa.  It is being directly submitted to your card issuer (Credit Union) for validation or creation.

Your Credit Union should be made aware that their software is causing confusion and may not be up to par with other card issuers’ software platforms running the same programs.

However, VbV and MCSC are here to stay, with 30,000+ merchants currently running the programs and 100,000,000 card holders worldwide already enrolled.

MasterCard has started to mandate SecureCode in many international regions for certain MC card types.

33% of Visa Card holders enter their password when shopping online every day.

In the UK and other parts of the world VbV/MCSC are second nature to those consumers who have embraced this extra layer of security because of the lack of other security measures, such as Address Verification.

It is very interesting that this community is discussing the programs.  At the very least discussions like this can lead to positive changes in the experience.

Posted by D Lim
on Friday, October 26, 2007 at 07:52 AM

This is a good program that is just badly implemented.  They have had a few years to implement this and surely someone could have thought of a better launch plan.  Catching everyone by surprise like this “pop up” is irritating at least and downright “fishy” at worst.

VbV is basically a program to shift liabilities around, from the merchants to the issuing banks.  At the end of the day they need us the consumers to participate to allow them to reduce the risk of accepting orders online.  That is not bad.  The industry will save billions lost to fraudsters annually.  Shouldn’t VISA get the industry to offer an incentive to the consumer?  Get the banks to explain how it helps the industry, how we can be offered an incentive to participate, and oh BTW how it works as well.

Posted by P Maitra
on Friday, October 26, 2007 at 09:48 AM

“Verified by VISA”! Wow!  Sounds like an attempt by the merchants to get to know you a little better may be—by your SSN!  Otherwise why would the popup be presented during the transaction of sensitive information with your merchant?  The first time newegg.com threw that at me I called up the credit card issuer immediately and asked for guidance.  They told me to just close that window and everything would be fine.

I specifically asked if this is something the issuing bank has arranged with “Verified by VISA”.  They said no such arrangement is in place and they neither endorse nor discourage the use of it.

Personally, I do not want to manage “just one more password” ... already there are plenty.  And let the burden of a fraudulent transaction still remain with Visa or the issuing bank while limiting my liabilities to $50.

Posted by Doug Wade
on Saturday, October 27, 2007 at 08:29 AM

I just tried to order a $2700 machine from Dell and failed because of this.  It looked like a phishing attempt to me as well - and there’s no way I’m going to enter any social security information while buying a computer.  That’s just crazy.

Posted by e_goodman
on Saturday, October 27, 2007 at 09:34 AM

Actually, the merchant never captures your password or any of the information you share to set up the password.

You are directly communicating with your bank and sharing this information directly with your bank. Not the merchant.

Posted by Ed Finkler
on Saturday, October 27, 2007 at 01:34 PM

@e_goodman: That’s in many ways irrelevant. There’s no way to verify what’s happening.

In fact, I’d argue that this process is actually training people to be victims of phishing attacks.

Posted by dollhouse
on Tuesday, November 20, 2007 at 04:23 PM

I too got stuck with verified by visa, after 2 calls to my bank, 3 emails to the walmart website and 2 emails to verified by visa, i still can’t use my card….what a joke!!!!!!!!!!!!!!!

Posted by Name
on Sunday, November 25, 2007 at 04:58 AM

It’s a good program… but the way it was being implemented is not correct or needs to be improved

1)There was no mail or post to me from the bank or Visa about this program

2) We should register this through the bank website ..rather than through XXXX.com since we are giving the SSN

Posted by m gagnon
on Thursday, November 29, 2007 at 06:52 AM

Wow! I’m so glad that I checked out this site before filling out the VbyV site requested by Walmart. I decided to pick up photos instore rather than use CC.

We’ve all been cautioned by these phishing attempts. My sister got caught by a fake EBay verification and got stung. No way will I sign up. Thanks for your info.

Posted by J Duggan
on Monday, December 3, 2007 at 07:33 PM

I made a Black Friday purchase from Walmart using my VISA card. The request came up for information for the Verified by Visa which I provided. The purchase shows up as verified on the card issuers website but Walmart canceled my order due to some problem with the verification process which they can’t disclose to me. VISA cost me a good purchase.

Posted by Adrian
on Sunday, December 9, 2007 at 01:06 PM

I’ve just had a similar experience, but the sign-up was not in a separate window, it was inline with the purchasing flow (perhaps it was in an IFRAME).  It also required activating Flash in addition to JavaScript.  There was no way to complete the purchase by closing the separate window.

I jumped over to the Visa site.  It says “create a unique password for your card.”  Sorry, but it’s not per card, it’s per account.  If you share an account with your spouse, you have to agree on and share a password.  Furthermore, only the primary card holder can sign up for it.

This is introduced at the wrong time, and it’s training users to be phished.  Merchants should be furious that they’re losing sales because secondary card holders cannot sign up and complete a purchase.

Posted by Robert Fuchs
on Wednesday, December 12, 2007 at 01:45 PM

I backed out of the newegg verified window, I never got an order confirmation; nonetheless it placed the order. I ended up ordering 3 times. I ended up calling Bank of America where they claimed that had no affiliation to the system. That’s BS, their logo was all over everything including the terms of agreement. People please complain to Visa.

Posted by Chris Heidelberg
on Monday, December 17, 2007 at 08:57 AM

As a new media researcher, I was appalled by this service. It is extremely heavy-handed and it has made me become very anti-Dell. Dude, you’re going to get Phished is what I felt like when I tried to do this. I actually went to the site directly and registered, but the fact that there are no links back to the secured site is simply ominous. You can bet I will be posting this on my blog.

Posted by Heinz
on Wednesday, December 26, 2007 at 09:43 AM

I had similar problems to what J Duggan had. I was trying to make Boxing Day purchases at ‘BestBuy’ and the VbV process wound up making me lose out on 4 purchases due to the Check out process “timing out” for the VbV authentication. (I did this 3x) Unbelievable! If you ever buy anything off of BestBuy, use a Mastercard, as BestBuy isn’t set up with them yet. Oh, and VbV recorded all of them as legit transactions, while BestBuy did not, I only got a confirmation from BestBuy on my Mastercard. What a horrible system! I’m going to have to fight transaction bills on my VISA.

Posted by Susan
on Thursday, December 27, 2007 at 10:29 AM

I just ran into “Verified by Visa” while trying to buy a gift certificate at newegg.com.  Given that I don’t want to patronize Frys, what’s a good site to buy a gift certificate for digital products that doesn’t require registering for this program?

Posted by Bob
on Monday, December 31, 2007 at 04:45 AM

I can only add that I, too, was ‘phished’ (‘phushed’?) into VbV early in 2007. It’s caused only trouble since, preventing transactions from completing on sites where I’d had no problem before.

Worse yet I see that my VbV pw is the SAME as the one for my VISA bank’s website. This I only found out the hard way, after changing the one in the Verified by Visa screen while attempting a transaction, and later finding myself locked out of the bank/VISA card site when I went to pay the bill.

Not good.

Posted by Bob
on Tuesday, January 1, 2008 at 03:16 AM

Happy New Year!

I have written to my VISA issuing bank to complain about Verified by Visa. Below is the text of my letter, with my personal data removed:

(My address)


(My VISA bank’s address)

Verified by Visa:    COMPLAINT

Visa cardholder:    XXXXXXXXXX

Account number:    XXXX-XXXX-XXXX-XXXX


To whom it concerns:

I write to complain in the strongest terms about the costs to me, the anxiety, and the time lost thanks to the implementation of ‘VERIFIED BY VISA’. I have telephoned to order that this service be removed from all of my VISA card accounts for the following reasons:

1.  Your ‘offer’ of this service was a pop-up window that appeared some time ago as I made a routine online payment to an Italian website. The message said I had to enroll or be unable to use my card as I was then doing. Note: this method of enrollment should be regarded as a classic model for phishing websites.

2.  I am now unable to complete online payment at any site where the Verified by Visa popup screens appear. The reason is ‘lack of authorization’ according to the error messages.

3.  The password required for Verified by Visa is the same as that for my website access for US Bank’s online services for my VISA account. The security risk this presents is obvious.

I might welcome additional safety as promised by Verified by Visa, but for now this feature is flawed and fails its stated purpose. A little research* turns up ample advice that it actually harms security. I refer you to the Purdue University IT sector among others. I can’t use it as-is and won’t accept the additional expense in time and money its defects cost me.

In future I will expect full compensation from US Bank and Verified by Visa for such costs.

I telephoned Verified by Visa yesterday, (31 December, 9:28 am EST, at 1-866-213-1177) to ask Verified by Visa be removed. The representative stated it would take 15 minutes to do so. When, 90 minutes later, it was still active, I telephoned again and was told to wait 24 hours. Please note the inconsistencies in these support advisories.

I am available to you if you wish further information. You may contact me directly by telephone at XXXXX, and through email, .


Sincerely,

XXXXXX


*See: CERIAS Weblogs » “Verified by VISA” Issues,

Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

www.cerias.purdue.edu/weblogs/pmeunier/secure-it-practices/post-91/verified-by-visa-issues/
