The Center for Education and Research in Information Assurance and Security (CERIAS)


“Verified by VISA” Issues


The premise of the “Verified by VISA” program seems fine:  request a password to allow the use of a credit card online, to lower credit card fraud (besides the problem of having to manage yet another password).  However, there were several problems with how I was introduced to the program:

  • I was unexpectedly requested to register my card after doing some shopping online on a site that allowed customer comments, and had forced me to turn on JavaScript.
  • I knew nothing about this program, and the request was presented in an authoritative manner, implying that I *had* to register or else my purchase would be denied.  (Bull!  Even though I closed my browser without completing the registration, my purchase went through)
  • I was asked for the last 4 digits of my SSN as proof of identity (!), along with information I had just provided to the online merchant (CC number, phone number, etc…)
  • There was no explanation or link to an explanation of what was going on, why VISA would want me to register my card and what was this program.

That appeared to me more like a phishing attempt, exploiting an XSS vulnerability, than anything else.  After contacting my bank, I was assured that the program was legitimate.  Visa actually has a web site where you can register your card for the program:
https://usa.visa.com/personal/security/vbv/index.html

On that site, you will find that most links to explanations are broken.  I get a “Sorry! The page you’ve requested cannot be found.” when clicking almost all of them (I found out later that it works if you activate JavaScript).  Another issue is that you need to activate JavaScript in order to provide that sensitive information, therefore exposing your browser to exploits against the browser and to any XSS exploits (I’m not worried as much about the VISA site, which doesn’t have user-submitted content, as much as the shopping sites).  If you are not using NoScript or forget to disable JavaScript afterwards, then you expose yourself to exploits from all the future sites you will visit.  It’s irresponsible and unnecessary:  there was nothing in the JavaScript-activated forms (or in the explanations) that couldn’t have been done with regular HTML.  It’s all in the name of security…

A fundamental issue I have with this process is that commands (the registration) to reach a higher level of security are issued in-band, using the very medium and means (browser) that are semi-trusted and part of the problem we’re trying to solve (I realize that this program addresses other threats, such as the vulnerability of CC numbers stored by merchants).  Moreover, doing this exposes more sensitive credentials.  It is almost like hiring a thief as a courier for the new keys to the building, while giving him as well the key to the safe where all the keys are stored.

The Visa program also enables a new kind of attack against credit cards.  If criminals get their hands on your last 4 SSN digits (or if they guess it, it’s only 9999 brute force attempts) and your credit card number, they could register it themselves, denying you its use!  The motivation for this attack wouldn’t necessarily be financial gain, but causing you grief.  I also bet that you will have a harder time proving that fraud occurred, and may get stuck with any charges made by the criminals.

The correct way of registering for this program would be by using a trusted channel, such as showing up at your bank in person to choose a password for your credit card, or through registered mail with signatures.  However, these are not available options for me (I wonder if some banks offer this service, and if so, whether they are not simply using the above web site).  There should also be a way to decline participation in the program, and block the future registration of the card. 

In conclusion, this poorly executed program had a reverse effect on me:  I now distrust my Visa card, and Visa itself, a little bit more.

Update:  There doesn’t seem to be a limit on the number of times you can try to register a card, enabling the brute force finding of someone’s last 4 SSN digits (I tried 20 times.  At the end I entered the correct number and it worked, proving that it still accepted attempts after 20 times).  An attacker can then use the last 4 digits of your SSN elsewhere!  Let’s say, your retirement accounts with Fidelity and others that accept SSNs as user IDs. 

For more fun, I attempted to register my credit card again.  I received a message stating that the card was already registered, but I was offered the chance to re-register it anyway and erase my previously entered password simply by entering my name, the complete SSN and phone number.  Isn’t that great, now attackers could validate my entire SSN!

It gets worse.  I entered an incorrect SSN, and the system accepted it.  I was then prompted to enter new passwords.  The system accepted the new passwords without blinking…  Not only is the design flawed, but the implementation fails to properly perform the checks!
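The three failures described above (unlimited attempts against a 4-digit secret, re-registration that overwrites an existing password, and an identity check whose result is never enforced) all come down to the same missing server-side logic. The following is an added illustration written for this post from the card issuer's side; it is not Visa's code or anything from the program, and the card number, SSN fragment and the lockout threshold of 5 are constructed values. It shows an identity check that counts failures per card, locks enrollment after a threshold, refuses to set a password unless the check actually passed, and a small simulation that measures how far a sequential guesser gets with and without the lockout.

```python
import hmac
from dataclasses import dataclass


@dataclass
class EnrollmentRecord:
    """Issuer-side record for one card. Values are constructed for the example."""
    ssn_last4: str
    failed_attempts: int = 0
    locked: bool = False
    password: str = ""


class EnrollmentService:
    """Identity check for an online enrollment step, with per-card lockout.

    max_failed_attempts=None reproduces the unlimited-attempts behaviour the
    post describes; a small integer bounds what a guesser can learn.
    """

    def __init__(self, records, max_failed_attempts=5):
        self._records = records          # card number -> EnrollmentRecord
        self._max_failed = max_failed_attempts

    def verify_identity(self, card_number, ssn_last4_claim):
        rec = self._records.get(card_number)
        # Unknown or locked card: fail without saying which, so the response
        # does not confirm that a given card is enrolled.
        if rec is None or rec.locked:
            return False
        # Constant-time comparison of the claimed digits against the record.
        if hmac.compare_digest(rec.ssn_last4, ssn_last4_claim):
            rec.failed_attempts = 0
            return True
        rec.failed_attempts += 1
        if self._max_failed is not None and rec.failed_attempts >= self._max_failed:
            rec.locked = True
        return False

    def set_password(self, card_number, ssn_last4_claim, new_password):
        """Only a verified identity may set or replace the password."""
        if not self.verify_identity(card_number, ssn_last4_claim):
            return False
        self._records[card_number].password = new_password
        return True

    def is_locked(self, card_number):
        rec = self._records.get(card_number)
        return rec is not None and rec.locked


def simulate_guessing(service, card_number):
    """Try every 4-digit value in order and report how far a guesser gets.

    Returns (attempts_made, found). There are 10,000 values (0000 to 9999).
    """
    attempts = 0
    for guess in range(10_000):
        attempts += 1
        if service.verify_identity(card_number, f"{guess:04d}"):
            return attempts, True
        if service.is_locked(card_number):
            return attempts, False
    return attempts, False


def make_service(max_failed_attempts=5):
    # Constructed sample data: a well-known test card number and a made-up SSN fragment.
    records = {"4111111111111111": EnrollmentRecord(ssn_last4="1234")}
    return EnrollmentService(records, max_failed_attempts)


if __name__ == "__main__":
    print("unlimited attempts:", simulate_guessing(make_service(None), "4111111111111111"))
    print("lockout after 5:  ", simulate_guessing(make_service(5), "4111111111111111"))
```

Two caveats follow from the post itself. A lockout keyed on the card number is exactly what makes the denial-of-use attack described earlier possible, so a locked enrollment must only be re-enabled through the issuer over a channel other than the same web form, and a generic failure response is what keeps the "card already registered" message from confirming enrollment status to a stranger.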

Comments

Posted by Alumna
on Thursday, January 10, 2008 at 10:39 AM

I am on hold with VbyV right now.  I have been holding for 30 minutes.  Before that I was on hold for 30 minutes before the system disconnected me.  Before that I was on the phone for an hour with 3 different people, one who mistakenly transferred me to the Spanish speaking menu, instead of a verified by visa person to help me with my issue.  Yesterday I was on the phone with my bank for almost two hours, talking to 8 different people, none who were able to help me with the fact that I can’t make a purchase on a certain website without the VbyV registration, though the VbV screen keeps telling me I’m entering my info incorrectly (even though I’m not).  The bank could not give me VbyV’s phone number and VbyV continues to tell me this is an issue with my bank (when they don’t have me on hold - 37 minutes and counting for round 2).  Right now I’m only continuing to hold so I can yell at someone.

This is an awful program - I CERTAINLY will not register with it.  It is poorly handled - the Visa and bank phone agents are clearly running through a script and are not trained well.  The web site will lose a customer because of this.  I will do everything in my power to make sure others know how poorly my issue (which should not have EVER been an issue in the first place) has been handled.

I’m writing visa a letter, but more importantly, I’m going to see if someone in the media will pick up this story.  And the more web sites I can find to post how terrible this program is, the better.

Awful, awful, awful.  Shame on visa.

Posted by Stephen Rapp
on Thursday, January 10, 2008 at 12:15 PM

I was attempting to buy a software upgrade from MacMall today when the Verified by Visa page came into play (not as a pop-up). I clicked on a link for a window that would explain it. It stated authoritatively that I already had this password and would need to enter it. I called my bank and they knew nothing. I went to the verified by Visa site and it had no customer service contact. I called the main visa number for my bank and they couldn’t find a contact either, but suggested I try the number for their ID theft Hotline. Some hotline that was. You dial in your zip code and are given numbers to “volunteers” who have specific hours 3 days a week. That’s scary!
I called my bank visa again and got transferred to an online specialist. They said I simply need to go through as if I’m going to enter my password on the Visa verify site and you can enter a new password. That all seemed pretty weird. Then I tried using my new password to complete my purchase. At first it seemed like it went through then suddenly I was redirected back to where I put in shipping information.
I contacted MacMall a while later from work and they only had record of an account from a few years ago and not the one I had just created an hour ago. A few hours later I called and they showed 2 accounts, but none were just created. When asked about the Visa verify thing they had no real information. They just keep telling me to keep checking back. I didn’t get any instant emails back from either MacMall or Verify by Visa, so I feel very uneasy about the whole thing. I’ve bought things on line from small ma and pa outlets with no problems. Now I’m feeling like they are trying to get every bit of personal info they can manage. I’m probably gonna switch banks and start over.

Posted by Mary Kay
on Monday, January 14, 2008 at 01:33 PM

Yes, to all of the above complaints.  Trying to back out (because I wasn’t comfortable giving my personal information on line) was a real treat.  I finally exited the Internet.  I went back to the site and purchased with my Master Card.  I’ve had to write “The Skinstore” to make sure I only ordered once, but after reading the above, I better check my Visa account to make sure I wasn’t charged twice.  I do almost all of my ordering online and I am definitely not a fan!

Posted by Catherine
on Thursday, January 17, 2008 at 02:59 PM

I was just confronted with this yesterday when I went to buy downloadable VJ mixing software online. I thought that was weird, but I went through with it. I figured if they had the rest of my SS# blanked out except for the last four digits, it was legit and safe enough. I’ve just never seen this before and wondered why an online software company from Europe would require this or will this happen with anything I buy online with Visa from now on? I did get an email verification from Chase bank directing me to the Verified by Visa Web page.

Posted by ricardo smith
on Wednesday, January 30, 2008 at 07:07 PM

I encountered the Verified by Visa scam, also by surprise, while shopping online at Fry’s Electronics.  I had the similar experience of apparently being denied completion of purchase if I did not join up with verified by Visa.  I did complete the registration but got annoyed the next time I shopped so I refused to use it.  Surprise! I could purchase anyway.  Then the $49.99 bills started coming MONTHLY!!  I contacted them and got 3 months fully refunded and my membership in Verified by Visa cancelled.  I’m writing because none of the posts mentioned that they steal your money big time.  You should all check your credit card bills!

Posted by ricardo smith
on Wednesday, January 30, 2008 at 07:17 PM

In my previous comment it should be added that the $49.99 charges were from onlinesupplier.com, who offers Verified by Visa as fraud protection. Ironic. I am furious with the retailer for allowing this scam to be perpetrated on the customers.  They must be in cahoots.

Posted by Tia
on Saturday, March 8, 2008 at 04:55 AM

I just keep getting a script error and a bunch of call this and that from my credit card issuer. They seem to have no control of it. It has happened with two of my cards, one for a credit union and one from PNC bank. I can’t make any purchases because they tell me my password is wrong. There is no contact info for Verified by Visa. It’s really frustrating to have someone else in control of whether I can spend my money online or not.

Posted by Oblio_A
on Wednesday, March 26, 2008 at 04:56 PM

From the Wells Fargo VbV FAQ…

“Macintosh computer operating systems are not currently supported by Verified by Visa.”

So, now half of the world’s credit-cards won’t work on a tenth of the world’s computers. How does this help consumers?

Posted by Nick
on Monday, April 14, 2008 at 11:36 PM

I tried to buy a gift for my wife, and every time I tried to complete the VISA transaction I got an error.
There was no indication whether I’d entered the card details wrong, or just failed the VbV check, or whether it was a problem with the merchant’s site.
In retrospect, it was probably my fault for using Firefox + NoScript, but I ended up just calling the merchant and completing the order over the phone.

So maybe this is the plan to tackle online fraud: make the online payment experience suck so bad that nobody will want to use it, and they’ll just pay offline instead.

Posted by Phil
on Tuesday, April 22, 2008 at 08:28 PM

Thanks for the tip on backing out of the VbV page!  I was placing an order with NewEgg.com (a great online retailer) and got the VbV page.  I went back a few pages, clicked My Account and saw the order there, all ready to go—without “verifying” with Visa.

“Verified by Visa” screens give NO exit. I’m a savvy user, but 99% of people wouldn’t dare guess to back up. Worse, most retailers warn users not to back up or “it will cause your order to be charged twice” (or some such warning). Totally unconscionable!

Posted by Alan North
on Wednesday, April 23, 2008 at 02:13 AM

M-Fox says above:
“In the UK and other parts of the world VbV/MCSC are second nature to those consumers who have embraced this extra layer of security because of the lack of other security measure, such as Address Verification.”

No, it’s not second nature. I have never been able to buy anything online through vBv, even with merchants with whom I have a long history of on-line purchases. I even tore up one credit card and got another issued - same problem. I have a flawless credit history btw.
