The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

“Verified by VISA”: Still Using SSNs Online, Dropped by PEFCU

Thursday, November 26, 2009 by Pascal Meunier
in General,
I have written before about the "Verified by VISA" program. While shopping for Thanksgiving online this year, I noticed that Verified by Visa scripts were blocked by NoScript, and I could complete my purchases without authenticating. It was tempting to conclude that the implementation was faulty, but a few phone calls clarified that the Purdue Employee Federal Credit Union stopped participating in the program. I have ambivalent feelings about this. I'm glad that PEFCU let us escape from the current implementation and surprise enrollment based on SSN at the time of purchase, and SSN-based password reset. Yet, I wish a password-protection system was in place because it could significantly improve security (see below). Getting such a system to work is difficult, because in addition to needing to enroll customers, both banks and merchants have to support it. For the sake of curiosity, I counted the number of participating stores in various countries, as listed on the relevant VISA web sites:
CountryNumber of Stores
USA126
Europe183
Thailand439
Taiwan144
Japan105
China90
Singapore65
Malaysia27
Hong Kong20
Vietnam17
Australia13
India7
Others0
Multiply this by the fraction of participating banks (data not available for the US), and for a program that started in 2001, that's spotty coverage. Adoption would be better by getting people to enroll when applying for credit cards, when making a payment, by mail at any time, or in person at their bank. The more people adopt it, the more stores and banks will be keen on reducing their risk as the cost per participating card holder would decrease. Ambushing people at the time of an online purchase with an SSN request violates the security principle of psychological acceptability. The online password reset based on entering your SSN, which I had criticized, is still exposing people to SSN-guessing risks, and also the only means to change your password. I wish that VISA would overhaul the implementation and use an acceptable process (e.g., a nonce-protected link via email to a page with a security question). The reason I'm interested is because I'd rather have a password-protected credit card, and a single password to manage, than a hundred+ online shopping accounts that keep my credit card information with varying degrees of (in)security. Using an appropriate choke-point would reduce attack surface, memorization requirements, and identity theft.

Leave a comment (7 so far) »

Comments

Posted by John Toyota
on Tuesday, December 8, 2009 at 05:22 PM
I completely agree that one centrally hosted password which would work for (almost) every shop would be very comfortable.
But as mention (in)security - in my opinion such a accumulation of passwords on some dedicated servers would definitely be a great target for hackers.
And there is no 100% secure system out there.
So I still prefer to have serveral passwords.
More uncomfortable but a lot more secure on the long run.
Posted by Pascal Meunier
on Tuesday, December 8, 2009 at 06:31 PM
John,
It's true that a central server is an attractive target. There are two threats to analyze: one is the compromise of the entire database of all credit cards, from the point of view of the credit card company. The other is the compromise of a single card, from the point of view of the card owner. Partitioning the database on several heterogeneous servers with different passwords and accounts would in theory make it less catastrophic when one of those is compromised. In that sense I agree with you. However, having identical, complete copies of the same database on multiple servers doesn't help security, because only the weakest needs to be compromised.

I would agree with you when discussing securing different resources (e.g., if you personally own several credit cards) with different passwords on different servers; that makes sense to me. However, from the point of view of the owner of a single credit card, I disagree. When you spread the same information (the same resource, the credit card) on multiple servers, only the weakest of those servers needs to be breached. I think that multiple parallel passwords don't help in protecting a single credit card, and actually increase risk.

For the sake of this argument, I've ignored the possibility of serial authentication steps that you have to do one after the other on different, heterogeneous servers to access the same resource, and also the possibility of an authentication step for each possible operation on a resource.
Posted by Alex
on Wednesday, December 30, 2009 at 06:46 PM
While a centrally hosted password would absolutely be more comfortable & convenient, but as John mentioned the place where the password is stored would be a great target for hackers, and nothing, no matter how secure, is unhackable.

I personally think that the best option to protect yourself is to diversify, i.e. different credit cards on different servers with different passwords.

Although, there's no way to guarantee that your credit card number won't get stolen. Even if you don't ever use it online, it can be stolen from the credit card company itself.

Oh what a world we live in...
Posted by Reco
on Monday, February 8, 2010 at 04:57 AM
You can imagine the type of security you will get from a company that makes use of SSNs. Until we all have personal biometric readers in combination with a two factor system, we will have to deal with arcane security.
Posted by Nelson
on Monday, February 8, 2010 at 08:13 PM
After reading your original post on the 'Verified by Visa' security farce, I shared some of your same concerns about the fact that it seemed open to being abused to basically confirm an SSN (although they're not too tough to figure out with some demographic info anyway...). No company (or government organization for the most part) should be using SSN as a unique identifier. Also, while having a centrally hosted password sounds convenient, it would be a mistake to put that amount of information and authority into one place. Just imagine what else that wealth of information could be used for; and not just if it got into the wrong hands, but even by the group charged with collecting and protecting it...
Posted by Andrew Bilger
on Wednesday, February 17, 2010 at 06:12 AM
I am very distrustful of using information online. I've read many times about holes in the security of browsers or programs that the hackers are always ahead of. I found some good advice on this website on how to protect your hard drive information:

<a href="http://www.hdrecovery.org">http://www.hdrecovery.org
Posted by Dedicated Servers
on Monday, March 8, 2010 at 01:45 AM
I completely agree with your statement "...than a hundred+ online shopping accounts that keep my credit card information with varying degrees of (in)security..."

Being with an unmanaged dedicated server hosting provider, I see a lot of servers compromised due to lack of security. You don't know if the shopping cart you're purchasing from is hosted on some fort-knox server with huge amounts of security or a 13 year old kid's server these days. Even if the online company you're purchasing from is well known and you can trust them, do you truly know who is hosting their web site?

Leave a comment

(Required)
(Required)


(Required)




« Previous entry

Next entry »

Recent Blogs

Blog Archive

Get Your Degree with CERIAS