Thursday, February 02, 2006

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa. I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the system was activated. I was redirected away from the domain at which I was shopping, to a URL which was:
  • not the domain where I was shopping,
  • not the domain of the bank that issued my card,
  • not visa.com.
I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man-in-the-middle or phishing scam. (Never mind that all the best phishing scams nowadays look like the actual domain of the bank or vendor, due to security holes in web browsers.) I would have done this myself, except that I was actually aware of the Verified by Visa program and was seeking it out to take it on a trial run. I was surprised at this designed-in behavior.

Apparently, Visa farms out these verification transactions to third-party vendors, so that a variety of domains might be encountered as one verifies different cards at different times while shopping at different online sites. They might look slightly different, one to the next. The web page that was "verifying" my card asked me for super-secret information to prove that I'm the real card holder, and/or that I was holding the card. Some of this information I had just typed into a different form at the online vendor where I was attempting a purchase. As far as one can tell without grilling Visa, this system creates, through the use of these third-party intermediaries, yet another web server that can be cracked to steal large pools of credit card numbers and identity information.

The user experience was disconcerting. It looked and felt exactly like a low-quality phishing scam web site, except that it resulted from an online transaction that I initiated, rather than from clicking on an email spam. I expect that this "Verified by Visa" system will become a target of something like a phishing or pharming scam soon enough. (When it happens, someone will probably come up with a new cute name for the "proxy in the middle verifying scam", something like the "veriphying" scam. You read it here, first.)
Compromised web servers which host shopping sites but not databases full of credit card information will soon have "volunteer" administrators eagerly "verifying by Visa" in order to collect identity information that the retail site doesn't collect on its own. Only now, there won't be any easy way to tell end users how to avoid the scam. If a site isn't actually using the Verified by Visa system, such scams are likely to be detected relatively early by the vendor. Even so, for a high-volume site, perhaps hundreds of identities could be stolen before the scam was detected. If a site is actually using the Verified by Visa program, the spoof intercept would probably need to proxy to the actual Verified by Visa site being used by that online vendor. This would allow the charge to complete and the scammer to evade detection, possibly for months or years. (If the veriphying scam agent wasn't a proxy, presumably the charge attempt would fail, causing the intrusion to be detected.) I'll probably switch to using a different card when purchasing online for a while, at least until I have a chance to learn a little more about how it works, and how easy it might be to spoof it.
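The three-part check the post describes (the redirect target is not the shop, not the issuing bank, and not visa.com) is easy to state but easy to get wrong in practice, because "looks like visa.com" and "is visa.com" are different things. The following is an added example, not code from the post or from Visa, that turns the check into a small classifier: it reduces the redirect host to its registrable domain, accepts only the shop, the issuer or the card brand, and flags the two patterns that commonly fool people, a trusted name embedded as a subdomain of an unrelated domain and a bare IP address. All domain names in it (shop.example, mybank.example, the vendor host, the IP) are constructed placeholders.

```python
"""Classify a checkout redirect URL against the domains a shopper can reasonably expect.

Added illustration of the post's three-part check: the redirect target should be
the shop's domain, the issuing bank's domain, or the card brand's own domain.
Every hostname below is a constructed placeholder, not a real service.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values for this example (placeholders, not real services).
SHOP_DOMAIN = "shop.example"
ISSUER_DOMAIN = "mybank.example"
BRAND_DOMAIN = "visa.com"


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g. 'usa.visa.com' -> 'visa.com'.

    Simplification: multi-label public suffixes such as 'co.uk' are not handled;
    a production check would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_redirect(url: str, shop_domain: str = SHOP_DOMAIN,
                      issuer_domain: str = ISSUER_DOMAIN,
                      brand_domain: str = BRAND_DOMAIN):
    """Return (verdict, findings).

    verdict is 'known' when the redirect lands on the shop, the issuer or the card
    brand's registrable domain, otherwise 'unrecognised'. findings lists every
    reason for concern so the reader sees *why* the page looks like phishing.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    if parts.scheme != "https":
        findings.append("not served over https")

    # A bare IP address is never a legitimate card-verification host.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
        return "unrecognised", findings
    except ValueError:
        pass  # not an IP literal; carry on with the domain checks

    trusted = (shop_domain, issuer_domain, brand_domain)
    rd = registrable_domain(host)
    if rd in trusted:
        return "known", findings

    # Lookalike check: a trusted name used as a subdomain label of an unrelated
    # domain, e.g. 'visa.com.evil.example', is a classic phishing pattern.
    for name in trusted:
        if name in host:
            findings.append(
                f"lookalike: '{name}' appears in host but registrable domain is '{rd}'")

    findings.append(
        f"registrable domain '{rd}' is not the shop, the issuer or the card brand")
    return "unrecognised", findings


if __name__ == "__main__":
    # Constructed sample redirects covering the legitimate case, an unknown
    # third-party verification vendor, a lookalike host and a bare IP.
    samples = [
        "https://usa.visa.com/verify",
        "https://verify.acs-vendor.example/auth",
        "http://visa.com.evil.example/verify",
        "https://203.0.113.7/vbv",
    ]
    for sample in samples:
        verdict, why = classify_redirect(sample)
        print(f"{verdict:12} {sample}  {'; '.join(why)}")
```

The second sample is the situation the post describes: a well-formed https host that simply is not anyone the shopper has a relationship with, which is exactly why a user cannot tell it from a phishing page by inspection alone. The lookalike and IP cases show why matching on the registrable domain, rather than on a substring of the hostname, is the part of the check that matters.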


20 comments:

Anonymous said...

Your observations are correct, but I think a bit of background insight into what Verified by Visa actually is would help. After Visa got burned by the failure of SET in the late '90s, they (after a few years hiatus) created a SET-alternative called Verified by Visa in which they get others to do the work of designing and implementing the security. So a pile of third party vendors, dollar signs shining in their eyes, come up with enough paperwork to overwhelm Visa's auditors, and in exchange Visa gives them the "Verified by Visa" seal. There isn't any one design corresponding to "Verified by Visa", and in fact each third-party design can be completely different and often not very secure, since it's coming from things like online commerce fulfilment companies or middleware vendors and not security designers.

Gary W. Longsine said...

Thanks for confirming my suspicions. I had some indications about this, due to the interaction of one of these 3rd party suppliers with a web hosting company that is a client of mine. The problems with this program seem to run pretty deep.

Thanks for the feedback. If anyone can point me to any good public sources of information on the background you describe, I would appreciate that.

Caramella Mou said...

Reading on visaeurope.com, the marketing blah only confirms what I thought seems blatantly obvious - to get more money out of the companies that sign up for this.
One of the most attractive parts of online shopping to me is the reduced amount of hassle that comes with going to a shop and dealing with their minimum pay employees. With this Verified by Visa, this is an additional step in the payment process that doesn't give any sense of security. I'm not patient enough to notice differences in design, but get very angry straight away when asked to fill out the same details I just filled in on the previous page.
Another extremely annoying thing is that the concept of joint credit cards has not been taken into account at all. By the word "joint" I understand that there are two identical credit cards tied to the same account. Unfortunately I know of two banks that do not treat the cards as such - instead they treat them as primary and secondary. And here comes the problem with Verified by Visa (and as it turned out, the automated menu answering system of the helpline). Whether or not the primary card finally is forced into joining (despite the implied "on voluntary basis") and registers, the secondary card is also forced to provide the additional identification. But this function is tuned to the primary card, so the response given by Verified by Visa is that the birth date is invalid. The helpline responded that I as a secondary card holder would have to use the details of the holder of the primary card. This doesn't really give the impression of security, on the contrary.
Finally, this function cannot be deactivated at all, and changing to MasterCard will result in the same thing.
A brief search on the Visa web site did not result in any information on opting out of this as a card holder.

Bien said...

We are now looking into implementing Verified by Visa and SecureCode in our website and your post is an eye opener. Thanks. Even if this is a problem with the consumer, merchants like us will implement this since it provides merchants with chargeback protection. Now Visa should make the consumer authentication process secure so people will actually use it.

Alun Jones said...

Visa should _not_ make the authentication page more secure - the issuing bank should make the authentication page more secure.
The issuing banks I use offer a Personal Authentication Message - in other words, they echo a message I've given to them in the past, so that I can be somewhat assured that the authentication page comes from someone authorised by my issuing bank.
Yes, someone could intercept that message (if it wasn't sent through SSL), or read it over my shoulder - but the goal here is to put responsibility for security where it belongs, in the hands of the cardholder and the issuing bank. If they choose not to authenticate one another securely, that should not become the merchant's problem, and in some respects, shouldn't be Visa's problem either.
If your authentication page looks phishy, that means you need to bug your issuing bank to make it less phishy, ideally by including some pre-shared information that allows you to feel comfortable that you are really talking to your issuing bank or their approved representative.
Yeah, Visa could regularly audit authentication pages, but then they could also regularly audit consumers' security practices. It just doesn't seem to make much sense.

Michael from Adelaide said...

I'm really unimpressed with this.

My transaction with Tiger Airways was interrupted by this rubbish a couple of days ago. I think it did a popup. I hate popups. I refused to sign up during this transaction. Who knows what it was or where it came from! I skipped it at the time but the lousy thing said I'd be forced to do it next time.

I rang my bank, they said something like this did exist. I pointed out that I couldn't recognise the URL and thought it was a scam. We had some argument about the dangers of privacy where I said thanks to Australian federal privacy legislation my birth details are now sprayed over hundreds of systems and I've never been more vulnerable to impersonation.

When I eventually went to Visa's own site to sign up (the Australian site didn't seem to let you and there was no contact us link), the process opened a new window with a domain I'd never heard of. Looks very phishy. The only thing that gave me any confidence was that the part where you typed in your card number was padlock verified to usa.visa.com and the subsequent fishy address page where you put in your password had my bank's logo on it.

To add insult to injury, it would not accept an easy to remember 6-letter password including a punctuation mark. No, it had to be between 8 and 16 letters with a number. So now I won't be able to remember it and will have to write it down. I'm sick of not being able to use passwords I can remember. All they need do is make sure it's not in the dictionary. This is a secondary authentication anyway!

Anonymous said...

I have recently been a victim of the Verified by Visa scam. When I attempted to make a purchase from Kay's Jewelers online this authentic looking Verified by Visa webpage came up wanting me to register and actually preventing me from completing my purchase. Out of fear, I closed the window and got out of Kay's website. I called the 1-800 number of Kay's and asked about this. Actually, I asked if I could just order the jewelry on the phone and unfortunately was told no. He assured me that the Verified by Visa registration was legitimate. So believing him, I went back to the Kay's website, ordered the jewelry, registered with the Verified by Visa, and in 3 days I received my jewelry in the mail. Swell, I thought! But one week later, I had $3,000 worth of Arabian airline tickets purchased using my bank check card. After filing a claim with my bank, they have denied it. Why? Because it was a Verified by Visa purchase, accusing me of giving out my password to someone. For those who wonder, my bank is Wells Fargo... but maybe not for long... Needless to say, I have changed some of my behavior patterns and am reading all I can about computer security.

Gary W. Longsine said...

@Anonymous "I have recently been a victim":

Don't give up. Wells Fargo will come around to your way of thinking on this, if you persist. Since you didn't buy tickets on Arabian Airlines, insist that they investigate this further. Wells Fargo should be able to work with the airline to find out the names on the tickets, the dates of travel, etc. Then you can say something like, "I was here in your office, complaining about this, when the ticket says I was in the air on the way to Jordan" (or whatever). They may discover that the tickets were redeemed for cash in a location far from where you live (US based airlines don't do this any more, but overseas airlines might).

Best of luck to you.

G Jiggy said...

This "Verified by Visa" scam has just happened to me. I got the "VBV" pop-up after trying to complete a transaction. What caught me was that next to where my Visa card number was (that was already entered; they needed me to fill in the PIN, CCV, expiration date, etc.) was the notation: "Mastercard Number"(!). At that point I smelled a rat and checked the properties of the Visa logos and got an IP address in the Caribbean. I knew it was a scam at that point and got a screen shot of the pop-up and then bailed on the transaction (that was through iPortis.com). Iportis says that the pop-up had nothing to do with them (ha) and my multiple contacts to Visa and Chase Bank finally got somebody to say that the pop-up was a virus on my machine. I'm locked down pretty tight here and sweeps show nothing so I'm sure that they are clueless. A month or so back I got a pop-up just like this one wanting all the same info only for "Mastercard Secure". I bailed on that one too but wasn't 100% sure it was a scam then. Now I am sure it was.

The way I get it, the legit VBV or Mastercard's deal only asks for a password that you have previously set up with them elsewhere. These pop-ups don't do that, they ask for ALL your personal information for a complete rip.

Beware folks, the Visa and Mastercard people don't really know what is happening or are hiding what they know.

If somebody knows of this being a local virus I need more info as AVG and Spybot show nothing in their sweeps.

Anonymous said...

I too am a victim of a 'Verified by Visa' phisher. I saw a charge on my bank account for $50 to Moneybookers LTD on my account. I researched the company and found that it was a company in London, England that operates like PayPal. I had not interacted with any such company so I disputed the charge. Moneybookers replied that the charge was legitimate because my 'Verified by Visa' pin number was given. My bank is National City and they canceled my CheckCard and are still in the process of disputing the charge. I'm just thankful that I wasn't hit for more and caught the glitch before more charges were made.

Anonymous said...

I have had problems ever since they started the VBV mess!!! Almost every time I do an online transaction with my Visa, I get an email saying that Visa has the transaction on hold and I have to call Visa and straighten it out!!! I am tired of having to call them every time it happens. They said that the reason they put it on hold is because I didn't put my number in when the VBV box came up. But, guess what---THE VBV BOX NEVER CAME UP FOR ME TO PUT MY NUMBER IN!!!
I think it came up once right after I registered with VBV, but it hasn't come up since!!!

Anonymous said...

I wish to add to this discussion something that might add to the VbV argument. Recently Square Enix has issued a statement saying that all players using credit cards as forms of payment for their MMORPG games must verify their cards on Verified by Visa or the MasterCard equivalent. They have also stated that those who do not/cannot run the risk of having their games stopped until the cards are signed into these services. After reading this and various other internet postings on VbV, I wonder why SE came to the conclusion to use their services when such services could be a greater poison than the one we're sick with now.

Diane said...

There's so much wrong with Verified by Visa - and I've experienced several serious issues with it already. One major problem was it not accepting my password. Several complicated phone calls later, messing about on websites to re-register it, and then still having the staff manually alter something to get it to work. Nightmare. Not a good experience for my partner either, who has had his password rejected.
Apparently they don't like "verified by visa is rubbish" as the password either.

Anonymous said...

I just had the 'verified by visa' screen come up for the first time while making an online purchase. I'VE NEVER SEEN ANYTHING LOOK SO MUCH LIKE A PHISHING SCAM!!! I've never heard of this program before, hadn't signed up for it, etc. How can they possibly do this to unsuspecting customers? Instead of filling in extremely sensitive data on a site that randomly popped up, I chose to sign up in another window on verified by visa's website. I then went back to the merchant, and redid the purchase to see if that horrible redirect would happen again (requiring my SSN!) Shockingly, the site then recognized I was signed up for Verified by Visa and then just did a shady redirect that asked for my password. I *still* have no idea if this is legit. Maybe now they have all of my private info + my verified by visa password?

What a terrible job VISA has done setting up this program. I almost hope they lose tons of money with the scams that this program will generate. Hopefully they won't leave their customers liable. :(

Anonymous said...

I just closed the window as it had no opt-out option. After talking to Newegg to make sure my order did go in, they told me I should have had an option to not use "Verified by Visa", and that if I see a window that forces me to sign up again they would like a screen shot of it. It would seem Visa is not playing fair here if you look at the terms about your e-mail and how it would be used; there's money to be made there, the way it's worded. I get too much targeted e-mail as it is, and with 40 user names and passwords I have to maintain in my job I don't need another login for my personal life. Just say no, use your voice and the big red X Windows gave us to close the window. All that happens is Visa calls you the next day asking you if this is a valid purchase, where I gave them an earful on their sign up page.

Anonymous said...

I agree with everyone else about the annoyance of this security measure. My first encounter with it definitely irritated me and worried me about it being a scam. Unlike some other comments here, my vbv screen went to another page but it still had the URL of the online store I was about to buy from with the security logos and everything so that made it more reassuring. Still...being asked for the last 6 numbers of your SSN, your card number and all that stuff is pretty unnerving. I DID see an option on the bottom of the screen to let me NOT use the vbv thing but then I sat there for a few minutes wondering if that would mean I couldn't use my card to make the transaction...which would be annoying because it's the only card I have. I did end up clicking that though because I had no interest whatsoever in typing in my SSN anywhere and it completed the transaction with no problems.

Reading some other comments here I don't think mine was a scam, but I still don't feel safe ever using this verified by visa thing. Bad idea, Visa.

Anonymous said...

I don't know if what happened to me was this, but I did have the Verified by Visa questions pop up on a walmart.com order. Then 2 weeks later I had 2 charges on my debit card totaling $1994.00 to Western Union. If I didn't check my account every day I would have been in worse trouble. I stopped my card & after that Western Union said they tried to use it 15 more times!!!! They also said the culprit knew my dob, last 4 of social & the 3 numbers on back of my card. I believe it was the Verified by Visa because it was so surprising at the time.

Anonymous said...

I ordered some goods, Verified by Visa asked for my date of birth etc. then asked if I would LIKE to change my password now. I declined and the transaction went through. I waited in all day for my delivery, nothing came. When I checked it out with the vendor they said the transaction was cancelled by the credit card company. The vendor should have informed me in advance. Verified by Visa accepted my transaction only to decline it later.

My card company says "the more cardholders that register, the more retailers will sign up to Verified by Visa". I'm morally obliged to not sign up.

dev said...

I was a victim to this "Verified by Visa" overlay after clicking complete order at www.tirerack.com. At the very end I assumed tirerack had another layer of security for authorizing my purchase. I filled in my info and the last two options were to "Activate" or "Do not Activate". Silly me, I filled in my info and clicked "Don't Activate". But this is counterintuitive: to ask you to fill in your CC info and CCV and 4 digit SSN and then just click "Don't Activate". Lo and behold, after clicking "Don't Activate" the web page went blank with the IE circle spinning. I let it go, thinking my internet connection was slow. But that's when I knew my transaction didn't go through.

So in conclusion, when in doubt remove the CC, CCV and SSN and click finish or check out and see if the webpage is still connected to the authenticated server. It should bounce you back and ask for the *required fields. If it does, close the browser and try again. :)