At: ashok.videdot.com/2007/verified-by-visa-fuckwittage

'Verified' by Visa

While using my Halifax Visa card online recently, I bumped into the Verified by Visa programme.

It's a nice idea, in theory, but the implementation I saw was woeful. It was depressingly similar to a phishing attack, warmly assuring me about security by chatting about it in the Web page, while hiding the parts of my browser that can tell me that more sensibly.

Like most geeks, I try to educate my less geeky family and friends about how to behave safely with technology. Things like this make that job harder.


This is how it went:

  1. I'm registering some domains with Joker.
  2. After putting in my payment details, Joker gave me a pop-up window, with no address or status bars, but branded as 'Halifax Secure', and claiming to be terribly secure (in the text of the page), while hiding my browser's mechanisms for telling me that more assuredly. It's asking me to set up an account, or give them my existing credentials.
  3. After some poking about (I'm well past the usual behaviour of a consumer by this point) I saw that the site serving the pop-up was www.securesuite.co.uk, over HTTPS, with a valid certificate from Verisign.
  4. At this point, I really expect that something funny is going on. However, further poking about turned up this Halifax page (on their non-secure site) linking to a securesuite.co.uk page.
  5. So I carry on, roughly believing that the Halifax page is genuine (although I've no maths to back that up) and by supplying no more secrets than I had already given to Joker, create a username and password on this new wacky site. I get my domains, but I don't feel like they've ever 'verified' me.

Things they ought to fix:

It's good that I've got this VbV account now, and that ought to make it harder for a fraudster impersonating me in future. However, I'd rather they asked me for the details when I next logged in to my online banking, where I could know what the devil was going on.

Until you first bump into it, you're more at risk. If the first person to try to spend money through a VbV merchant with your card is the fraudster, then it's especially crap: they can enrol the card themselves, using only the details they have already stolen, and choose the password. Also, if I were evil I imagine it'd be pretty straightforward to phish someone's VbV details anyway, since the noddy consumer has now been taught to expect verification by the graphics in the page, not by the mathematics their browser is doing for them.
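The point about graphics versus the browser's own checks, as an added example that is not code from this post, from Halifax, from Visa or from securesuite.co.uk: a Node.js script that applies the one check an address bar would have let the user make, namely what scheme and hostname the pop-up was actually fetched from, to a handful of constructed URLs. The allowlist (securesuite.co.uk and its sub-domains, since that is the host the pop-up turned out to come from) and the sample URLs are assumptions for illustration; the phishing shapes are the ones a look-alike page could use while rendering identically inside a chromeless window.

```javascript
// Added example, not code from the post or from any of the companies it names.
// Node.js >= 10 (WHATWG URL is a global). Decides whether a 3-D Secure pop-up's
// real origin is one the user has independently confirmed, which is exactly
// the check the missing address bar stops the user making by eye.

// Assumed allowlist for illustration: the post found the pop-up actually served
// from www.securesuite.co.uk, so that domain and its sub-domains are trusted.
const TRUSTED_VERIFICATION_HOSTS = ['securesuite.co.uk'];

// Exact match or a sub-domain. The leading dot is what stops
// "evilsecuresuite.co.uk" from matching "securesuite.co.uk".
function isTrustedHost(hostname) {
  return TRUSTED_VERIFICATION_HOSTS.some(
    (trusted) => hostname === trusted || hostname.endsWith('.' + trusted)
  );
}

// Returns { ok, reason, host }. `host` is what a browser address bar would show:
// the parsed, lower-cased, IDNA-encoded hostname, the one thing on screen that
// the party serving the page does not get to choose for you.
function classifyPopupOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL', host: null };
  }
  const host = url.hostname; // already lower-cased and punycode-encoded by the parser
  if (url.protocol !== 'https:') {
    // Plain http (or javascript:, data:, ...) means no certificate was checked at all.
    return { ok: false, reason: 'not HTTPS: ' + url.protocol, host };
  }
  if (url.username !== '' || url.password !== '') {
    // "https://www.securesuite.co.uk@evil.example/" puts the trusted name in the
    // userinfo part; the browser connects to evil.example.
    return { ok: false, reason: 'userinfo before host', host };
  }
  if ((host.startsWith('xn--') || host.includes('.xn--')) && !isTrustedHost(host)) {
    // Internationalised hostname, e.g. a Cyrillic letter dropped into "securesuite".
    return { ok: false, reason: 'IDN look-alike host', host };
  }
  if (!isTrustedHost(host)) {
    return { ok: false, reason: 'host not on allowlist', host };
  }
  return { ok: true, reason: 'trusted verification host', host };
}

// Constructed sample URLs: the first is the genuine shape from the post, the rest
// are phishing shapes that would look identical in a pop-up with no address bar.
const SAMPLE_POPUP_URLS = [
  'https://www.securesuite.co.uk/halifax/enrol',
  'http://www.securesuite.co.uk/halifax/enrol',
  'https://www.securesuite.co.uk@evil.example/enrol',
  'https://www.securesuite.co.uk.evil.example/enrol',
  'https://evilsecuresuite.co.uk/enrol',
  'https://www.sеcuresuite.co.uk/enrol', // second letter is Cyrillic е (U+0435)
  'javascript:void(0)',
];

// Classify every sample URL and return the verdicts in order.
function reportAll(urls) {
  return urls.map((u) => ({ url: u, ...classifyPopupOrigin(u) }));
}

for (const r of reportAll(SAMPLE_POPUP_URLS)) {
  console.log((r.ok ? 'TRUST ' : 'REJECT') + ' ' + r.url +
    '  [' + r.reason + '; host=' + r.host + ']');
}
```

Only the first URL survives; each of the others is rejected for the reason a browser's own chrome would have exposed, which is the information the chromeless pop-up throws away.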

Update at 22:51 BST, 21st April 2007.

An article in today's Guardian has more on the confusion caused to users of the scheme.

Speaking to the head of the scheme, Jon Varco, the paper reports:

He says that there have been no phishing attacks copying the VbV process, although he admitted that some such emails have been circulating.

Not quite sure how that's possible. Surely once the emails are circulating, that's evidence of attempted phishing attacks. Now he might be claiming there have been no successful phishing attacks. Given the excellent job Visa have done preparing the ground for the phishers, that's surely just a matter of time.

Tagged: Rants, Business, Fuckwittage, Security, Technology, Web

Posted at 16:22 BST, 31st March 2007.

4 Comments

Dan Argent on 9th April 2007

Grr

Same thing happened to me.

Googling for what VbV is turned up this page :-|!

Anyway, it made me angry and wary. Why was I singled out for this crazy verification system?

ubuntufanboy on 13th June 2007

It's a seriously BAD and stupid idea.

What's to stop phishers setting up fake "verified by visa" pages and thereby grabbing users' PIN numbers?

James on 26th July 2007

Same thing with Mastercard's variant, and they too seem to use securesuite.co.uk, a company that I've hitherto been totally unaware of.

I just clicked on 'no thanks', to avoid the registration, and carried on as normal.

It is indeed a foolish system.

Some Nobody on 6th December 2007

It's unbelievable. What a lousy way to establish 'trust'. A UK domain registered to a US firm, with nothing to verify that the bank endorses it. Why would I want my personal data to be held in America? And if I disagree, I can click the 'no thanks' button (at least, three times before they stop me using online services). Great.
