Friday, October 30, 2009

Verified by Visa

I have considered for a while writing up my thoughts on Verified by Visa; in fact I have started and thrown away several blog posts. So here goes what I hope will be my last attempt.

Verified by Visa is a "new" scheme introduced by Visa to help combat internet credit card fraud. The system is "voluntary" although many banks are forcing their customers to enrol. The scheme essentially works like this:

  1. You enter your details onto a website to make a purchase.
  2. The website either redirects you to a website owned by your bank, or it does an include of the bank's website (an iframe inside the retailer's page). In the second case the content is generated by the bank but looks like part of the retailer's website, and you cannot see the bank's certificate information.
  3. The new website presents some secret information you have previously agreed with your bank, to identify itself to you.
  4. You enter a "password" you previously agreed to use.
  5. You are redirected back to the retailer and the transaction goes through.
So having seen this program I had to ask myself "what problem is it trying to solve?". It took me a while to come up with an answer, and it is a little underwhelming. It "solves" the problem of you losing your card and someone picking it up in the street and using it online; it also solves the problem of someone copying down the information on your card. These people will not have access to your password (assuming you did not choose "password1").

As far as I can tell so far it does not help alleviate the problems of unscrupulous retailers or man-in-the-middle attacks.
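The five-step flow above, together with the two claims about what it does and does not stop, as an added toy model in Python. This is illustration written for this page, not Visa's, any bank's, or the post's own code: the class names, message fields and the `bank.example`, `shop.example` and `evil.example` origins are assumptions, and the card number, phrase and password are constructed test data. It shows that a finder of the card fails the password check, while a rogue site that simply relays the genuine bank page passes the cardholder's only check (the secret phrase) and walks away with the password.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the bank stores a digest rather than the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Bank:
    """The card issuer's authentication server (origin name is an assumption)."""
    origin: str = "bank.example"
    enrolled: dict = field(default_factory=dict)   # card -> (phrase, salt, digest)
    pending: dict = field(default_factory=dict)    # challenge id -> card

    def enrol(self, card: str, phrase: str, password: str) -> None:
        salt = os.urandom(16)
        self.enrolled[card] = (phrase, salt, _hash_password(password, salt))

    def start_challenge(self, card: str):
        # Step 3: the bank generates the page carrying the cardholder's secret phrase.
        if card not in self.enrolled:
            return None
        cid = secrets.token_hex(8)
        self.pending[cid] = card
        return {"challenge_id": cid, "phrase": self.enrolled[card][0]}

    def verify(self, cid: str, password: str) -> bool:
        # Step 4: the typed password is checked against the enrolled digest.
        card = self.pending.pop(cid, None)
        if card is None:
            return False
        _, salt, digest = self.enrolled[card]
        return hmac.compare_digest(_hash_password(password, salt), digest)


@dataclass
class Merchant:
    """A retailer; mode is 'redirect' (step 2, first form) or 'include' (iframe)."""
    origin: str
    bank: Bank
    mode: str = "redirect"

    def checkout(self, card: str, browser) -> str:
        # Steps 1-5. `browser` stands in for the cardholder's browser: it is handed
        # the phrase the bank generated and the origin the address bar shows, and
        # returns whatever the cardholder types.
        challenge = self.bank.start_challenge(card)
        if challenge is None:
            return "declined"
        shown_origin = self.bank.origin if self.mode == "redirect" else self.origin
        typed = browser(challenge["phrase"], shown_origin)
        ok = self.bank.verify(challenge["challenge_id"], typed)
        return "approved" if ok else "declined"


@dataclass
class Cardholder:
    card: str
    phrase: str
    password: str

    def browser(self, phrase_shown: str, origin_shown: str) -> str:
        # What the scheme asks of the cardholder: type the password only if the
        # secret phrase is the one agreed with the bank. In include mode the
        # origin shown is the retailer's, so it adds no assurance and is ignored.
        return self.password if phrase_shown == self.phrase else ""


def setup():
    bank = Bank()
    alice = Cardholder("4111111111111111", "green teapot", "correct horse")  # constructed
    bank.enrol(alice.card, alice.phrase, alice.password)
    shop = Merchant("shop.example", bank, mode="include")
    return bank, alice, shop


def honest_purchase() -> str:
    _, alice, shop = setup()
    return shop.checkout(alice.card, alice.browser)


def lost_card_purchase() -> str:
    # The case the post says the scheme solves: the finder has the card number
    # but not the password, and a guess fails.
    _, alice, shop = setup()
    return shop.checkout(alice.card, lambda phrase, origin: "password1")


def relayed_purchase():
    # The case it does not solve: a rogue site sits between Alice and the real
    # shop. It collects her card details (step 1), starts a checkout at the real
    # shop, relays the genuine bank page (so the phrase matches) and keeps the
    # password she types. The purchase is approved and the attacker holds her password.
    _, alice, shop = setup()
    captured = {}

    def relay(phrase_shown, _origin_shown):
        typed = alice.browser(phrase_shown, "evil.example")
        captured["password"] = typed
        return typed

    return shop.checkout(alice.card, relay), captured.get("password") == alice.password
```

The model deliberately gives the cardholder exactly the check the scheme offers (the secret phrase) and nothing else; because the phrase is generated by the real bank and relayed unchanged, it cannot distinguish a genuine retailer from one that is proxying the flow, which is the limitation the post describes.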

Although I describe the problem being solved as underwhelming, I would still, in theory, use it: defence in depth is important, and it is an extra layer in the defence.

In a future post I will explain why I refuse to use Verified by Visa as implemented by my bank.
