I have considered writing up my thoughts on Verified by Visa for a while; in fact, I have started and thrown away several blog posts. So here goes what I hope will be my last attempt.
Verified by Visa is a "new" scheme introduced by Visa to help combat internet credit card fraud. The system is "voluntary" although many banks are forcing their customers to enrol. The scheme essentially works like this:
- You enter your details onto a website to make a purchase.
- The website either redirects you to a website owned by your bank, or it includes a page from your bank's website. The include is generated by the bank but looks like part of the retailer's website, and you cannot see the bank's certificate information.
- The new website presents some secret information you have previously agreed with your bank, to identify itself to you.
- You enter a "password" you previously agreed to use.
- You are redirected back to the retailer and the transaction goes through.
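
The "include" case from the second step, as an added example (not code from the original post): a small Python audit that lists the framed documents on a checkout page whose origin differs from the page in the address bar, which is where the browser shows the retailer's certificate rather than the bank's. The hosts and HTML below are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a retailer checkout page that embeds the bank's
# password page in a frame (hypothetical hosts, not real endpoints).
CHECKOUT_URL = "https://shop.example.com/checkout"
CHECKOUT_HTML = """
<html><body>
  <iframe src="/basket-summary"></iframe>
  <iframe src="https://acs.bank.example.net/auth"></iframe>
  <iframe src="http://acs.bank.example.net/auth"></iframe>
</body></html>
"""

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)

class FrameCollector(HTMLParser):
    """Collects the src of every <iframe> and <frame> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_frames(page_url, html):
    """List framed documents whose origin differs from the page the user sees."""
    collector = FrameCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        frame_url = urljoin(page_url, src)  # resolve relative src values
        if origin(frame_url) != origin(page_url):
            parts = urlsplit(frame_url)
            findings.append({"frame_url": frame_url,
                             "frame_host": parts.hostname,
                             "frame_is_https": parts.scheme == "https"})
    return findings

if __name__ == "__main__":
    for finding in audit_frames(CHECKOUT_URL, CHECKOUT_HTML):
        print(finding)
```

Each finding is a document the user is asked to trust without being able to inspect its certificate from the address bar; a frame that is not HTTPS has no certificate to inspect at all.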
As far as I can tell so far, it does not help alleviate the problems of unscrupulous retailers or man-in-the-middle attacks.
Although I describe the problem being solved as underwhelming, I would still, in theory, use it: defence in depth is important, and it is an extra layer in the defence.
In a future post I will explain why I refuse to use Verified by Visa as implemented by my bank.