Wednesday, 24 February 2016

Verified by visa - So bad, it's criminal

So, most of you have probably seem Verified by Visa or MasterCard secure or whatever it's called. You make a payment on your credit card and the site redirects you (or sometimes iFrames) a small dialog that asks you for a password. This is to secure your transaction against fraudulent use.

The ONLY thing that is correct is that by asking for something that a wallet thief won't know, you are less likely to have people buying stuff with your card online.

Everything else is rubbish and is doing a massive disservice to the end user, the merchant and the web security industry. Here are some of the problems:


  1. Verified by Visa doesn't seem to be a real company, more of a collaboration without any accountability. If there is an error with the system, who should you call? Your merchant? (can't help you), your bank? (can't help you), Verified by Visa? Sounds right but good luck getting hold of someone. I emailed them once and got an automatic reply about VbV did and no response at all about my complaint. Does everyone get the auto-reply and that's it or did somebody read the complaint and not be bothered to reply?
  2. Why on earth are companies allowed to iFrame payment providers? We've had the web commonly available for about 20 years and people still don't seem to know that it is easy to copy and paste HTML code and make a fake page. One of the best mitigations is the URL bar, especially with an EV https certificate but you don't see that in an iframe. Am I typing my password into a VbV window or just some hacker capturing passwords? No idea.
  3. There should always be a way of connecting into the organisation behind the technology. If I have a problem with a merchant, I call or email them and they help me with the problem but if I have a problem with VbV there is nowhere to properly query or complain and worse than that, I can't just go somewhere else, like I can if I don't like a merchant, it is part of my credit card process and unavoidable. How much money have merchants lost due to this debacle?
  4. There is no competition. A merchant cannot just say they don't want it because it's rubbish otherwise they incur higher transaction charges and potentially more charge-backs for fraud. They can't even say that they don't like VbV and want to use Acme Secure instead because the banks (or credit agencies) dictate what you have to do.
  5. I got a message on VbV because something failed, it gave me a phone number to call if I wasn't called back in 5 minutes (I wasn't!), but the timeout for the transaction caused the page to reload and I then lost the number so I had to attempt payment again to get the number, which was wrong (out of date). I called up the number had to enter my FULL CARD DETAILS on the phone (I mean, honestly?). Is that even legal? After that, the guy on the phone, who I guess works for my bank and picks up the calls because of my card number then asks for my card number again because it doesn't come through.
  6. Try resetting your password and it asks you for information from your wallet! Well done VbV, you must have written the procedure when you were in nursery school.
  7. Many companies, like mine, are burdened with PCI audits and the usual expense and hassle of proving your system is secure, yet VbV somehow gets their software through the audit without so much as a question as to its suitability.
  8. Try using it in Opera (at least I think that was the variable). You get an error due to iframe policy of SAME_ORIGIN but that isn't picked up by the user interface, it just sits there forever with that stupid animated gif that means nothing and you only see the error in the developer console or if the page eventually times out. Try passing that information on to your bank or merchant. Good luck with the response.
I mean, honestly, it is the smallest piece of functionality ever and its complete insecure, unaccountable crap. Visa and Mastercard, how about you do something useful with all that obscene amount of money you make each year for basically piggy-backing off the internet and software that you could probably rewrite in 10 minutes and make something that demonstrates good security practice, good UX practice and perhaps you could pretend that you at least partially care about the awful user experience that accompanies so many online payments!
Post a Comment