Is it worth going for Verified By Visa?
I mean is it safer for me in case my card details get leaked by some web trader?
But I've heard a few grumbles about it.
What opinions are there?
As operated in the UK it is fundamentally flawed. It is vulnerable to man-in-the-middle attacks, which means that your rogue retailer can easily get your password. The payment processors actually operate it in a way that equates to a man-in-the-middle attack, in that they get the challenge phrase from Cyota (who actually run this and the MasterCard equivalent) and then present it as part of their web page. You basically have to trust them to actually submit the form data to Cyota, rather than also relaying that back.
So, your challenge phrase is nearly always compromised by UK payment services and you need to have a good understanding of HTML and JavaScript if you want to be sure that the password won't also be compromised.
For it to stand a chance of being secure, the challenge would have to be in a separate window, secured against your bank's SSL certificate, and you would have to check that certificate. The challenge phrase is never of any value, except if it is actually wrong.
It is about signing away your rights to make chargebacks, not about protecting you from rogue retailers. I believe that PayPal has a better system in that respect, and I suspect their latest advertising campaign might be based on increasing public knowledge of the flaws in 3D secure.
I think you'll find you *HAVE* to sign up for it. There is no way around it online; the only way is if you phone the online store up and place the order that way, but it is more of a risk.
I have it with my debit card and credit cards and had no problems at all.
Well you can often enter completely the wrong VbV password and still get successful sales, so that's always an option...
Jim.
I've put the wrong password in and it asks me to reset it before I make the sale.
If by that you mean "Does it give me any extra protection as a consumer" then the answer is "no".
I find it a complete PITA. I've given up using any card that requires it and rely on Amex for online purchases.
Tony
I recently purchased an item on-line and seemed to have managed to cancel the VBV screen yet still succeed with the purchase.
It makes it somewhat harder for someone else to fraudulently use your card details.
It makes it considerably harder for you to get your money back if they do.
Mark
Precisely! It's there to protect the credit card company, *not* the card holder!
No
It is safer for the bank as it makes it easier for them to deny a refund of any payment.
It is not at all safe for you as there is no easy way to determine whether or not the Verified by Visa iframe is a real one or a fake one.
That's the biggest problem. The Verified by Visa window has all the hallmarks of a phishing site.
Along with the information you give when purchasing something, the extra information requested during verification makes your details less secure. Too much related information has to be given in one transaction.
I seem to remember one retailer posting to this forum, around a year ago, asking why so many sales were abandoned every time they turned on the "extra" card security.
Alan :
Another problem is that if you have more than one cardholder they share the same password. I don't think that's very clever. I have two joint bank accounts and neither of them requires you to share a password.
I did it yesterday with a 900 purchase. All went through OK used my password and the purchase was confirmed. Did the order at am and by am I received a call from the supplier saying my card had failed.
It contains a phrase that you put in when you set it up.
In article , Mike Barnes writes
The MasterCard equivalent allows different profiles for each cardholder, each with a different password. When verifying a transaction the user can choose the profile from a pulldown box. Don't know if VbV can do this.
"Phil Stovell" wrote
How do you think that helps?
Because if it was faked from a phishing site they wouldn't know your phrase.
"Phil Stovell" wrote
How do you know the phisher isn't "man-in-the-middle"? [Eg see David Woolley's post 14/12/2009 23:31.]
Yes, OK.
Cash under the bed it is.
And the phishing site would ask for the phrase and password!
Match that up with the card number, expiry date, security number, name, address and date of birth that you have entered previously on the retailer's site, which has been hacked, and I'm sure that you feel a lot more secure.