Verified by Visa - is this optional???????

I spend ££££52 gazillion per year on web - Never really had problem
Of late Debit/Credit cards having been trying to persuade me to sign up for
some extra online security feature that will basically shorten my life by one hour everytime i buy something
So far there has been a box saying "not at this time" - which i click, finish my purchase and carry on with my otherwise pedestrian life
Just tried to buy game from Tesco, and after spending 3 weeks creating new account and entering all my card details, etc, yaaaaaaaaaawn! i tried to checkout and was greeted with:
"Authentication Required For Purchase" "Your card can be registered now for Verified by Visa - a new, free security service to help prevent unauthorised use of this card when shopping online. It is required for this purchase, which cannot be made without it."
"Complete the form below [...and die of boredom]"
Although the operative word is still in use here "card ****CAN*** be registered"
It wont let me complete the purchase without completing the form - so in fact they mean "card ****MUST*** be registered"
Slip of the tongue maybe - hope someone slips a mallet into the head of the poster of this big brother message
Question: Is online verification now compulsory or still supposedly optional?????????
P.S. Oh yeah - cancelled the purchase and bought game from play.com instead
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Mark Opolo wrote:

And not even the full password!
--
Kev


Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On Sat, 19 Jun 2010 15:50:05 +0100, "Ret." <xxx> wrote:

And if you get it wrong three times in a row they just ask you to supply a new one. The only security information they require is stuff on your card plus your date of birth (which is all they ask for in the first place).
So anyone who has stolen (or even just got a good look at) your card and knows your birthday and how old you are can sign themselves up for it and make purchases in your name.
As a security measure against fraud it's pathetic.
--
Max Demian

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload


I'm asked so rarely I've forgotten it,
so then I have to go through the rigmarole of resetting it.
A right PITA
Of course, I could write it down :-(
tim
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload


ABCDEFG...:-)
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 6/19/2010 3:23 PM, Chris K wrote:

No. It's 'optional' on my site, but I have to pay a monthly fee to the merchant for that privilege - I figured I'd be better off not losing the sales...

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Maria wrote:

I think the situation is that the 3D Secure operators will only give you a limited number of attempts to register before they will refuse to authorise, but the merchant always has the discretion to accept the transaction, even if 3D Secure is rejected by the customer.
Some have chosen not to use it at all, but others think the risk of having to fund the cost of fraud is too high.
If it had been implemented competently, I would have welcomed it, as it would have limited my liability to the value of one transaction, when dealing with a suspect trader (e.g. overseas). However, as implemented, it is simply a get out of debt free card for the banks.
Currently PayPal solves the problem of limiting risk to one transaction, but, apparently, their terms for merchants, particularly the time to payment, discourage a lot of merchants from using them.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Chris K wrote:

I believe you are only allowed to defer three (two?) times.
Please be careful with 3D Secure services, like this. Neither the banks nor the merchants seem to understand how to operate them securely.
Firstly, ignore the confirmation phrase that you supply, unless it really is wrong. It is a trivial man in the middle attack to obtain this. Next check that the frame or page really is coming from your bank.
On the second point, there are two problems. Firstly some banks use the US company, who operate the service's, domain name on the form page. As it is unlikely that your bank has told you this over a secure channel, and unlikely that their first line support people will understand the problem, you are on your own in ensuring that the source of the page really is trustworthy in relation to your bank.
The second problem is that some organisations, including, at least an one time, British Gas, and a major card processing service, really do go man in the middle, and send the form from their site. Unless you are an expert in HTML and Javascript, it will be difficult to be sure that what you submit has gone directly to your bank, and certain that someone other than your bank has had access to the confirmation phrase. You cannot rely on the fact that your browser says the form will submit directly to the bank, as this can be changed by scripting, after you press the script button.
Even where they don't embed the form in their own page, they will often try to obscure its origins using IFRAME, making checking a hassle.
My policy is that, if I am unable to verify that the form has come directly from the bank, or their known 3D Secure agents, I will either abort the transaction, or change the password, immediately after the transaction.
I believe the card processing service I mentioned, now does things properly.
Retailers tend to be held responsible for chargebacks if 3D Secure is not in effect, and customers tend not to be able to make them if it is in effect.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On Sat, 19 Jun 2010 15:47:40 +0100,

I have this problem - I have no idea where the problem lies but it's related to my card(s) because it happens to me on multiple different browsers on different machines and yet my girlfriend using my login at home managed to buy using her card without a problem.
But, I've found that provided you disable Javascript just before you "buy" then the VbV stuff does seem to work. GNER/National Express/East Coast has had this problem for ages - and now I've found that Ocado has the same problem.
It has also been carefully engineered to be indistinguishable from a phishing attack. In fact, I think the reason Ocado fails is because Firefox/NoScript blocks some of the Javascript thinking it's a cross site scripting attack. (I've only ordered from Ocado once, next time I'll watch more closely to see what happens)
Tim.
--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.
  Click to see the full signature.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Chris K wrote:

What the fuck are you on about?
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Just told you donkey
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Chris K wrote:

Depends on the internet retailer; some use it, some don't. I don't see any problem with extra security.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
johannes wrote:

As implemented, it doesn't add security, but does give the banks an excuse to reject claims that your card was used fraudulently. It could be secure, if they taught people how to use the security in their browsers properly and insisted that the form be served, unframed, directly from a site with an SSL certificate for the bank. However merchants like to present a seamless interface, where their payment agents and banks don't appear overtly.
The confirmation phrase is snake oil. Anyone with your basic card details can get it.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

One-off dynamic card numbers would do away with the whole thing?
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
wrote:

any

Exactly.

I could not agree more. In one case I only needed my birthday in addition to my card number to set a new VbV password.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
S wrote:

The popular use of DOB by many banks is REALLY stupid. Anyone determined can find out.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 6/19/2010 4:23 PM, johannes wrote:

It was optional to retailers at no cost until a few months ago - now it's only optional if the retailer pays extra monthly fee to the merchant bank. I guess that sooner or later it won't be optional at all.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Great - so long as I steer clear of Tesco in future i wont get harassed - shame - i have used them loads times before and they'r getting competitive - oh hum
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 6/19/2010 10:44 PM, Chris K wrote:

It will be compulsory for everyone soooner or later.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

BeanSmart.com is a site by and for consumers of financial services and advice. We are not affiliated with any of the banks, financial services or software manufacturers discussed here. All logos and trade names are the property of their respective owners.

Tax and financial advice you come across on this site is freely given by your peers and professionals on their own time and out of the kindness of their hearts. We can guarantee neither accuracy of such advice nor its applicability for your situation. Simply put, you are fully responsible for the results of using information from this site in real life situations.