Verified by Visa - is this optional???????

I use Verification on my MasterCard and it adds 10 seconds to a purchase...........you just have to enter a password.

No. It's 'optional' on my site, but I have to pay a monthly fee to the merchant for that privilege - I figured I'd be better off not losing the sales...

I believe you are only allowed to defer three (two?) times.

Please be careful with 3D Secure services, like this. Neither the banks nor the merchants seem to understand how to operate them securely.

Firstly, ignore the confirmation phrase that you supply, unless it really is wrong. It is a trivial man in the middle attack to obtain this. Next check that the frame or page really is coming from your bank.

On the second point, there are two problems. Firstly some banks use the US company, who operate the service's, domain name on the form page. As it is unlikely that your bank has told you this over a secure channel, and unlikely that their first line support people will understand the problem, you are on your own in ensuring that the source of the page really is trustworthy in relation to your bank.

The second problem is that some organisations, including, at least an one time, British Gas, and a major card processing service, really do go man in the middle, and send the form from their site. Unless you are an expert in HTML and Javascript, it will be difficult to be sure that what you submit has gone directly to your bank, and certain that someone other than your bank has had access to the confirmation phrase. You cannot rely on the fact that your browser says the form will submit directly to the bank, as this can be changed by scripting, after you press the script button.

Even where they don't embed the form in their own page, they will often try to obscure its origins using IFRAME, making checking a hassle.

My policy is that, if I am unable to verify that the form has come directly from the bank, or their known 3D Secure agents, I will either abort the transaction, or change the password, immediately after the transaction.

I believe the card processing service I mentioned, now does things properly.

Retailers tend to be held responsible for chargebacks if 3D Secure is not in effect, and customers tend not to be able to make them if it is in effect.

And not even the full password!

What the f*ck are you on about?

I'm asked so rarely I've forgotten it,

so then I have to go through the rigmarole of resetting it.

A right PITA

Of course, I could write it down :-(

tim

Depends on the internet retailer; some use it, some don't. I don't see any problem with extra security.

I think the situation is that the 3D Secure operators will only give you a limited number of attempts to register before they will refuse to authorise, but the merchant always has the discretion to accept the transaction, even if 3D Secure is rejected by the customer.

Some have chosen not to use it at all, but others think the risk of having to fund the cost of fraud is too high.

If it had been implemented competently, I would have welcomed it, as it would have limited my liability to the value of one transaction, when dealing with a suspect trader (e.g. overseas). However, as implemented, it is simply a get out of debt free card for the banks.

Currently PayPal solves the problem of limiting risk to one transaction, but, apparently, their terms for merchants, particularly the time to payment, discourage a lot of merchants from using them.

As implemented, it doesn't add security, but does give the banks an excuse to reject claims that your card was used fraudulently. It could be secure, if they taught people how to use the security in their browsers properly and insisted that the form be served, unframed, directly from a site with an SSL certificate for the bank. However merchants like to present a seamless interface, where their payment agents and banks don't appear overtly.

The confirmation phrase is snake oil. Anyone with your basic card details can get it.

It was optional to retailers at no cost until a few months ago - now it's only optional if the retailer pays extra monthly fee to the merchant bank. I guess that sooner or later it won't be optional at all.

One-off dynamic card numbers would do away with the whole thing?

ABCDEFG...:-)

Exactly.

I could not agree more. In one case I only needed my birthday in addition to my card number to set a new VbV password.

I have this problem - I have no idea where the problem lies but it's related to my card(s) because it happens to me on multiple different browsers on different machines and yet my girlfriend using my login at home managed to buy using her card without a problem.

But, I've found that provided you disable Javascript just before you "buy" then the VbV stuff does seem to work. GNER/National Express/East Coast has had this problem for ages - and now I've found that Ocado has the same problem.

It has also been carefully engineered to be indistinguishable from a phishing attack. In fact, I think the reason Ocado fails is because Firefox/NoScript blocks some of the Javascript thinking it's a cross site scripting attack. (I've only ordered from Ocado once, next time I'll watch more closely to see what happens)

Tim.

Card issuers can turn it off. It's possible to have a card that skips the VbV/3DS step (the browser might bounce you to the VbV site, but it'll bounce straight back again to the website you were paying).

Theo

Just told you donkey

Great - so long as I steer clear of Tesco in future i wont get harassed - shame - i have used them loads times before and they'r getting competitive - oh hum

And if you get it wrong three times in a row they just ask you to supply a new one. The only security information they require is stuff on your card plus your date of birth (which is all they ask for in the first place).

So anyone who has stolen (or even just got a good look at) your card and knows your birthday and how old you are can sign themselves up for it and make purchases in your name.

As a security measure against fraud it's pathetic.

In message , johannes wrote

But it's not "extra" security for you. After giving all your details to a retailer a Verified by Visa phising page comes up asking for more details.