Verified by Visa - is this optional???????

I spend ££££52 gazillion per year on web - Never really had problem
Of late Debit/Credit cards having been trying to persuade me to sign up for
some extra online security feature that will basically shorten my life by
one hour everytime i buy something
So far there has been a box saying "not at this time" - which i click,
finish my purchase and carry on with my otherwise pedestrian life
Just tried to buy game from Tesco, and after spending 3 weeks creating new
account and entering all my card details, etc, yaaaaaaaaaawn! i tried to
checkout and was greeted with:
"Authentication Required For Purchase"
"Your card can be registered now for Verified by Visa - a new, free security
service to help prevent unauthorised use of this card when shopping online.
It is required for this purchase, which cannot be made without it."
"Complete the form below [...and die of boredom]"
Although the operative word is still in use here "card ****CAN***
be registered"
It wont let me complete the purchase without completing the form - so in
fact they mean "card *
***MUST*** be registered"
Slip of the tongue maybe - hope someone slips a mallet into the head of the
poster of this big brother message
Question: Is online verification now compulsory or still supposedly
P.S. Oh yeah - cancelled the purchase and bought game from instead

Reply to
Chris K
I use Verification on my MasterCard and it adds 10 seconds to a just have to enter a password.
Reply to
Mark Opolo
No. It's 'optional' on my site, but I have to pay a monthly fee to the merchant for that privilege - I figured I'd be better off not losing the sales...
Reply to
I believe you are only allowed to defer three (two?) times.
Please be careful with 3D Secure services, like this. Neither the banks nor the merchants seem to understand how to operate them securely.
Firstly, ignore the confirmation phrase that you supply, unless it really is wrong. It is a trivial man in the middle attack to obtain this. Next check that the frame or page really is coming from your bank.
On the second point, there are two problems. Firstly some banks use the US company, who operate the service's, domain name on the form page. As it is unlikely that your bank has told you this over a secure channel, and unlikely that their first line support people will understand the problem, you are on your own in ensuring that the source of the page really is trustworthy in relation to your bank.
The second problem is that some organisations, including, at least an one time, British Gas, and a major card processing service, really do go man in the middle, and send the form from their site. Unless you are an expert in HTML and Javascript, it will be difficult to be sure that what you submit has gone directly to your bank, and certain that someone other than your bank has had access to the confirmation phrase. You cannot rely on the fact that your browser says the form will submit directly to the bank, as this can be changed by scripting, after you press the script button.
Even where they don't embed the form in their own page, they will often try to obscure its origins using IFRAME, making checking a hassle.
My policy is that, if I am unable to verify that the form has come directly from the bank, or their known 3D Secure agents, I will either abort the transaction, or change the password, immediately after the transaction.
I believe the card processing service I mentioned, now does things properly.
Retailers tend to be held responsible for chargebacks if 3D Secure is not in effect, and customers tend not to be able to make them if it is in effect.
Reply to
David Woolley
I'm asked so rarely I've forgotten it,
so then I have to go through the rigmarole of resetting it.
A right PITA
Of course, I could write it down :-(
Reply to
Depends on the internet retailer; some use it, some don't. I don't see any problem with extra security.
Reply to
I think the situation is that the 3D Secure operators will only give you a limited number of attempts to register before they will refuse to authorise, but the merchant always has the discretion to accept the transaction, even if 3D Secure is rejected by the customer.
Some have chosen not to use it at all, but others think the risk of having to fund the cost of fraud is too high.
If it had been implemented competently, I would have welcomed it, as it would have limited my liability to the value of one transaction, when dealing with a suspect trader (e.g. overseas). However, as implemented, it is simply a get out of debt free card for the banks.
Currently PayPal solves the problem of limiting risk to one transaction, but, apparently, their terms for merchants, particularly the time to payment, discourage a lot of merchants from using them.
Reply to
David Woolley
As implemented, it doesn't add security, but does give the banks an excuse to reject claims that your card was used fraudulently. It could be secure, if they taught people how to use the security in their browsers properly and insisted that the form be served, unframed, directly from a site with an SSL certificate for the bank. However merchants like to present a seamless interface, where their payment agents and banks don't appear overtly.
The confirmation phrase is snake oil. Anyone with your basic card details can get it.
Reply to
David Woolley
It was optional to retailers at no cost until a few months ago - now it's only optional if the retailer pays extra monthly fee to the merchant bank. I guess that sooner or later it won't be optional at all.
Reply to
On Jun 19, 4:33 pm, David Woolley wrote:
I could not agree more. In one case I only needed my birthday in addition to my card number to set a new VbV password.
Reply to
On Sat, 19 Jun 2010 15:47:40 +0100,
I have this problem - I have no idea where the problem lies but it's related to my card(s) because it happens to me on multiple different browsers on different machines and yet my girlfriend using my login at home managed to buy using her card without a problem.
But, I've found that provided you disable Javascript just before you "buy" then the VbV stuff does seem to work. GNER/National Express/East Coast has had this problem for ages - and now I've found that Ocado has the same problem.
It has also been carefully engineered to be indistinguishable from a phishing attack. In fact, I think the reason Ocado fails is because Firefox/NoScript blocks some of the Javascript thinking it's a cross site scripting attack. (I've only ordered from Ocado once, next time I'll watch more closely to see what happens)
Reply to
Tim Woodall
Card issuers can turn it off. It's possible to have a card that skips the VbV/3DS step (the browser might bounce you to the VbV site, but it'll bounce straight back again to the website you were paying).
Reply to
Theo Markettos
Great - so long as I steer clear of Tesco in future i wont get harassed - shame - i have used them loads times before and they'r getting competitive - oh hum
Reply to
Chris K

And if you get it wrong three times in a row they just ask you to supply a new one. The only security information they require is stuff on your card plus your date of birth (which is all they ask for in the first place).
So anyone who has stolen (or even just got a good look at) your card and knows your birthday and how old you are can sign themselves up for it and make purchases in your name.
As a security measure against fraud it's pathetic.
Reply to
Max Demian
In message , johannes wrote
But it's not "extra" security for you. After giving all your details to a retailer a Verified by Visa phising page comes up asking for more details.
Reply to

Site Timeline Threads

BeanSmart website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.