Verified by Visa - is this optional???????

It will be compulsory for everyone soooner or later.

Reply to
Maria
Loading thread data ...

The popular use of DOB by many banks is REALLY stupid. Anyone determined can find out.

Reply to
johannes

It depends upon who issues your card. Some insist upon you using 3D secure (Verified by Visa is one such scheme), some make it entirely optional, while some allow you to defer it a certain number of times, then insist upon it. However, anyone who does not choose to activate 3D secure at the first opportunity is an idiot. If anyone gets hold of your card details, they can create a password, lock you out of using your card online and run up huge bills on your card. It is the online equivalent of chip and PIN and any retailer who gets a 3D secure verified card is very unlikely to question the purchase, as they are not responsible if the transaction is fraudulent.

Colin Bignell

Reply to
Nightjar

I lost around 35% of sales when I turned it on - it's been off ever since!

Reply to
Maria

"Nightjar wrote

That's a bit strong. You could just as validly say: "anyone who chooses to keep a card which is eligible for 3D secure (whether activated or not) is an idiot".

"Nightjar wrote

They can do that even if you *have* activated 3D secure, as long as they know your DOB (they just say they've forgotten your password, and reset a new one).

"Nightjar wrote

No it's not, because you can't bypass C&P by just using details printed on the card & DOB...

Reply to
Tim

In message , Maria wrote

I often abandon purchases if these "verification" pages take too long to come up or if they look more suspicious than usual.

I have an on-line account associated with my credit card that allows me to change any details and make payments etc. Nowhere on the site is there a facility for setting up a password or other information required for the verification pages. If the credit card companies are not interested in allowing customers to go to known and trusted site to configure this extra information then it tells me they are not really interested in this security measure.

Reply to
Alan

There is a significant difference between a security feature not being offered by the card issuer and not using one that is.

A bit difficult to get that from a card cloning device though.

Well, if you prefer, the card issuers state it is the online equivelant of chip and PIN. From a retailer's point of view, both transfer the cost of fraudulent transactions to the card issuer.

Colin Bignell

Reply to
Nightjar

Maria wrote: ...

3D secure is complusory for any merchant who accepts Maestro.

Colin Bignell

Reply to
Nightjar

In message , "Nightjar "@?.?.invalid> wrote

Surely it's an attempt to pass the cost back to the individual customer? If a Verified by Visa screen has had the correct information entered it must have been done by the card holder.

Reply to
Alan

Each time I was told I had to do this I simply went to a trader that didn't buy into this game. Now, without exception, I am no longer asked to verify the card. Clearly the retailer is not pleased when customers give up the purchase in preference to compling with further invasive security measures.

Turk182

Reply to
Turk182

As I pointed out earlier, if the legitimate card holder has not set up

3D secure, then anyone who gets the card details, for example by cloning, then that person can set up the 3D secure password and have all subsequent transactions verified.

While it is very much less common to come across suspicious transactions since 3D secure came in, it still does happen and sometimes with full authorisation of the card.

Colin Bignell

Reply to
Nightjar

In message , "Nightjar "@?.?.invalid> wrote

If someone doesn't ever use their card on-line, or doesn't even have a computer or Internet account, they will never be given the opportunity to set up 3D secure.

With my card the _ONLY_ time I was offered the chance to set up the verification password/phrase was the first time a retailer wanted the verification process (during a purchase).

3D is thus making the card less secure for the user!
Reply to
Alan

If someone who has never bought online suddenly starts to do so, even legitimately, they will get a telephone call from the card issuer's anti-fraud section. Even though I am a regular online buyer, I get them if I change my pattern of buying.

It is not making the card any less secure than it was before 3D secure, but creating a password does make your card more secure. I know from personal experience as an online retailer, that it has also significantly reduced the incidence of people even trying to make fraudulent purchases online.

Colin Bignell

Reply to
Nightjar

In message , "Nightjar "@?.?.invalid> wrote

Reply to
Alan

In message , "Nightjar "@?.?.invalid> wrote

It is making the card less secure!

A rouge trader could set up his own 3D secure type phishing page and obtain many more details of my card account and personal information in one hit. It is the ideal means for obtaining details for card fraud.

One of the biggest issuers of cards has no facility on the their web site to set up such a password. They obviously don't think the system is secure.

What you may be seeing is abandoned purchases which were not necessarily fraudulent in the first place. These days customers get very suspicious being redirected away from a retailer's secure paying page to some third party pop-up page.

The system may reduce your financial risk but it doesn't make my transaction any safer.

Reply to
Alan

If you are worried about that, don't buy online. It is the only certain way of avoiding a phishing site. However, you are very unlikely to find any bogus trader who manages to get both a dynamic PCI compliant logo on their site and an extended validation SSL certificate on their secure pages.

I simply don't see the same type of transaction as I used to before 3D secure, abandoned or not. Fradulent transactions generally stand out due to significant differences from genuine transactions. Before 3D secure, I used to get about one a week and, if in doubt, I didn't take the money and didn't send the goods. Nobody complained, while genuine customers always do if they don't get their goods within a couple of days and we haven't told them about a delay. Since 3D secure, I see, perhaps, one fraudlent transaction attempt a year.

That must severely limit the sites they can use, as many sites legitimately divert to Sage Pay or similar. In any case, how do you know you are not being diverted to a third party site when there is not a pop-up window? A page using Sage Pay iframe, for example, will not appear any different from any other secure page on the site, but the data entry boxes are actually on the Sage Pay server.

I disagree.

Colin Bignell

Reply to
Nightjar

Which is why the man in the street is so vulnerable to phishing attacks. The legitimate traders use origin obscuration techniques to a level that would do any phisher proud. Most people don't understand the real protection provided by SSL certificates, and this sort of trick gives them no chance to learn. Those who do understand, are just totally frustrated by the way that they are compromised into near uselessness, or need to go through whoops to track down the real players in the transaction, and keep track of all the legitimate payment services, even when they rebrand themselves, as I think Sage Pay did recently.

Worst of course is where a trader using their ISP as the card handler. One is then presented with an SSL certificate for a complete unknown, with no known ability to authenticate their clients.

Reply to
David Woolley

I abandon such purchases because I start of with Firefox and NoScript, allow the purchasing site, then go to a third party pop up and either I fail there or fail on the return to the purchasing site. When I've been desparate (try paying for something on the Land Registry site) I've resorted to IE.

Reply to
AnthonyL

And therein lies the next problem to do with the card-issuing authorities' anti-fraud measures: firstly, their pattern recognition methods of detecting unusual activity is not particularly accurate: I have been rung up for merely buying something in person from a shop's branch in a town I was visiting for a short time, when I had previously successfully bought things from branches in my home-town before. I was also questioned when I withdrew money from an ATM at Heathrow Airport when I returned from China on a stay there which I had informed them about.

In both cases, they demanded the usual weak security test of my name and date of birth, etc before they would do anything else, and yet reacted with complete surprise and incomprehension when I told them that I would not be giving them that information before I could satisfy myself that they were who THEY said they were. We were in stalemate, and the only way of resolving it was me to ring up the bank on a phone number I found independently and asked to be put through to their anti-fraud department to ask whether they had tried to ring me up, and, on hearing that they had, I then allowed them to continue to ask about the transactions they thought were fraudulent.

The bank assured me that them using date of birth and other easily- obtained information was not sensitive, but I pointed out to them that they had made it so by relying on it solely in phone calls from them, verified by visa, and so on, which means one could not respond to a claim and a demand for date of birth in the way they suggested was safe from an unsolicited phone call from an either withheld phone number or one which was completely unknown to me or other people. Of course, I was talking to deaf ears, except that they did warn me that calls might be recorded, and it did strike me that, having been warned of their security shortcomings, then it might protect me if they then tried to wriggle out of any obligations in the future if I was unlucky to have fallen for such a demand in an unsolicited phone call claiming to be from my bank.

One cannot easily deal with this by changing banks, because it seems to me that they all suffer from this loophole and issue of one-sided security measures. They need to be sure they are speaking to the right person, and we as customers need to be sure we are really speaking to the claimed authorities for there to be true well-working authorities. At the moment, we cannot be.

Reply to
Zhang Dawei

BeanSmart website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.