Illegal activities of Equifax through Verified by Visa crap


7

Illegal activities of Equifax through Verified by Visa crap
-----------------------------------------------------------

I've had the unfortunate experience of being locked out
of Verified by Visa today.

When I went to check, they said it's because the system
has been changed and I did not answer all the questions
correctly.

I insisted I did.

Worse, I also insisted I did not share answers with them
at any time for them to be asking questions to me
like do I have property in Yorkshire, Cornwall and Hatfield.
Also I do not know if a person named Paul ever stayed
at the house that I stayed.

I pointed out I got through the first questions, and the screen
went to the second one asking me which phone supplier I had.
I answered correctly and it failed it there and then.

So in telling this tale, Verified by Visa immediately
disowned their new system and blamed Equifax who they
said were posting the questions.

WTF????

Who the ****** is Equifax and what rights do they
have to ask me questions for which I HAVE NEVER SHARED
information with them????

Merely answering the question
is extremely illegal as it's fishing for answers.

The database is full of innuendos gathered
from god knows where.

Computationally correct answers such as who might
have stayed at the house that I stayed WILL NEVER be
humanly correct, and even more inappropriate if I did
reveal some answer to which Equifax is not entitled to.

So where do I complain?

Do I complain to Database Registrar?
Do I complain to the financial services ombudsman?
Do I complain to the banking ombudsman?

I am really pissed off as this is the second time
this has happened in a month.
 
David Woolley

7 said:
> Who the ****** is Equifax and what rights do they

They are one of the two main UK credit reference agencies.

> have to ask me questions for which I HAVE NEVER SHARED
> information with them????

It sounds like they are using data that they gathered in building your
credit rating and that of other people at your address.

Sounds like e-commerce outside of Paypal and Amazon is going to get even
more difficult if people actually care about password security.
 
David Woolley

David said:
> 7 wrote:
>
> They are one of the two main UK credit reference agencies.

As credit reference agencies, they have a statutory right to certain
government collected data that is not available to normal businesses,
e.g. they have access to the un-edited version of the electoral roll,
and I think they may have access to the true addresses of directors.
 
Flop

The problem is that VbV is insecure:

http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

Why anyone should use a pop-up - the most dangerous carrier of viruses -
is beyond me

Flop

ps if you are using Firefox, you need to 'accept all third party'
cookies in Tools/Options/privacy. Another great loophole for security!!
 
Flop

> VbV uses iFrames, not popups.

> I don't. And yet VbV still works.

nuff said.

perhaps I should have added "if you are 'having difficulties' using
Firefox....."

Flop
 
Willy Eckerslyke

Flop said:
> nuff said.
>
> perhaps I should have added "if you are 'having difficulties' using
> Firefox....."

Perhaps you should have said "if you don't know how to use Firefox..."

Hint: you can specify which sites to accept cookies from.
 
Trust No One®

Willy Eckerslyke said:
> Perhaps you should have said "if you don't know how to use Firefox..."
>
> Hint: you can specify which sites to accept cookies from.

Even better still you can accept all cookies and choose to bin them all when
you close the browser.

That particular feature is simply pure genius on the part of Firefox!
 
August West

The said:
> Even better still you can accept all cookies and choose to bin them all when
> you close the browser.
>
> That particular feature is simply pure genius on the part of Firefox!

Genius they pinched from Opera...
 
Mike Barnes

Trust No One® said:
> Even better still you can accept all cookies and choose to bin them all when
> you close the browser.

Even betterer still you can accept all cookies and choose to bin them
all *except for sites you trust* when you close the browser.
 
David Woolley

Huge said:
> On 2012-02-28, Flop <Flop@flop.knot.me.uk> wrote:
> VbV uses iFrames, not popups.

At one time, at least, one of the major payment processing companies
went man in the middle, rather than iframe :-(
 
Mark

> At one time, at least, one of the major payment processing companies
> went man in the middle, rather than iframe :-(

Even within an iframe it's not easy to check the vbv box is legit.
 
Chris Blunt

> Even within an iframe it's not easy to check the vbv box is legit.

How would you know anyway? Do you have a comprehensive list of trusted
URLs, or would you just see if it looks about right?
 
David Woolley

Chris said:
> How would you know anyway? Do you have a comprehensive list of trusted
> URLs, or would you just see if it looks about right?

If it were designed by someone who understood security, it should be
done as a separate window, with full chrome, and should be served from a
domain belonging to the card issuer. The only further complication is
checking that the SSL certificate is from a reliable source, given the
proliferation of signers pre-installed and pre-enabled in browsers. For
Firefox, a certificate that turns the address green should be fairly
reliable. (The same issuer will use different levels of authentication
before issuing different classes of certificate.)

The important thing to remember is that anyone can find out the
authentication phrase, given the information you have just given the
trader, so you should not rely on that.

If the certificate belongs to the trader or payment service, they have
gone man in the middle and you probably shouldn't trust it. As this was
almost inevitable at one stage, I changed password whenever it happened.

The other problem is banks who use Cyota's URL and certificate. The
general public has no idea who Cyota is, and ought to abandon the
transaction at that point.

Of course, all the iframe and man in the middle stuff is because web
sites don't like their branding diluted.
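
The hostname part of the check described in the post above, as an added example that is not part of any post in this thread. It assumes the cardholder already knows which domains belong to the card issuer (the list asked about earlier in the thread), uses constructed placeholder hostnames throughout, and looks only at the URL, not at the certificate.

```javascript
// Added example, not from the thread. Every hostname and both domain lists
// below are constructed placeholders (reserved .test names).

// True when `host` is `domain` itself or a subdomain of it. The comparison is
// made on a label boundary, so "examplebank.test.shop.test" and
// "secure-examplebank.test" do not count as belonging to "examplebank.test".
function hostBelongsTo(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Classify the URL shown for the password page against the domains the
// cardholder already associates with the issuer and with the shop.
function classifyAuthPage(pageUrl, issuerDomains, merchantDomains) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return "reject: unparseable URL";
  }
  if (url.protocol !== "https:") return "reject: not HTTPS";
  // "https://bank@other-host/" displays the bank name but connects elsewhere.
  if (url.username || url.password) return "reject: userinfo in URL";
  const host = url.hostname;
  if (issuerDomains.some((d) => hostBelongsTo(host, d))) return "issuer";
  if (merchantDomains.some((d) => hostBelongsTo(host, d))) {
    return "merchant or processor (man in the middle)";
  }
  return "unknown third party";
}

const ISSUER = ["examplebank.test"];        // assumed known in advance
const MERCHANT = ["shop.test", "pay.test"]; // the shop and its payment service

function demo() {
  return [
    "https://secure.examplebank.test/vbv",
    "https://examplebank.test.shop.test/vbv",
    "https://secure-examplebank.test/vbv",
    "https://secure.examplebank.test@pay.test/vbv",
    "http://secure.examplebank.test/vbv",
    "https://acs.thirdparty.test/vbv",
  ].map((u) => classifyAuthPage(u, ISSUER, MERCHANT));
}

console.log(demo());
```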
 
Chris Blunt

But this system is designed to be used by ordinary people who just
want to buy stuff online. Most of them would be completely baffled by
all this. Refining things in the way you suggest may satisfy a few
geeks and techies but it would make no difference to the vast majority
of people. Normal people haven't a clue what an SSL certificate is,
let alone how to check it was issued by a reliable source.
 
Mike Barnes

Chris Blunt said:
> How would you know anyway? Do you have a comprehensive list of trusted
> URLs, or would you just see if it looks about right?

The only sensible solution (AFAICS, knowing not much about it) is to
abandon this idea of using a general-purpose browser for financial
transactions. A dedicated program would be rather easier to secure,
surely?
 
Charlie+

> But this system is designed to be used by ordinary people who just
> want to buy stuff online. Most of them would be completely baffled by
> all this. Refining things in the way you suggest may satisfy a few
> geeks and techies but it would make no difference to the vast majority
> of people. Normal people haven't a clue what an SSL certificate is,
> let alone how to check it was issued by a reliable source.

You're right - I'm an ordinary user and have no idea what you guys are
talking about - I would think along with a great majority of others!! I
have seen the Verify by Visa box a couple of times and each time never
got through the Visa system successfully even though I give all this
information which makes me feel very uncomfortable - especially as the
transaction isn't successful. A real PITA!
So I use PayPal exclusively and just won't buy from any website that
doesn't use it!
How exactly do you check if a Verify by Visa box is genuine? These
poker game people seem to be able to start firefox pages without any by
your leave even though all popups, referred pages, historic cookies etc
are turned off - so why not a fake Verify by Visa box to harvest most
private account information?
 
Mark

> But this system is designed to be used by ordinary people who just
> want to buy stuff online. Most of them would be completely baffled by
> all this. Refining things in the way you suggest may satisfy a few
> geeks and techies but it would make no difference to the vast majority
> of people. Normal people haven't a clue what an SSL certificate is,
> let alone how to check it was issued by a reliable source.

Just because most people don't understand it doesn't mean that it is
OK for it to be broken.

There's much better ways than vbv/3ds to add some more security.
 
Mark

> The only sensible solution (AFAICS, knowing not much about it) is to
> abandon this idea of using a general-purpose browser for financial
> transactions. A dedicated program would be rather easier to secure,
> surely?

But who would write this and ensure it was secure? ;-)
 
Chris Blunt

> Just because most people don't understand it doesn't mean that it is
> OK for it to be broken.

But the proposed "fix" was to open the VbV box as a separate window so
the customer could check the domain and verify the certificate. A few
people might actually know how to do that, and for them security may
be enhanced. For the vast majority doing that kind of thing is way
above them and hell will freeze over before they come close to
understanding those kind of issues. Ordinary people just want to shop
online without having to fry their brains to make sure what they're
doing is safe.

> There's much better ways than vbv/3ds to add some more security.

No argument with you there.
 
