Illegal activities of Equifax through Verified by Visa crap



Chris Blunt

But who would write this and ensure it was secure? ;-)
Perhaps it could be produced by the banks and supplied directly to
their customers. Everybody trusts banks, don't they? :)

Chris
 

Mark

> Perhaps it could be produced by the banks and supplied directly to
> their customers. Everybody trusts banks, don't they? :)

I think I would prefer using a browser. At least you can do some
checks yourself and are not totally reliant on the bank.

But we need to move away from simple schemes and use something a lot
more secure that does not just rely on "something you know".
 

David Woolley

Chris said:
> be enhanced. For the vast majority doing that kind of thing is way
> above them and hell will freeze over before they come close to
> understanding those kind of issues. Ordinary people just want to shop
> online without having to fry their brains to make sure what they're
> doing is safe.

Which means that 3D Secure is fundamentally broken, as the vast majority
of people (including, unfortunately, the banks' marketing people) are
unable to operate a system that is predicated on being certain that you
are actually talking to the card issuer, rather than the trader, in a
way that gives any guarantee that that is being achieved!

The way they pretend that you confirm this just does not work.

Actually this is why the whole SSL system doesn't work. It has been
mis-sold as providing encryption, when the actual design, and the reason
people pay lots of money to Verisign, and the like, is actually about
authentication. Authentication is actually needed to ensure the
security of an encrypted system.

Even if only a few people know how to use https securely, allowing them
to do so increases the chances that a rogue will get caught before too
much damage is done.
 

David Woolley

Mike said:
> The only sensible solution (AFAICS, knowing not much about it) is to
> abandon this idea of using a general-purpose browser for financial
> transactions. A dedicated program would be rather easier to secure,
> surely?

Only if it ran on dedicated hardware. The security needed for the
problem 3D secure is trying to address could be achieved by using an
ordinary browser, but with only one root certificate, that for the card
issuer.
 

David Woolley

Mark said:
> But we need to move away from simple schemes and use something a lot
> more secure that does not just rely on "something you know".

In terms of achieving the objective of the bank, to be able to deny the
possibility that it wasn't you that made the transaction, the card
reader based system used by some banks would be better. The critical
processing for that is performed on a tamper resistant system, the card
itself.
 

Chris Blunt

> In terms of achieving the objective of the bank, to be able to deny the
> possibility that it wasn't you that made the transaction, the card
> reader based system used by some banks would be better. The critical
> processing for that is performed on a tamper resistant system, the card
> itself.

I wonder if it might be possible for the banks to provide access to
online shopping using their own internet banking services as a
gateway. The customer could log into his internet banking service as
normal, but there would be an "online shopping" area alongside the
other services there. The connection to the various retailers' sites
would originate from the bank's own systems, which would act as a kind
of proxy. All transactions and payments could then be processed
securely, with the bank retaining a full audit trail of any
transactions made.

Chris
 

David

Charlie+ wrote in uk.finance
about: Re: Illegal activities of Equifax through Verified by Visa crap
> You're right - I'm an ordinary user and have no idea what you guys are
> talking about - I would think along with a great majority of others!! I
> have seen the Verify by Visa box a couple of times and each time never
> got through the Visa system successfully even though I give all this
> information which makes me feel very uncomfortable - especially as the
> transaction isn't successful. A real PITA!
> So I use PayPal exclusively and just won't buy from any website that
> doesn't use it!

I'm not sure that I would trust PayPal all that much more than I would
Veriphied by Visa.. :-(

Since Veriphied by Visa (and its twin, MasterCard SuckerCode) was
introduced, I've actually done much *less* online purchasing, as I refuse
to accept the liability shift scam that these schemes entail, but sadly
it is becoming increasingly hard to find commercial websites that you
can use without having to sign your rights away (meaning that Amazon is
pretty much the only site that I shop at online at present).

I have a horrible feeling that unless Visa/MasterCard get a *proper*
clue, I'm going to have to get a second credit card, solely for use on
contaminated sites, so as to ensure that my main credit card remains
free of VbV guff..

From what you say above, PayPal (obviously) doesn't use 3D-Insecure at
the time you pay for goods, but is it possible to credit your PayPal
account without falling into a VbV/MCSC spiked pit trap at that point?
(And is PayPal actually trustworthy nowadays? I have heard so many bad
tales about it in the past..)


What I don't understand is why more sites don't allow payment by bank
transfer (It's much more common as a method of online payment in
countries where credit cards are less common, such as Germany). With
Faster Payments, payment to UK companies is usually same-day and if I'm
ordering something online and having to wait for delivery anyway, then
waiting for them to clear the bank transfer isn't really an issue for
me.


David.
 

David Woolley

David said:
> I'm not sure that I would trust PayPal all that much more than I would
> Veriphied by Visa.. :-(

With PayPal, you can, at least, verify that you are sending your password
to them, without going through hoops, even if what is needed to do
that is too difficult for the general public.

> Since Veriphied by Visa (and its twin, MasterCard SuckerCode) was
> introduced, I've actually done much *less* online purchasing, as I refuse

They are actually both operated by the same company.

> From what you say above, PayPal (obviously) doesn't use 3D-Insecure at
> the time you pay for goods, but is it possible to credit your PayPal
> account without falling into a VbV/MCSC spiked pit trap at that point?

I don't believe you can pre-pay PayPal from plastic. I think you have
to do that by direct debit.

> What I don't understand is why more sites don't allow payment by bank

More sites accept it than advertise the fact. I managed to arrange a
payment using it with one company when their payment service was going
man in the middle to 3D secure (outbound only, but checking that the
form submits directly is very difficult).

I suspect one problem is getting people to put the correct reference on
payments.

> transfer (It's much more common as a method of online payment in
> countries where credit cards are less common, such as Germany). With

It is the only method in some cases. I had to find another supplier
once when a German one was the best source, because an international
bank transfer would have cost about as much as the product.
 

Charlie+

Charlie+ wrote in uk.finance
about: Re: Illegal activities of Equifax through Verified by Visa crap


> I'm not sure that I would trust PayPal all that much more than I would
> Veriphied by Visa.. :-(

Well I know what you mean! But I had already tried out PayPal with a
pre-paid credit card for safety and not had any problem and SO easy to
use, a single password needed for any transaction, so PP seems the
lesser trouble, a lot of merchants will only accept PPal so it is
useful. If and when there is a problem, we will see, so far so good. C+
 

Charlie+

On Wed, 07 Mar 2012 07:23:34 +0000, David Woolley

snip
> With PayPal, you can, at least, verify that you are sending your password
> to them, without going through hoops, even if what is needed to do
> that is too difficult for the general public.

That's of interest - if something raises a suspicion while doing a
transaction it would be useful to know how to check that the PayPal page
is genuine, could you give simple instructions as to how to achieve
this? C+
snip
 

Mike Barnes

Charlie+ said:
> On Wed, 07 Mar 2012 07:23:34 +0000, David Woolley
>
> snip
>
> That's of interest - if something raises a suspicion while doing a
> transaction it would be useful to know how to check that the PayPal page
> is genuine, could you give simple instructions as to how to achieve
> this? C+

Check that the address displayed at the top of the browser window begins
with (exactly)

https://www.paypal.com/
 

David Woolley

Mike said:
> Check that the address displayed at the top of the browser window begins
> with (exactly)
>
> https://www.paypal.com/

To get further confidence, in case some trick has been played to make a
different URL look right, or a certificate has been obtained from one of
the weaker certifiers trusted by the browser, you should also check the
certificate (lock icon on Firefox). It should be issued to Paypal Inc
(Organization) and should be signed by VeriSign Class 3 Extended
Validation SSL CA (Common Name). If you look at the details, it should
have PayPal's business address in the details.

The certificate should have current dates.

With recent versions of Firefox, the address bar should turn green. This
indicates that the certificate is one where there is a relatively high
level of certainty that the signer has correctly authenticated the
identity of the site. Note that VeriSign issue certificates with
varying levels of authentication. For financial payment services you
want their class 3 certificates, or one of a similar level from one of
the other reputable signers.

The signer may change in the future.

Noting the subject of this thread, I would point out that, by
default, Firefox trusts Equifax to authenticate web sites! Anyone who
is paranoid about Equifax should probably disable those certificates,
although that will deny access to some web sites.
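
The checks from the two posts above (exact https://www.paypal.com/ address, issued-to organisation, signer common name, current dates), as an added Python example that is not part of the original thread. It assumes the certificate is in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificate and check time are constructed, and the expected values are the ones quoted in the 2012 post.

```python
import calendar
import ssl
from urllib.parse import urlsplit

# Expected values as quoted in the post (2012); the post notes the signer may change.
EXPECTED_HOST = "www.paypal.com"
EXPECTED_ORG = "Paypal Inc"
EXPECTED_SIGNER_CN = "VeriSign Class 3 Extended Validation SSL CA"

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "Paypal Inc"),),
                (("commonName", "www.paypal.com"),)),
    "issuer": ((("organizationName", "VeriSign, Inc."),),
               (("commonName", EXPECTED_SIGNER_CN),)),
    "notBefore": "Mar 15 00:00:00 2011 GMT",
    "notAfter": "Mar 15 23:59:59 2013 GMT",
}
SAMPLE_NOW = calendar.timegm((2012, 3, 7, 22, 7, 31))  # constructed check time (UTC)


def url_is_expected_site(url, host=EXPECTED_HOST):
    """True only for https URLs whose host is exactly `host` on the default port."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False
    # Comparing the parsed host rejects look-alikes where the expected name is
    # only a prefix of the host or sits in the user-info part of the URL.
    return (parts.scheme == "https" and parts.hostname == host
            and port in (None, 443) and parts.username is None)


def _field(rdns, key):
    """Return the first value for `key` in a getpeercert() subject/issuer tuple."""
    for rdn in rdns:
        for name, value in rdn:
            if name == key:
                return value
    return None


def check_certificate(cert, now, org=EXPECTED_ORG, signer_cn=EXPECTED_SIGNER_CN):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    issued_to = _field(cert.get("subject", ()), "organizationName")
    if (issued_to or "").lower() != org.lower():
        problems.append(f"issued to {issued_to!r}, expected {org!r}")
    signer = _field(cert.get("issuer", ()), "commonName")
    if signer != signer_cn:
        problems.append(f"signed by {signer!r}, expected {signer_cn!r}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("certificate dates are not current")
    return problems


if __name__ == "__main__":
    print(url_is_expected_site("https://www.paypal.com/cgi-bin/webscr"))
    print(check_certificate(SAMPLE_CERT, SAMPLE_NOW))
```

The extended-validation (green bar) status is a browser policy decision and is not visible in this dictionary, so it is not checked here.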
 

Charlie+

On Wed, 07 Mar 2012 22:07:31 +0000, David Woolley

snip
> To get further confidence, in case some trick has been played to make a
> different URL look right, or a certificate has been obtained from one of
> the weaker certifiers trusted by the browser, you should also check the
> certificate (lock icon on Firefox). It should be issued to Paypal Inc
> (Organization) and should be signed by VeriSign Class 3 Extended
> Validation SSL CA (Common Name). If you look at the details, it should
> have PayPal's business address in the details.
>
> The certificate should have current dates.
>
> With recent versions of Firefox, the address bar should turn green. This
> indicates that the certificate is one where there is a relatively high
> level of certainty that the signer has correctly authenticated the
> identity of the site. Note that VeriSign issue certificates with
> varying levels of authentication. For financial payment services you
> want their class 3 certificates, or one of a similar level from one of
> the other reputable signers.
>
> The signer may change in the future.
>
> Noting the subject of this thread, I would point out that, by
> default, Firefox trusts Equifax to authenticate web sites! Anyone who
> is paranoid about Equifax should probably disable those certificates,
> although that will deny access to some web sites.

Thank you, that is very helpful information! I'm afraid laziness with
informing myself about certificates and how they all work has been my
fault completely!
C+
 

Chris Blunt

> The problem is that VbV is insecure:

7 March 2012 Last updated at 09:43 GMT

Card fraud falls to its lowest level for 11 years

http://www.bbc.co.uk/news/business-17273097

The amount of money lost due to fraud on credit and debit cards fell
last year by 7% to £341m - its lowest level for 11 years.

The drop from 2010 was mainly due to a 41% fall in fraudsters
impersonating people to obtain or use credit cards.

There was also a 24% fall in the amount of fraud from cards being
faked.

The UK Cards Association said it was the third year in a row that card
fraud had fallen, with a drop of 44% since losses peaked in 2008.

It brings card fraud to its lowest level since 2000 when £317m was
lost through fraud.

The association credited the improvement to the increased use of
anti-fraud measures.

Among them were online card verification software, such as Verified by
Visa and MasterCard SecureCode, and the increased use of chip-and-pin
technology abroad.

Melanie Johnson, chair of the UK Cards Association, said: "This is...
clear proof that our endeavours to fight fraud are packing a punch."

"Customers have also played their part in driving down losses by
taking heed of advice about looking after their personal and financial
details," she added.

Losses falling

Card fraud rose during the past decade to reach its peak, in 2008, of
£610m.

Although the adoption of chip-and-pin technology, largely replacing
signatures, had helped to rein in fraud in the UK, there was a revival
in the fraudulent use of cards abroad.

However, this has now dropped as well, with fraud abroad falling by a
further 15% last year to £80m.

That was its lowest level in 12 years, and nearly two-thirds down from
the peak of foreign card fraud in 2008, when it stood at £230m.

Overall, the most common losses last year were due to cards being
improperly used to order items over the phone, by post or over the
internet - so-called "card not present" fraud.

This accounted for £221m - nearly two-thirds of all card fraud losses.

Meanwhile counterfeit card fraud, once the second-largest category of
loss, has slumped in the past five years, down by three-quarters since
2007.

The biggest areas of card fraud loss in 2011 were:

Cards not present: £221m
Lost or stolen cards: £50m
Counterfeit cards: £36m
Card ID theft: £23m
Cards stolen in the post: £11m

DCI Paul Barnard, who leads the police cheque and plastic crime unit,
said with more sophisticated anti-fraud technology now in use,
criminals had returned to simpler forms of fraud.

"Many scams involve customers being conned into handing over their
cards and Pins, or their telephone banking security details by someone
calling, pretending to be their bank or police," he pointed out.

"Be wary of any unsolicited phone calls or emails - never hand over
your card and Pin or bank security details in full as neither your
bank or the police will ever ask you for these."

Meanwhile, fraud losses against online banking accounts fell by 24%
last year to £35m, while fraud losses involving telephone banking rose
by 32% to £17m.
 

js.b1

It is interesting to note that a lot of Europe has one-use credit card
numbers for online purchases.

The credit card number lives for the duration of the transaction, and
that is it. It would be quite useful re domestic cost centres, medical
bits, IT spending, food spending, DIY project X, DIY project Y.

Credit cards could actually vanish, but that is another post...
 

brightside S9

> It is interesting to note that a lot of Europe has one-use credit card
> numbers for online purchases.
>
> The credit card number lives for the duration of the transaction, and
> that is it. It would be quite useful re domestic cost centres, medical
> bits, IT spending, food spending, DIY project X, DIY project Y.
>
> Credit cards could actually vanish, but that is another post...

Cahoot used to do one, but it appears they no longer issue it.
 

7

Flop said:
> The problem is that VbV is insecure:
>
> http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
>
> Why anyone should use a pop-up - the most dangerous carrier of viruses -
> is beyond me
>
> Flop
>
> ps if you are using Firefox, you need to 'accept all third party'
> cookies in Tools/Options/privacy. Another great loophole for security!!

The *DUMB* system did it again today!!!

Perfectly correct answers and it's locked the card out with another half
hour of calls to sort it out.

The same double act again - the card company disowns the system
and blames Equifax who have no legal responsibility for their failed
databases.

The card company just doesn't get it.
If they hired some soothsayers who consult with tea bags
for an answer, and they decided the tea bags indicate payment should
not be made today, then it's still
the card company that is at fault for not using
a proper verification system. The soothsayers are not legally
responsible for their consultations with tea bags and the
answers the tea bags have given them!!!!

For **** SAKE!

You go to Equifax web site and there is nothing
on their crap broken site about registering a complaint. They just want
to sell you credit reports. ****** their credit reports, just put
up a link for verified by visa crap complaint and then we'll see.

I am going to demand under the data protection act
they divulge all the questions they are ever likely to ask
and all the answers they have recorded against those questions
for the given card.
They are making a profit with this information, so they should have the
answers for immediate dispatch I assume, and if they don't, they
can shut down their servers and go out of business.
 

David Woolley

7 said:
> You go to Equifax web site and there is nothing
> on their crap broken site about registering a complaint. They just want
> to sell you credit reports. ****** their credit reports, just put
> up a link for verified by visa crap complaint and then we'll see.
>
> I am going to demand under the data protection act
> they divulge all the questions they are ever likely to ask
> and all the answers they have recorded against those questions
> for the given card.

I presume they are using the contents of the credit history file that,
as a licensed credit reference agency, they hold on you, so I presume
that the way they would provide the information you are asking of them
is by selling you your credit report! I believe that companies are
allowed to charge up to £10 to provide the information they hold on you.

As they are one of the three official UK credit reference agencies, they
will have found that handling data protection requests was a very normal
part of their business, so I think they have just built on that by
actively marketing the provision of data to the data subject, in the
form of their credit reports.

I very much doubt that they will tell you all the possible questions, as
that is not personal information, and would help fraudsters.
 

Chris Harris

My online transactions have started to fail in the same way. I used to
provide VbV with selected letters from a password, but now it wants me
to answer questions to which it has the wrong answers....I'm not so
old that I can't remember the counties in which I have lived. Neither
Visa nor Barclays (card issuer) will do anything to sort the problem.
Barclays Indian call centre (I thought they had gotten rid of these)
even suggested that I get a report from Equifax and correct it, I can't
see doing that being a no cost option. Dreadful as the security of VbV
is, the thing that really annoys me is that Visa and/or Barclays have
farmed the service out to a 3rd party but are unwilling to sort out
the problems that the 3rd party is giving to their customer. Talking
to them has been like a lesson on how not to do customer service.
 
>>I've had the unfortunate experience of being locked out of Verified by Visa today.
>>When I went to check, they said it's because the system has been changed

I was also locked out after my bank changed from 'Verified by Visa - Password' to 'Verified by Visa - Equifax'...
question 1 .. "who is your mortgage with", could answer ok
question 2 .. "when did you take out mortgage", could answer ok after scratching my head for a few mins
question 3 .. "which of these addresses are you associated with", none relevant so selected 'None'. I suspect one of those addresses is related to previous tenants/owners of my property.

Lock out, phoned number displayed and spoke to someone who unlocked.

'Verified by Visa - Password' worked well for me perfectly for a couple of years.

Rang bank - they said 'we're getting a lot of these complaints about unrelated questions, we can't do anything, we can't change you back to Verified by Visa-Password, contact Equifax'
Rang Equifax - they said 'sign up for credit report to check details'

Talked to mate who has Nationwide Visa credit card - he said that he's only ever seen 'Verified by Visa - Password'
Rang Nationwide (Tue 23 April 2013) - they said 'We have only ever used 'Verified by Visa - Password' and have no intention/haven't heard of 'Verified by Visa - Equifax''

Might be time for a new credit card ....
 