Verified by Visa: tied to the card-number or to the account?



David M

I have ceased making internet purchases by bank card [1] since Verified by
Visa was introduced, as there is simply *no way* I'm going to sign up to
that liability-shifting scam.

[1] Fortunately the internet businesses I currently use are wise enough
to accept other means of payment.


Unfortunately, I will need to make some internet purchases in the near
future with businesses where I suspect that non-card payment methods will
not be an option. Does anybody know whether the Verified by Visa trap is
associated with a particular bank card number or with the underlying
account, irrespective of what the actual card number may be from time to
time?

If the latter, I can only make 3 more internet purchases - *ever*, unless
I open a new bank or credit card account on a regular basis.

If the former, in order to preserve my security, I guess it would be
unfortunate if I were to clumsily lose my bank card periodically, and
have to ask for a new card, with a new number, and reset the VbV timebomb.

Does anybody know for sure which way the system works in this regard?

Thanks,


David.
 

Mike Barnes

> Does anybody know whether the Verified by Visa trap is
> associated with a particular bank card number or with the underlying
> account, irrespective of what the actual card number may be from time to
> time?

What I can tell you is SWMBO has a second card on my Visa account, and
they share a password. Stupid.

In my opinion Verified By Visa is a cruel joke.
 

Tim Woodall

> What I can tell you is SWMBO has a second card on my Visa account, and
> they share a password. Stupid.
>
> In my opinion Verified By Visa is a cruel joke.

Verified by Visa was designed by Phishers to look identical to a
phishing site in all respects, thus softening people up to phishing
attacks that will be indistinguishable from this sort of thing.

Can you tell if https://www.securesuite.co.uk/ is a valid banking site
or not?

What about https://secure1.securesite.co.uk/ ?

And what with all the redirects when you visit one of the verified by
visa sites, not working properly (or at all) with Javascript turned off
etc, it's a complete mess.

Tim.
 

Jim Alexander

David M said:
> I have ceased making internet purchases by bank card [1] since Verified by
> Visa was introduced, as there is simply *no way* I'm going to sign up to
> that liability-shifting scam.

ditto

> Does anybody know whether the Verified by Visa trap is
> associated with a particular bank card number or with the underlying
> account, irrespective of what the actual card number may be from time to
> time?

I think it depends on the card issuer's implementation.

You can avoid VbV for the next few weeks with a Co-operative Bank card and
for longer if there is an additional card on the account.

Inexplicably Co-op Bank are intending just to enroll everybody using the
very same Memorable Word used to authenticate telephone and internet
banking. Plumbing the depths of cynical banking stupidity they are not
implementing the Personal Assurance Message feature of VbV. However for
what might be an obvious reason due to their mandated use of an existing
Memorable Word they will not currently be enrolling multiple cards on a
single account. So there is an answer of sorts to your question in this
case.

Jim A
 

Chris Blunt

> Verified by Visa was designed by Phishers to look identical to a
> phishing site in all respects, thus softening people up to phishing
> attacks that will be indistinguishable from this sort of thing.
>
> Can you tell if https://www.securesuite.co.uk/ is a valid banking site
> or not?
>
> What about https://secure1.securesite.co.uk/ ?

What does it matter whether or not you can tell whether either of
those sites is genuine?

When you make a transaction with Verified by Visa you're presented
with a pop-up web page from your credit card company which displays
the passphrase you previously agreed with them. If you recognise the
passphrase it's a genuine site, if you don't, it isn't. Seems simple
enough to me.

Chris
 

Mike Barnes

> Verified by Visa was designed by Phishers to look identical to a
> phishing site in all respects, thus softening people up to phishing
> attacks that will be indistinguishable from this sort of thing.

The first time I was confronted with Verified By Visa I phoned the
retailer to check whether it was genuine or not. They said they'd never
heard of it.
 

Mike Barnes

> When you make a transaction with Verified by Visa you're presented
> with a pop-up web page from your credit card company which displays
> the passphrase you previously agreed with them.

That isn't my experience. I've (reluctantly) used VbV many times over
the years. I've never been asked to agree a pass-phrase for use in the
way you describe.

> If you recognise the
> passphrase it's a genuine site, if you don't, it isn't. Seems simple
> enough to me.

Recognising it as a genuine site isn't the full extent of a problem. I
really don't want there to be another password that I am required to
memorise and must share with the other cardholder.
 

google

> What does it matter whether or not you can tell whether either of
> those sites is genuine?
>
> When you make a transaction with Verified by Visa you're presented
> with a pop-up web page from your credit card company which displays
> the passphrase you previously agreed with them. If you recognise the
> passphrase it's a genuine site, if you don't, it isn't. Seems simple
> enough to me.

I've never agreed a passphrase. And unless "Welcome to verified by
visa" or something else like that is my passphrase then there's no
passphrase at all. There also appears to be no way to change any
passphrase.

And, AFAICT, all you need to know is someone's date of birth and you
can change their password anyway - so it offers no protection to
anyone who has their wallet or handbag stolen and has their driving
licence in there as well.

Tim.
 

google

> What does it matter whether or not you can tell whether either of
> those sites is genuine?

Because one of them is the site that I'm redirected to when I shop at
Tescos. As I'm using a mainstream mastercard, I'd expect any page to
either be related to my card supplier or to tescos. Instead I'm linked
to a site that appears to be something to do with CYOTA inc, which
AFAICT is an American company - I'm slightly concerned about all my
details, passphrase (that I don't have?), DoB, card number being
shared with an American company that appears to be nothing to do with
me, my card supplier or Tesco.

The IP appears to be owned by:
netname: CYOTA-NET
descr: Cyota
descr: New York
country: GB

Now there are several New Yorks in GB, but the primary contact is:
person: Anupam Kunwar
address: Cyota
address: 8 West 38th, 11th Floor
address: New York, NY 10018
address: United States

It all looks very suspicious to me.

Despite that, I'm expected to trust this site and put in any details
it asks for (and I've never been told what to expect this site will
ask for - I do know that nobody will ask for my pin, but if it started
asking for my DoB (it does if you say you've forgotten your password),
mother's maiden name, or anything else like that I'd have no way of
telling if it was genuine or not) but if I get an email from someone
calling themselves (e-mail address removed) saying there's been suspicious
activity on my account and to go to <somewhere> I'm expected to
realize that it's dodgy and I shouldn't follow the link.

Tim.
 

Tim

> And, AFAICT, all you need to know is someone's date of
> birth and you can change their password anyway - so it
> offers no protection to anyone who has their wallet or
> handbag stolen and has their driving licence in there as well.

Easy solution to that, then : don't carry your driving licence with you!

[One of the credit reference agencies actually recommends
that you don't generally carry your driving licence around
with you, and should "leave it safely at home" instead!]
 

Jim Alexander

Chris Blunt said:
> What does it matter whether or not you can tell whether either of
> those sites is genuine?
>
> When you make a transaction with Verified by Visa you're presented
> with a pop-up web page from your credit card company which displays
> the passphrase you previously agreed with them. If you recognise the
> passphrase it's a genuine site, if you don't, it isn't. Seems simple
> enough to me.

If only it was. Read my post. Although part of VbV when Visa explain it
and is included in most card issuers' implementations, Co-operative Bank are
not implementing that feature.

Jim A
 

Chris Blunt

> That isn't my experience. I've (reluctantly) used VbV many times over
> the years. I've never been asked to agree a pass-phrase for use in the
> way you describe.

Have you previously registered your card with your card company to use
VbV? If not then perhaps that's why it's not working as it should.

I have several Visa cards from different banks, all registered for
VbV, and with every one of those I see a pop-up window displaying the
personal message I registered and asking me to input a password. It
works exactly as shown in Step 3 of the demo here:

http://www.visaeurope.com/personal/onlineshopping/verifiedbyvisa/shoppingdemo.html

Chris
 
