Verified by Visa?

[Mogga]

Was it just me who's had problems getting this to allow me to sign up?
After two wasted shopping attempts, on my second phone call I was
finally told my card had been locked ... we couldn't work out why
until at some point down the line she said something about opening a
new window in internet explorer. I'd been using firefox. Apparently
verified by visa doesn't work with firefox. Everything else, just not
firefox.
Anyway after much time and effort she assisted my registration so that
visa could verify my online shopping by requesting a password and
using my passphrase to reassure me I was on a secure site.
Hurray! (Obviously for physical sales there's the security of online
allowing deliveries to the cardholders address, but I spose for
service and digital services some sort of extra security might
possibly be a good thing...)

Anyway about 2 mins after finally ordering what I wanted - during
which process I did not get asked for my VBV password or get any
security reassuring message) my mobile went.
Didn't answer it in time. So home phone goes. No one there. Then it
rings again. Ahhh it's a nice call centre lady from the other side of
the planet. Can I tell her my DOB as she's from my bank.
Yeah right. I refused. Instead I asked her to confirm to me digits
from my DOB. After much grumbling she did it. So anyway by now she
wants to confirm I've just used my visa card online to buy something
as they were watching incase of fraud online.
So I told her ALL about my nightmarish two days attempting to get some
shopping online. She finally got to ask me if I'd just shopped online
and I again pointed out that I'd just spent two days trying to get
verified by visa so that this sort of online shopping situation could
be eliminated. So then she wants me to confirm the other recent
purchases. Gosh. I'd made those in person using my top secret pin
number which is supposed to be really really secure so that only
someone with my pin can use my card.
She wasn't very interested in me not getting asked for the VBV
password as it's not what she does.

Amazing what ideas they come up with to drive us mad.

Have you verified your visa?

 

[Colin Wilson]

Have you verified your visa?

If it's any consolation, I find it a worryingly bad idea and pain in
the ass too.

The popup window has no host name displayed, so you can't verify that
the popup actually IS from a legit company - and per a recent
verified* scam on ebay, scammers have been able to set up a webserver
(IIRC) on the target dummys' machine to display false details despite
visiting a legit website to check on the status of the goods
(effectively it subverted the results given by the legit site and
added incorrect data to make it look even better)

*it was mentioned in the last 2-3 weeks over at theregister.co.uk

 

[Tim Woodall]

If it's any consolation, I find it a worryingly bad idea and pain in
the ass too.

The popup window has no host name displayed, so you can't verify that
the popup actually IS from a legit company - and per a recent
verified* scam on ebay, scammers have been able to set up a webserver
(IIRC) on the target dummys' machine to display false details despite
visiting a legit website to check on the status of the goods
(effectively it subverted the results given by the legit site and
added incorrect data to make it look even better)

*it was mentioned in the last 2-3 weeks over at theregister.co.uk

If you turn off javascript (or use a browser that doesn't support
javascript at all - tesco.com is much much easier to use with javascript
turned off) you do get the address in the url.

But eventually (because I have absolutely no idea what my code is) I get
a screen where I have to enter my card number but within a couple of
seconds it redirects to:
https://secure.barclaycard.co.uk/barclays/user_login/fp_get_pan.jsp?cycfg_no_js_ind=true

You cannot access this page.

This may be due to one of two reasons:

1. The FI you are trying to access is deactivated

2. The access to the FI is restricted for specific IP
addresses, and your address is not one of them.


So I had to give up with the mastercard and use my natwest one card
instead which redirects me to "www.securesuite.co.uk" (_obviously_
this looks exactly like a fraud but a google on cyota shows that it was
acquired by RSA security in 2005/06 so presumably it is legit)
[email protected]:~$ whois securesuite.co.uk

Domain name:
securesuite.co.uk

Registrant:
cyota

Registrant type:
Unknown

Registrant's address:
8 west 38th street
new york
ny
10018
US

Registrar:
Register.com Inc [Tag = REGISTER-DOT-COM]
URL: http://www.register.com

Relevant dates:
Registered on: 09-Jun-2002
Renewal date: 09-Jun-2008
Last updated: 09-Apr-2006

Registration status:
Registered until renewal date.

Name servers:
ns0.eu.dedicatedserver.com
ns1.eu.dedicatedserver.com

WHOIS lookup made at 22:46:25 31-Oct-2007


But fortunately, this site says "sorry but we don't work without
javascript" and just lets the order go through.

I can't believe these jokers haven't been hauled through the courts via
the DDA by now.

Incidentally, domains like securesute.co.uk, securesiute.co.uk,
securesuit.co.uk are all available. Did these guys deliberately set
themselves up to be "done" by phishers?

Tim.

 

[Rosie Dandew]

Mogga said.....

Have you verified your visa?

Yes. Then a few weeks ago I used a site that says its transactions are
VbV but I wasn't asked for any of the VbV security details or passed
through to a VbVs pop-up screen. So I queried it by email with world
pay and got this slightly astonishing reply from their Technical
Support mob in India:
"Thank you for your email. I'm afraid I'm unable to verify why you
were not presented with the VbV screen to authenticate the transaction
on this occasion. However, I can confirm that this merchant is enrolled
for VbV. This should not be a concern to yourself as a shopper as this
scheme is more designed to protect merchants from fraud - shifting the
liability to yourself - by verifying that you are the genuine
cardholder. Your card details are processed securely by our system
regardless of whether the transaction is authenticated or not."

 

[Chris Blunt]

If it's any consolation, I find it a worryingly bad idea and pain in
the ass too.

The popup window has no host name displayed, so you can't verify that
the popup actually IS from a legit company

The Personal Assurance Message that you agreed with your credit card
company when you first registered should be displayed in that popup. I
thought the whole point of that was to reassure you that the window
does actually originate from them.

Chris

 

[Greg Rozelle]

Mogga said.....

Yes. Then a few weeks ago I used a site that says its transactions are
VbV but I wasn't asked for any of the VbV security details or passed
through to a VbVs pop-up screen. So I queried it by email with world
pay and got this slightly astonishing reply from their Technical
Support mob in India:
"Thank you for your email. I'm afraid I'm unable to verify why you
were not presented with the VbV screen to authenticate the transaction
on this occasion. However, I can confirm that this merchant is enrolled
for VbV. This should not be a concern to yourself as a shopper as this
scheme is more designed to protect merchants from fraud - shifting the
liability to yourself - by verifying that you are the genuine
cardholder. Your card details are processed securely by our system
regardless of whether the transaction is authenticated or not."

Maybe it is different in the states.

When the popup, come up.

It suppose to show your special phrase and your banks website.


Greg Rozelle

 

[Graham Murray]

I'd been using firefox. Apparently verified by visa doesn't work with
firefox. Everything else, just not firefox.

Verified by Visa works fine for me using Firefox

 

[Mogga]

Verified by Visa works fine for me using Firefox

The registration process?

 

[Graham Murray]

The registration process?

Yes, I did that using firefox as well. I can't remember but I think I
may have had to enable popups on the site which prompted me to
register.

 

[Mark Goodge]

Yes. Then a few weeks ago I used a site that says its transactions are
VbV but I wasn't asked for any of the VbV security details or passed
through to a VbVs pop-up screen. So I queried it by email with world
pay and got this slightly astonishing reply from their Technical
Support mob in India:
"Thank you for your email. I'm afraid I'm unable to verify why you
were not presented with the VbV screen to authenticate the transaction
on this occasion. However, I can confirm that this merchant is enrolled
for VbV. This should not be a concern to yourself as a shopper as this
scheme is more designed to protect merchants from fraud - shifting the
liability to yourself - by verifying that you are the genuine
cardholder. Your card details are processed securely by our system
regardless of whether the transaction is authenticated or not."

At least they're honest.

Mark

 

[Tim Woodall]

The Personal Assurance Message that you agreed with your credit card
company when you first registered should be displayed in that popup. I
thought the whole point of that was to reassure you that the window
does actually originate from them.

I've never agreed a message and I don't see anything that looks even
vaguely like something I might have agreed. I think it does say
something like MRWOODALL617 or something similar somewhere on the popup
but whatever the digits are they mean nothing to me and MRWOODALL seems
a bit too obvious to be some sort of security phrase.

Tim.

 

[Tim Woodall]

I've never agreed a message and I don't see anything that looks even
vaguely like something I might have agreed. I think it does say
something like MRWOODALL617 or something similar somewhere on the popup
but whatever the digits are they mean nothing to me and MRWOODALL seems
a bit too obvious to be some sort of security phrase.

No, I was wrong, that's my "Login" whatever that is (The numbers are
different). My personal greeting is "Welcome to SecureCode". Is that
meant to be something I've agreed with someone somewhere? I'd never
really noticed it before.

Tim.

 

[Chris Blunt]

No, I was wrong, that's my "Login" whatever that is (The numbers are
different). My personal greeting is "Welcome to SecureCode". Is that
meant to be something I've agreed with someone somewhere? I'd never
really noticed it before.

Perhaps your card company has implemented Verified by Visa differently
to mine. I have Visa cards from Barclays and HSBC, and in each case
when I first registered for the service I had to choose both a
password and a memorable phrase which I would recognise. That's the
phrase which Visa call the "Personal Assurance Message".

When I purchase something from a merchant that uses Verified by Visa I
get a popup window containing my bank's logo, details of the amount of
the transaction and merchant's name followed by the memorable phrase I
registered. I don't see anything marked "Login". Apart from that
there's just a box to enter my password into.

Chris

 

[Mogga]

Yes, I did that using firefox as well. I can't remember but I think I
may have had to enable popups on the site which prompted me to
register.

I think some of my problem was attempting to have done it the day
before when visa seemed to have died (They couldn't access any cc
details when I rang up and at the local supermarket they were having
to manually put through CC stuff apparently)