Comments:
Excellent, must modify my keyboard-snooping trojan to particularly record that data and send it back to me, then...
The 'not optional' is a new one on me. But Verified By Visa is run by Visa, not the banks. I believe different banks have the option of participating or not, but Visa is really pushing it on the industry.
MasterCard has a similar program called 'SecureCode' which works in pretty much the same way.
From: jered Tue, 2-May-2006 1:02 AM (UTC)
I've never encountered this with American Express. (Blue, in this case.) That doesn't help with Visa/MC-only joints, though.
I recently had to book a flight on the phone - and incur a $10 charge - because I couldn't defeat the verified by visa step on the northwest airlines site. None of my passwords worked, and the "remind me" function was broken - it just displayed a box with no form fields in it.
I have nothing useful to add, but I share in your hate of this useless "feature".
From: obnox Tue, 2-May-2006 1:25 AM (UTC)
I work for an online retailer.... here's the low down.
Verified by Visa is implemented by the banks... some require that you sign up for it, some don't even offer it. So you can change banks, but Visa is pushing it as an industry standard so you will keep changing banks forever.
Mastercard has the same sort of thing called secure code. I have never heard of a problem with that. Not one. So it's either been implemented really well or not at all.
There's also a trick that seems to work for some merchants... hit the Cancel button on the VbV screen. It seems to work great.
You're going to have to find a bank that doesn't support Verified by Visa to avoid it, and nearly all do since it reduces their liability. AFAIK, you can't opt-out of it if your bank supports it, but merchants won't (currently) refuse a transaction if your bank says it's not supported.
All of the enrolling and verification should take place on your bank's servers. If not, it's possible that it's a phishing scam (or, as I found out, a third-party company that your bank contracts with).
From: owen Tue, 2-May-2006 2:07 AM (UTC)
Bank of America gave me the option to turn it on, and I did. It hasn't come up often enough to annoy me, but if it did I would PRESUME that there's a way to turn it off through them.
Are you seriously whining about this? I mean *come on*.
From: krick Tue, 2-May-2006 2:55 AM (UTC)
The first time I saw this shit was about 2 weeks ago on TigerDirect.com, I think. I'm pretty sure it's mandatory and there's nothing you can do about it except completely avoiding purchases on the interwebs.
It reminds me of the child safety caps on aspirin. "For your protection" means "impossible to actually use".
Bizarrely enough, the only place I've encountered "Verified by Visa" is AllofMP3.com. Great, I'm glad they're making sure no-one but the Russian mob can charge my card.
From: mouseworks Tue, 2-May-2006 3:24 AM (UTC)
The really fun part is when VISA sends the card number in as VISA
...and some Mastercard companies turn it down. I'd already certified with Mastercard and my bank so I was switched to that first, gave them the info, and then was switched back to the Ritz Camera site which didn't have any way to put in which card you were using. The site mentions CyberSource Internet Fraud Screen enhanced by Visa, which may be a variant of what you had to deal with.
I encountered this particular e-commerce-lectric-fence while trying to perform an emergency domain renewal with a shared spousal credit card. Since it's in my wife's name, I had to pretend to be her through this dizzying array of password idiocy. Of course, the whole time I thought it was some sort of cross-site scripting fraud (it didn't help that my registrar all but dumped me into the site of its merchant bank without so much as an enclosing frame to provide context). It wasn't until I punched in a number and got back our personal information that I started to relax a little.
But I still couldn't convince the thing to play nice, and the card got a hold put on it. I switched cards and we spent time on the phone with the bank to get the hold taken off.
It probably doesn't help that the only time I buy anything from a Web site is to renew my domains.
I just saw this too for the first time last week, when renewing my domain with GANDI. I was mad at them, because I assumed it was something they were requiring. The lack of explanation on the page was frustrating -- I bailed on the transaction twice before finally giving up and going through with it. Mandatory things that are worded as if they are optional, sans a NO button, are both bizarre and annoying. So the consensus is that this is actually a result of the particular credit card, and not the online vendor?
This is actually a good idea. I've always been offended that all you need to charge something to a credit card is the credit card number, which is the same number you give to merchants and flash around all over the place. The CCV isn't even worth mentioning as a fraud protection measure - it's just more numbers.
I've never dealt with that system, but it sounds like the merchant never sees the password (the authorization happens through Visa's site), which is a step in the right direction. I won't be satisfied until credit card transactions are based on strong cryptographic protocols, though. Mandatory ones.
Reducing fraud is in your best interest. It makes it less likely you'll have to contest unauthorized charges, and if the credit card issuer loses less revenue to fraud, their marketing department will have more cash to fund promotions (i.e. give you free money).
From: tfofurn Tue, 2-May-2006 4:19 AM (UTC)
I'm not a corporate shill, but I occasionally resemble one on LiveJournal
All of my online purchases for the past few years have been through MBNA's ShopSafe trick . . . they allow cardholders to generate a new CC number for every purchase. Once the card is charged, it's locked to the charging vendor, reducing the reusability of a stolen number.* User specifies the spending limit on the card at creation time, with an option to raise it later. Assuming Flash is installed, I haven't yet encountered an OS on which it doesn't work, and I've tried OS9, OSX, Windows and Linux. I don't think I've seen a Verified by Visa thing yet.
* This breaks when trying to book airfare—the airline and the travel company count as different vendors.
As has been noted by others, using something other than Visa is the only way to avoid VbV. And I don't think it matters whether your issuing bank is part of the scheme or not - that comes down to the merchant.
I'm told that the way this is being foisted on the merchants is through a revised internet merchant agreement which holds the merchant liable for losses from any fraudulent transactions which weren't "Verified by Visa".
So the merchants are big on it to avoid getting assraped. Visa is big on it since they look proactive about internet fraud, while neatly overlooking the fact that CVV/CV2 was meant to serve the exact same purpose, and VbV does nothing to reduce fraud through other Cardholder Not Present transactions (eg, mail/phone ordering). The banks are big on it so they can claim they're doing something while trying to avoid being caught in the middle of the Shafting Zone.
From: cpeterso Tue, 2-May-2006 6:32 AM (UTC)
password generator bookmarklet to the rescue
Using the same password at every website you visit is a security risk; this bookmarklet lets you use one “master” password to create unique, complex passwords for each website you visit. http://labs.zarate.org/passwd/
From: dasht_brk Tue, 2-May-2006 8:29 AM (UTC)
dialectic
Underlying intrinsic/internal contradictions in a social arrangement must, of necessity, bubble to the surface, expose themselves, and invoke a revo^H^H^H^H resolution.
In other words: Duh, what'd you expect? That whole system to actually work?
-t
I don't know how required it is. I have a Visa Check Card, and I remember seeing Verified by Visa... once, while I was going through a transaction. I declined signing up for it, and now I never see it. In fact, I can't figure out how to get back to the controls for it so I can activate it! I was in a rush so I didn't have time to read about it then. Anyway, maybe there's a way on the VbV page to opt out?
--Quentin
My MasterCard has had this "feature" since December 2004. Five years ago my company made it policy for all company passwords to be stored in a Palm-compatible device, using GNU Keyring for Palm OS. They subsidized a crappy little Visor that I still use to this day pretty much just for that. I've got 230 passwords in it, all generated strongly randomly. I sync a backup to my Mac but I don't ever type the master password on the Mac so an attacker that gets the backup has to brute-force it. The remaining dangers are a virus on the Palm, or shoulder-surfing my Graffiti master password and then stealing it from me, neither of which seems very likely. I don't have any throwaway passwords anymore. Anyone who gets one of my passwords gets its authorization and no others. It's still annoying to have to dig the MasterCard super-duper password out of the Palm whenever a vendor asks for it -- and yes it is clearly designed to protect the corporation and not me and that really sucks -- but at least it takes less than 20 minutes.
FWIW, VbV was (and should still be) opt-in for MBNA cards. I never bothered to set up a password, so when Newegg mentions VbV, I just ignore it. Never had a problem.
When you said you "called Visa" I'm gonna assume you called the bank who owns the card (MBNA, or Chase, or whoever), because that's who you really should contact. I just looked at the help files for my bank, and while they tell you how to enroll, they don't tell you how to cancel it. :(
I did like this part of the FAQ, tho:
Why should I use Verified by Visa/MasterCard SecureCode?
Each time you use Verified by Visa/MasterCard SecureCode to confirm your identity, you're helping us protect your account against unauthorized online charges. While other programs protect you against fraudulent charges that appear on your statement, this service can actually prevent fraud before it happens.
What other protections do I have when I shop online?
You are still afforded the same Customer protection available to you when you shop in person, including Visa/MasterCard Zero Liability.
So not only is it useless to us, we're helping the credit card companies in their difficult job of taking our money. Oy.
I haven't run into this one yet, but if I do, I'll probably just write the password on the back of the card with a sharpie. I'd do the post-it note on the monitor, but since I switched to an LCD, there's not a lot of space.
![[User Picture]](http://p-userpic.livejournal.com/71104911/74915) | From: lroberson Tue, 2-May-2006 5:50 PM (UTC)
Doesn't work -- waste of time
Newegg.com is one of these merchants.
I use one of my debit cards to make charges online. VbV was implemented by Newegg a couple of years ago. I was recently prowling for a hard-to-find way-overpriced high-end video card and I spotted it one day on Newegg. Of course, I rushed to order it, as they sell out of stock very quickly and I had been waiting for a few weeks.
I fat-fingered my password on the VbV login page a few times, guessed a few more of my common passwords, and was finally locked out. That was a problem. I was deathly afraid that my order would be voided because it couldn't be charged. A few seconds later the site forwarded me back to the merchant's site, and I had the "Order Completed" page. I phoned the support number and the fool on the phone guided me through password reset. I asked him what would happen to the order, and he said the charge would be rejected. I logged into my online banking site and found that the $1600 charge (I was putting together a new rig) had reached the bank. As I was on the phone with the guy, the vendor emailed me a few times through the various steps of confirmation, including notification that my card was successfully charged. I worried, but went to bed.
The next morning the bank had posted the transaction, debited the money, and the vendor had begun to pack my order.
Way to go! Glad I wasted my time with that colossal piece of shit. It DIDN'T WORK AT ALL.
Granted, it could've been a weak implementation on the part of the vendor. Perhaps VbV doesn't actually block the transaction, perhaps it merely politely tells the vendor "this checked out okay." and Newegg thought it had that message. One thing is for sure. It didn't fucking protect me one bit.