Have you been Verified by Visa?
Credit card companies would like shoppers to feel more secure when using their credit cards online, but does the Verified by Visa programme achieve that, or does it create even more uncertainty? And is there a better solution?
Card fraud costs billions each year, a burden carried by the retailers, and since the introduction of Chip and Pin, the bulk of card fraud now occurs as "Customer Not Present" transactions, by mail order and over the internet. When you buy things online using your credit card, as well as entering the credit card number, you are asked for the three digit CVV code printed on the back of the card. This is intended to prove you really have the card in your hand but clearly if a fraudulent website can ask for your card details and misuse them it can just as easily ask for the CVV code off the back of the card. Asking for the CVV just doesn't add anything to the security. It's just window dressing.
So the brains at the credit card companies came up with a new plan. What if each card had a password set by the card holder themselves and used by them when buying online to prove they really are the card holder? The glaringly obvious problem here is that it's still no more secure than the CVV. If a site with criminal intentions can deceive you into typing in your CVV then it can just as easily deceive you into entering your personally chosen password, but that problem is quietly ignored by the card companies.
The way that the Verified by Visa is being presented to the public is also concerning. I first encountered it months ago when completing an online order. A pop-up Window offered me the chance to sign up to the scheme and enter a personal password along with my credit card details. I'd never heard of Verified by Visa, the pop-up had no address bar so no obvious way of knowing who I was talking to or whether it was secure, and it looked so much like a phishing scam that I closed the window and cancelled my order. It was only much later that I discovered this was the Verified by Visa programme and the retailer was, in fact, a bona-fide participating retailer.
I have since read that if you three times decline to sign up to the programme then some banks regard this as suspicious activity and freeze your credit card. Even more worrying, I have read numerous reports from people who had forgotten their password and discovered you can simply sign up again and choose a new password with the only security question being to ask for your date of birth. What obstacle is that to a determined thief?
The worst aspect of Verified by Visa is that it allows the banks to argue that you, the card holder, authorised the transaction, in just the same way that you authorise it with a signature or a PIN number. Visa says "Retailers who sign up to Verified by Visa are protected against liability if the cardholder denies making the purchase". Now since the banks are not going to foot the bill themselves for fraudulent transactions, it follows that they intend to use Verified by Visa as "proof" that you made the disputed purchase and avoid making a refund. As a credit card user, I find this very worrying indeed.
But is there a better way? One option is to have a device which generates a unique authorisation code every time it is used, like a six digit CVV that changes every time you use the card. Such devices already exist and are far more secure than Verified by Visa, although still not bullet-proof, and are slightly inconvenient because you need a code generator device to go with each credit card you use. Now, an Australian company, Emue Technologies, has built the generator right into the card itself, putting a touch-sensitive keypad and LCD display onto the back of the card and a computer and a battery inside it. Amazingly it is flexible and no thicker than a plain plastic card, but when you type in the PIN for that card, it displays a one-time code which you can use to "sign" your online transaction, (as illustrated in the video). Banks in Italy, Switzerland and Israel and most recently the MBNA bank in the UK are taking part in a limited trial of the technology.
Video: http://lab.emue.com/videos/scenario1_2.wmv
23rd November 2008
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content.