Verified by Visa is training people to get phished. Searching for “Verified by Visa” on Twitter produces an endless stream of complaints. I don’t think I’ve ever heard anyone say anything good about it—and it certainly doesn’t make anything more secure. Presumably there’s some kind of legal liability benefit to it, though I imagine it benefits the card issuers rather than the consumer.
I assume it's similar to the legal liability benefit (to the card issuer and retailer) that Chip & PIN has over signatures in the real world.
If someone steals my credit card and forges my signature to make a transaction, it's the retailer's fault for not checking my signature as carefully as they're supposed to. But if someone steals my card and finds out my PIN somehow, then it's my fault for failing to keep my PIN secure.
AFAIK there is no legal liability issue (at least in the UK); many merchants were forced into the scheme, but not all of them.
It's just a commercial move: VISA wanted visibility in the space and increased control over the transaction process.
Giacomo - 11th November 2009 12:12
In the UK, using 3DSecure systems shifts the liability from the vendor to the card issuer, so it's of massive benefit to vendors to use it. In some cases it means you incur smaller charges on transactions as well.
That being said, it is bollocks for so many reasons, and I'm not sure what makes the card issuers think that it makes things secure enough to take on legal liability.
AFAIK, when you sign up for Verified by Visa, the terms and conditions you agree to basically shift a bunch of the liability to you, i.e., if a fraudulent transaction includes a VBV check it is 'more your fault'. I can't remember exactly how far the responsibility moves, but as I understand it, it is a way of them taking less risk.
As for the phishing, my VBV has a personalised greeting (that I chose) so I know it has come from them - but I completely agree it still looks dodgy as hell, and I hate it because it's another barrier to purchasing and I can never remember the super strong password I set up on it.
Alistair Hann - 11th November 2009 15:53
I am using Barclaycard for my business and, basically, you have no option but to enable it for your payment page (if you let them process the input of the card information). In theory it effectively shifts the liability from the merchant to the card owner when it is used, but as a card owner you can always skip the step.
In fact, this month all my customers skipped the step... and you are back to square one, with the liability on your shoulders.
All in all, from my point of view (the merchant) I see no benefits and only possible drawbacks.
See page 13 of this Barclays reference documentation for the details of the liability shift.
Yeah, I called my bank and complained repeatedly, and refused to sign in with that horrible UI. They kept promising to do something but then pleading ignorance, and I'm ashamed to admit I gave in and used it a couple of times. I refuse to use it on any site which I don't use frequently, though -- no way I would use it on some random e-commerce site.
Joshua Allen - 12th November 2009 16:16
I blogged about something similar, a while back: http://seancoates.com/a-weak-web-of-trust
(I talk about Verified by Visa near the end)
This is a real problem, and VbV needs to go away.
S
MasterCard/Maestro's SecureCode is as bad, if not worse. It redirects to "securecode.com", which sounds more like a phishing site to me than anything else; obviously they chose the URI on the basis of "gives stupid people the warm and fuzzies" rather than "contains information".
Further, the first time I encountered it was actually on a retailer site: no prior notice, they just demanded I sign up to complete my transaction. Unfortunately, the application process took so long that it timed out, I was left with a semi-functional signup, and then the application went down.
I had to spend 20 minutes in a call centre queue to get through to "support", which reset the super-secret password without really asking any questions (security!), by which time the airline tickets I was buying had gone up sharply. The whole sorry affair cost me £150 or thereabouts.
Since then, I've noticed another thing: it's used so rarely that you don't get the opportunity to know the password instinctively, so there are lots of resets (or else you write down the password like a numpty).
If possible, I will avoid using retailers who impose this security-fart-fucking-a-usability-nightmare-in-an-iframe on me.