Verified by Visa: British banks phish their own customers

Security expert Ben Laurie has a scorching indictment of the "Verified by Visa" program used by British banks. This system is basically the perfect system for phishers and identity thieves, and conditions honest people to behave in foolish ways that leave them vulnerable to having their life's savings taken from them.
"Frame inline displays the VbV authentication page in the merchant’s main window with the merchant’s header. Therefore, VbV is seen as a natural part of the purchase process. It is recommended that the top frame include the merchant’s standard branding in a short and concise manner and keep the cardholder within the same look and feel of the checkout process."

Or, in other words: Please ensure that there is absolutely no way for your customer to know whether we are showing the form or you are. In fact, please train your customer to give their “Verified by Visa” password to anyone who asks for it.

Craziness. But it gets better - obviously not everyone is pre-enrolled in this stupid scheme, so they also allow for enrolment using the same inline scheme. Now the phishers have the opportunity to also get information that will allow them to identify themselves to the bank as you. Yes, Visa have provided a very nicely tailored and packaged identity theft scheme. But, best of all, rather like Chip and PIN, they push all blame for their failures on to the customer.

More Banking Stupidity: Phished by Visa


  1. Many Canadian banks have subsidiaries which are insurance companies. My bank’s insurance company has called me at home many times (they get the calling list from my bank…sigh), asking for financial information (yearly income, value of assets at home, etc).

    I can’t tell you how many times I’ve said “I do not give out any financial information in a phone call that I did not initiate”, only to have them follow that up with “Ok, so, what’s your yearly income?” Rinse, repeat…

    I’ve told them, over and over: “You’re training your customers to exhibit bad, no DANGEROUS behaviour”. (In case I have to draw a diagram: Add some questions about number of occupants, ages, work schedules. You already have the phone number, you can get the address. With the address and a rough approximation of the value of assets in a house and the occupants’ schedules, you can ‘case joints’ remotely.)

    Same as with Ben Laurie’s example above…

    (My guess is that Visa has employed the same ‘experts’ that sooo many companies have used who have told them: “No, you don’t need to encrypt all of our customers’ personal data that’s on the company laptops… They’re protected by the Windows password..”)

  2. It’s worse than that.

    I don’t even bother remembering my VbV password, since it takes only a few seconds to click the ‘forgot password’ option, and enter my date of birth/standard security question, and reset the password – faster than setting a secure password.

    So, you’re also handing over info that could be used to commit fraud on a massive scale on any individual.

    It has to be the most asinine bit of security on the web.

  3. My bank (HSBC) in Britain has called me several times and asked me for my date of birth, second and third digit from my ‘security number’ etc.

    When I explain to them that I might also need to verify who they are, and insist on calling them back, I get redirected to another department which doesn’t know why they called me, and usually tries to sell me a more expensive account or offer me credit insurance.

    The last time this happened, my debit card was cut off because, ironically, the call was in fact about suspected fraud on the account.

    HSBC has a lot of customers in the UK. I’d guess that a con artist would only have to call about 60 households at maximum before he got someone willing to do exactly what the bank itself asked them to do quite recently.

  4. I’m with Lloyds TSB. Was buying something online the other day and didn’t know what to think when I was confronted with this very thing. I spent about 30 minutes looking all over the internet to make sure I wasn’t being scammed. It turned out to be legit, but did make me think about the millions of gullible britons who will type their details into any form unless explicitly and repeatedly told not to do so by their bank.

  5. I work for a large online business based here in the UK (which has an even bigger operation in the US). Last year, we were made to implement Verified by Visa and Mastercard SecureCode for our customers on our UK point of sale.

    We looked at Visa’s UI guidelines (such as they are) and were appalled. We swiftly concluded that despite some favourable terms for us in the case of fraud perpetrated despite of the use of VbV, this idiotic process was going to lose us orders – and lose us serious money.

    We have so far managed to postpone the introduction of VbV pending being forced at gunpoint by the card operators to do so. If we net out lower because of this crap, we will be seeking compensation.

  6. I wondered about this system too, having booked two aspects of a trip to London/Paris on a US Visa card, being faced by this intermediate screen both times, and then being called on the day I was leaving the US to be told that the credit card was now cancelled due to fraudulent activity. It was either the Eurostar or a hotel, but I suspect the hotel. I wasn’t planning to use that card while on vacation (and I haven’t even bothered to use the replacement they sent me when I got back to the US) but it could have been a lot worse if the autosystems hadn’t been tripped and I was actually in the UK when they realised.

    Mastercard also have a system exactly like this too which has popped up on occasion…which in the past has made me end the transaction. Not worth the trouble for fake security.

  7. Most Finnish banks have a nice web service for paying bills etc.

    The problem with this is that the banks have become de facto identity verifiers in all web services. The system does redirect you to another (mostly empty) site where you give up your banking username and password, but a lot of good that does. Who’s going to notice if the URL is a bit odd, and the page’s look is trivial to mimic?

  8. My US based Chase card has this VbV program. I just had to use it for purchasing airline tickets from Northwest and Air Canada.

  9. I’ve set up internet merchant accounts and payment systems for employers several times, and it’s all very scary.

    There is a layer of shady companies set up to act as proxies for the CC companies. Merchants deal with them instead of with anything real. I always suspected they were liability sponges to protect banks from any responsibility for the systems’ inherently dismal security.

    Then there is/was a layer of resellers, which further insulate stuff up the chain.

  10. I have worked for one of the largest credit card companies in the world in the ‘exceptions’ department, and let me tell you that there is no other single method of payment more open to fraud than the credit card.
    All you need is name, number and expiry date. This will suffice to make transactions.
    And if you are actually in possession of the card itself, and you know what you’re doing, you can go on making transactions which will be detected, and marked as fraudulent, but will be written off as risk expenditure on the account of the credit card company until the card expires.

    Of course, I am not at liberty to say how.

  11. I used to use to buy computer hardware.

    They introduced “Verified by Visa”. Within days of the next time I bought something on Dabs, my card was defrauded.

    I’m not saying for sure that this had anything to do with VbV, or Dabs (who have been really great in the past), but it struck me as weird.

    A relative then ordered a computer from Dabs with a brand new card. To my knowledge, it was the first transaction made with that card. Within days, it too was defrauded.

    I went to the VbV website to find out more, and there, held high as an example of why the scheme works so well, was Dabs.

    Again, I’m not saying either VbV or Dabs had anything to do with it, but it certainly rattled me (and now I use neither).

  12. The fact that identity theft is still a viable criminal activity is something that continues to get me angry.

  13. Usually when this comes up during a purchase it is optional and I have always bypassed it. The last time there did not seem to be the option and I cannot recall exactly but managed to get past it again; it may even have been the Dabs site, so read the screen carefully and look for any option to ignore.

  14. At least in Switzerland, the VbV scheme is not using iframes but redirecting properly to the issuers page and redirecting back to the merchant after the verification has been done. It still sucks though.

  15. I’d prefer a scheme where I paid the merchant, rather than the merchant debiting my account. Have the merchant give me a merchant account ID number and a transaction/invoice number. I go to my bank’s Web site through my own bookmark for them, enter the merchant account ID, transaction number and amount, and my bank transfers the money from my account to the merchant’s. It should be simple, banks already have the funds transfer network in place, all they need is to allow customers to initiate transfers from their own accounts.

    It’s not perfect, it’s still vulnerable to someone cracking my bank site password. But it’s less vulnerable to phishing and fraud, because one never has to provide any of your own information to the merchant.

  16. The Nat West Mastercard version has a “No Thanks” button that I habitually click and it has never once caused me a problem. The first time I saw it a long, long time ago I did “sign up” and had problem remembering the password (well it MUST have been me who was wrong, right?) and it messed up a couple of transactions so (I forget how) I eventually opted out and have totally ignored it ever since. Glad to hear now that this was a more sensible course of action.

    Banks are utter pants!

  17. Hmmm – My UK bank account is with NatWest, who are part of RBS. They use their own, similar system called WorldPay. However, the WorldPay authentication screen is always SSL-authenticated, and they never ask for the entire password, only for three randomly-selected characters from it, so even if a phisher managed to completely replicate their screen, they wouldn’t be able to get enough information to fraudulently use the card.

    It makes for an interesting contrast.

  18. I have in recent weeks seen this Verified by Visa thing twice when purchasing online.

    Both times I was startled and left wondering ‘what the hell?’ and closed the frame without providing any data.

    The transactions completed just fine.

    I was startled that something announcing itself as my bank was asking through some merchant’s site for privileged information that should only be communicated between myself and my bank.

    I had never HEARD of this Verified by Visa thing before and would never contemplate for a moment in the process of buying something giving out more than the absolutely minimally relevant data.

    Visa is being very foolish. This has tremendous potential to bite them.

  19. Curiously, the Norwegian implementation of VbV requires an RSA token in addition to a password. It’s not entirely perfect – if someone picks up your current key and password, they have 60 seconds to spend as much as possible with it. I’d say it’s a step up, though.

  20. simple answer… boycott those cards… switch accounts to ones that don’t use them… and make sure your friends know about this problem… spread the word… use the internet to get the message out…

    they’ll only fix the issue when things affect their bottom line negatively

    they only care about profit… and how much it could cost if they got sued… it’s why manufacturers don’t recall things unless the cost of being sued exceeds the cost of recall…

  21. This all depends on the implementation. First, it’s always been obvious to me that VbV is a measure performed by the bank.

    Second, it’s disingenuous to say that there’s no possible way for you to authenticate the form. My bank uses VbV, and they authenticate themselves to me by showing a prearranged secret (for example, “Hi Matt! Spending money again? Tsk, go on then.”) on the VbV form so that I know that it’s not fake or phishing.

  22. I have a Mastercard, which has a very similar system (“3D-Securecode”). It makes a point of showing a secret phrase to me before I enter any information, to demonstrate that it is a genuine page from the credit card people. I believe that VbV does the same.

    It is a sensible way of doing things, but of course assumes that customers notice the importance of this secret. I’m sure that many don’t ever check it.

    The scheme as a whole makes sense, IMHO. Because the password for the scheme is never disclosed to a retailer, it means that the credit card company knows that an order does come from me, and not from a retailer who has decided to reuse my details. Admittedly, given the guarantees about refunds for fraudulent use, this is of rather more benefit to the credit card companies than it is to consumers…

  23. Let’s face it, the banks don’t give a hoot about fraud; if they did we would all have those RSA token things for every account.

    It’s crazy when my most secure account is my WoW one. No-one gets their hands on my gold!

  24. I work for an online merchant, and this stupid VbV thing causes more confusion with customers. The smarter ones wind up calling us, but all we can do is refer them to the contact info on the page. Definitely training internet shoppers to be less critical.

  25. @25:
    The “secure message” seems like a good idea – you provide card details, then the bank “authenticates” itself to you by showing your secret message, and finally you authenticate with them by entering your VbV password. However, I can’t see any way for this to avoid a man-in-the-middle attack. You enter your card details to buy from EvilCo’s web shop. Behind the scenes, they feed these to NiceGuy’s web shop, get back the VbV secret message and show that to you. Everything looks legitimate so you enter your VbV password and then they have everything they need to impersonate you.

  26. I’m with Lloyds and even using my debit card is causing this problem. The VbV pop-up window looks unprofessional and I was very concerned and unwilling to enter my information.

    Previously, I could click ‘enrol later’; however, last night, whilst trying to use my Virgin Mastercard to book train tickets, it came up with the usual 3D Secure screen and ‘activate now’. There was no option to enrol later.

    I travel a lot and use my Mastercard as an expenses card, so I was unwilling to use my personal debit card on such a large purchase.

    I wasn’t happy about this but was in a rush; did a Google to check it was valid (as much as you can, I guess) and entered my information. It asked for d.o.b., last three numbers on the card and the name on the card.

    Apparently I entered these wrong (I hadn’t), so it cancelled my card payment. I tried again and was told my card had not been verified, I was not allowed to use this card for the transaction and FURTHERMORE my card had been suspended for fraudulent activity.

    I called Virgin and discovered my d.o.b. is incorrect on the computer system. So because of their system my card had been suspended by an internet ‘security’ add-on that I did not want.

    I can’t opt out either so I’m waiting for the card to be unblocked whilst my cheap Eurostar tickets become unavailable :(

    This system needs to leave or be opt-in.

  27. Mastercard SecureCode looks so dodgy, I hate using it. I also refuse to remember the password, setting up a new one each time. I do this so that they might one day realise how dumb the system is.

  28. VbV is corporate phishing and must be stopped.

    I never ever use that, and when a vendor pops that crap up during a purchase, I immediately feel “phished”.

    Visa, get a clue: this is your own business you are wrecking.

  29. A slight aside – does anyone here have evidence that getting you to enter some random characters from your password is actually more secure than entering the entire password? Sure, any potential fraudster won’t get your entire password without making a large number of attempts, but doesn’t it lower the bar for any individual hacking attempt when you only have to crack what amounts to a 3-character password? Assuming case-insensitive alphanumeric (at least one of my online banks won’t allow you to put symbols in your password), that’s not a large solution space. It’s always seemed odd, and this latest idiocy doesn’t cast it in any more of a positive light…

  30. a security question for creative lazy web speculation: a la recent Chinese Ghost Web revelations over taking over microphone inputs via trojans for spying; can touch sensitive display screens work by picking up air vibration in a room (like the old window/laser spy gimmick)? Anyone know? Can your own monitor be a spy microphone?

  31. #34

    My bank uses a 6 digit pass number for telephone banking and asks you for 3 digits. This is indeed crap security, the idea presumably being that on each try the potential fraudster is reduced to square one, in that any given previous failed guess can’t be written off as wrong, even if it’s 3 identical digits.

    On more than one occasion I have got one number wrong, and the well meaning call centre person has told me which one it was…


    Superb idea. Invoked the image of Gene Hackman playing the saxophone in his comprehensively ransacked apartment at the end of The Conversation.
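The guess-space question raised in the two comments above (3 characters asked from a case-insensitive alphanumeric password; 3 digits asked from a 6-digit telephone-banking number), worked through as an added example that is not part of the original thread. It assumes the bank draws the asked positions uniformly at random and afresh for every prompt; the functions give the per-attempt blind-guess probability that the comment worries about, and the number of observed prompts it takes before an eavesdropper holds the whole password anyway.

```python
"""Risk arithmetic for partial-password prompts ("enter characters 2, 5 and
7 of your password"), as discussed in the comments above.

Assumption (not stated by any bank in the thread): each prompt picks its
k positions uniformly at random, and a fresh set is drawn for every prompt.
"""
from fractions import Fraction
from math import comb


def blind_guess_success(alphabet_size: int, positions_asked: int) -> Fraction:
    """Probability that one random guess passes one prompt.

    Only the asked positions are checked, so the space is alphabet**k rather
    than alphabet**n: 3 of 6 digits is a 1-in-1000 guess; 3 case-insensitive
    alphanumerics is 1 in 36**3 = 46656."""
    return Fraction(1, alphabet_size ** positions_asked)


def lockout_exposure(alphabet_size: int, positions_asked: int,
                     attempts_allowed: int) -> Fraction:
    """Probability that a blind attacker passes at least once before a
    lockout policy stops them. Positions are redrawn each time, so attempts
    are independent and the complement rule applies."""
    p = blind_guess_success(alphabet_size, positions_asked)
    return 1 - (1 - p) ** attempts_allowed


def expected_positions_learned(length: int, positions_asked: int,
                               prompts_seen: int) -> Fraction:
    """Expected number of distinct positions an observer (a phishing form, a
    call-centre agent who reads back the wrong digit) knows after seeing
    `prompts_seen` answered prompts. A fixed position is missed by one
    prompt with probability C(n-1,k)/C(n,k) = (n-k)/n."""
    miss = Fraction(length - positions_asked, length)
    return length * (1 - miss ** prompts_seen)


def prob_fully_learned(length: int, positions_asked: int,
                       prompts_seen: int) -> Fraction:
    """Exact probability that every position has been revealed after
    `prompts_seen` prompts, by inclusion-exclusion over sets of positions
    that no prompt ever asked for. Once this is high, the partial scheme
    has handed the observer the whole password anyway."""
    n, k, m = length, positions_asked, prompts_seen
    if m == 0:
        return Fraction(0)  # nothing observed, nothing learned
    total = Fraction(0)
    for j in range(0, n - k + 1):
        # j specific positions avoided by all m prompts
        per_prompt = Fraction(comb(n - j, k), comb(n, k))
        total += (-1) ** j * comb(n, j) * per_prompt ** m
    return total


if __name__ == "__main__":
    # The two schemes named in the thread: 6-digit phone-banking number with
    # 3 digits asked; 8-char case-insensitive alphanumeric, 3 chars asked.
    for name, n, a in (("6-digit number", 6, 10), ("8-char alnum", 8, 36)):
        print(f"{name}: one blind guess passes with p = "
              f"{float(blind_guess_success(a, 3)):.2e}; within 3 tries: "
              f"{float(lockout_exposure(a, 3, 3)):.2e}")
        for m in (1, 2, 4, 8):
            print(f"  after {m} observed prompt(s): "
                  f"{float(expected_positions_learned(n, 3, m)):.2f}/{n} "
                  f"positions known, P(all) = "
                  f"{float(prob_fully_learned(n, 3, m)):.3f}")
```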

  32. Yes, why is this supposed to be less secure than handing out your name, billing address, credit card number, expiry date, and CSV code direct to the online merchant in the first place?

  33. @29: Man in the middle might work if you’re phishing one or two people, but if you do it large-scale, then it’s obvious to VbV/3DS that one IP is requesting hundreds of different forms a day, and that account gets closed. Each new account will need to be linked to a real bank account (and not just any old bank account, a merchant one), so it’s not really practical to do that kind of attack.

    So.. you’re kinda right, but I don’t think it’s a big threat.

  34. I also hate this system, I bank with Alliance and Leicester and each time I use either my debit or credit card online it never remembers my password (I initially only used memorable passwords but as you can’t use the same password twice I make up something different each time, and yes the irony that they can remember previous passwords for that isn’t lost on me!) so I end up having to enter a new one each time showing how easy it is for anyone to do this. Recently it has also been rejecting the card details I enter … as they are right in front of me I know I’m entering them correctly. I find this system so frustrating that I’m actually considering moving bank accounts.
    Calling customer services annoys me even more as they imply that it is me getting it wrong! When did the customer stop being right? I’m really not that stupid that I can’t enter card details that are right in front of me accurately.
    Incidentally a few times after using VbV I will receive a spam email asking me to verify my account details by following a link, it is blatantly a phishing scam so I ignore but it really concerns me the timing of these emails comes within half an hour of using VbV …

  35. I had three fraudulent transactions online by someone who registered my HSBC card for VbV themselves. Though the bank knows it is fraudulent and blocked my card as there was a series of transactions, they are holding me responsible only because it went through VbV.
    In fact, VbV is the most insecure as you can re-register for VbV if you know details like name, card number, date of birth and CVV, which can easily be obtained either from a lost card or noted by someone when you hand over the card at a gas station. Date of birth is plenty online.
    I’m not getting a chance to inform Visa of this though it is a serious problem, hence decided to leave Visa.

  36. Just experienced this for the first time. When using a Deutsche Bank Visa card at 2Checkout, I unexpectedly got a badly-designed form after clicking-off on a payment. The form had some text detailing the apparent benefits of this system and below this asked for my DOB and bank account number, without explicitly stating that this was an enrolment form. Was in German, although I was checking out in English. No opt-out or enrol-later or anything. The URL wasn’t 2Checkout’s, Visa’s, Deutsche Bank’s, or that of the company I was paying money to (a small webhost, which should know better). Clicked it away then had no idea if the payment had gone through (it hadn’t).

    Went to enrol in the program via the Visa site and was presented with the same form at the same unfamiliar URL, which I then Googled because I was still unsure.
