Skip to main content

Verified by Visa: Everything We Tell Folks to Avoid

Phishing is defined by F-Secure as:
"Fraudulent e-mail or website claiming to be legitimate seeking indentifiable information. Phishing is an attempt to steal your personal data."
When I recently attempted an online purchase from WalMart using my VISA card, being a security wanta-be, I immediately thought phishing when redirected to verifiedbyvisa.com and saw this dialog:

Seriously, these folks have to be kidding. You're asking for my personal data during a transaction and claim that's its a service "...at no additional cost." Wow! Thanks...but absolutely not, you jokers. As a malicious thief, I can go a long way with this data.

This is exactly the type of experience which aids malfeasance and the folks trying to steal personal data / identities. How long have we been working to educate folks to avoid providing this type of data under these type of circumstances? Years. And we're just now starting to turn the corner.

VISA, get rid of this! When folks submit to this lunacy (more often because they don't know any better), they only become softened against the threat of phishing. Personally, I'm refusing to submit to this and will leverage another card to complete my purchase.

Comments

mcollier said…
First, let me start by saying that I'm no fan of "Verified by Visa". I've had problems with them before, and likely will never use the "service" again.

But, I kind of disagree with the claim that the page could be viewed as somewhat like a phishing attempt. First, the page is not asking for your full SSN or full card number. Without those things, I think (but I'm certainly not a security expert) it would be pretty darn difficult to do anything harmful. If the site asked for that data, then yes, I too would be very skeptical. There are other phishing things to be aware of for a site other than the data it is asking for - for instance, what is the domain (URL)? Are they asking for my full card info (instead of last 4 digits)?
Jeff Hunsaker said…
Care to share the last 4 of your SSN? ;-)

First, it's an out-of-band experience. Who's to say verifiedbyvisa.com is legit? I was dealing with Walmart.com. This event alone should throw off the red sirens.

Secondly, even if we concede this process is beneficial, why SSN? SSN shouldn't be used as an identifier or verifier. It's too accessible and too potentially damaging. Why can't I provide a VISA username and password?

Next, let's assume for a moment the Walmart.com site has been compromised. They've set it to prompt for my SSN and Visa code. So, the malicious person now knows my credit card number, my name, my address, my phone number, and now they'll know the credit card code and the first 4 of my SSN. That's a significant amount of information with which to compromise one's finances.

Finally, my primary point though is this process/"service" runs counter to anti-phishing education relayed over the past 5 years. Make sure your transaction stays on the same URL is perhaps #2 behind ensuring an SSL connection. We're taking a step backward in securing and educating folks (for example) like my parents.

Oh, and did I mention there's no limit to the number of attempts at entering the correct SSN? VbV on wikipedia. Boo.
Rich said…
Just ran across this on Newegg. I am fairly sure it's "legit" but I won't be entering any part of my SSN on principle. I have (touch wood) avoided being scammed online and I intend things to continue that way.

Popular posts from this blog

TFS Error | The type initializer for 'Microsoft.TeamFoundation.Build.Server.BuildInformationNodeBinder' threw an exception.

Posting this one for the search engines. If you ever receive the exception "The type initializer for 'Microsoft.TeamFoundation.Build.Server.BuildInformationNodeBinder' threw an exception.", more than likely, your drive space is at 0 on your TFS application tier box.

I encountered this at a client recently. The root cause was that IIS logs had filled up the OS drive (C:\). I switched IIS logging to the applications drive (D:\) which cleaned up the OS drive and resolved the issue.

Detailed message:


TF53010: The following error has occurred in a Team Foundation component or extension:


Date (UTC): 6/7/2011 4:18:53 PM

Machine: TFSATBOX

Application Domain: /LM/W3SVC/8080/ROOT/tfs-1-129519118182628600

Assembly: Microsoft.TeamFoundation.Framework.Server, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727

Service Host: 7ecfbd77-b386-4d75-b038-b05474782696 (DefaultCollection)

Process Details:

Process Name: w3wp

Process Id: 3676

Thread Id: 5752

Ac…

Windows 10 Creator's Update and Office Conflicts

Recently, Microsoft pushed the "Creators Update" out to Windows 10. It was available in April but it seems to have been force-pushed in the past 2 days. On my mother-in-law's computer, Creator's caused Excel to render a "Bad Image" message when attempting to start declaring "MSVCP140.dll is either not designed to run on Windows or it contains an error". I attempted the SFC and DISM repairs as advised on Tom's site to no avail. When I attempted an Office repair, Office disappeared completely. At this point, I definitely started to panic.

Fortunately, I noticed a pending reboot due to an install/update. Allowing Windows to install that update and rebooting twice brought Excel and Office back to life. I did have to re-register the software but all is well now. If you encounter this issue, stop what you're doing and install/restart Windows. Anecdotally, I've since hear of many folks encountering similar issues.