Sunday, November 30, 2008

Verified by Visa: Everything We Tell Folks to Avoid

Phishing is defined by F-Secure as:
"Fraudulent e-mail or website claiming to be legitimate seeking indentifiable information. Phishing is an attempt to steal your personal data."
When I recently attempted an online purchase from WalMart using my VISA card, being a security wanta-be, I immediately thought phishing when redirected to and saw this dialog:

Seriously, these folks have to be kidding. You're asking for my personal data during a transaction and claim that's its a service " no additional cost." Wow! Thanks...but absolutely not, you jokers. As a malicious thief, I can go a long way with this data.

This is exactly the type of experience which aids malfeasance and the folks trying to steal personal data / identities. How long have we been working to educate folks to avoid providing this type of data under these type of circumstances? Years. And we're just now starting to turn the corner.

VISA, get rid of this! When folks submit to this lunacy (more often because they don't know any better), they only become softened against the threat of phishing. Personally, I'm refusing to submit to this and will leverage another card to complete my purchase.


mcollier said...

First, let me start by saying that I'm no fan of "Verified by Visa". I've had problems with them before, and likely will never use the "service" again.

But, I kind of disagree with the claim that the page could be viewed as somewhat like a phishing attempt. First, the page is not asking for your full SSN or full card number. Without those things, I think (but I'm certainly not a security expert) it would be pretty darn difficult to do anything harmful. If the site asked for that data, then yes, I too would be very skeptical. There are other phishing things to be aware of for a site other than the data it is asking for - for instance, what is the domain (URL)? Are they asking for my full card info (instead of last 4 digits)?

Jeff Hunsaker said...

Care to share the last 4 of your SSN? ;-)

First, it's an out-of-band experience. Who's to say is legit? I was dealing with This event alone should throw off the red sirens.

Secondly, even if we concede this process is beneficial, why SSN? SSN shouldn't be used as an identifier or verifier. It's too accessible and too potentially damaging. Why can't I provide a VISA username and password?

Next, let's assume for a moment the site has been compromised. They've set it to prompt for my SSN and Visa code. So, the malicious person now knows my credit card number, my name, my address, my phone number, and now they'll know the credit card code and the first 4 of my SSN. That's a significant amount of information with which to compromise one's finances.

Finally, my primary point though is this process/"service" runs counter to anti-phishing education relayed over the past 5 years. Make sure your transaction stays on the same URL is perhaps #2 behind ensuring an SSL connection. We're taking a step backward in securing and educating folks (for example) like my parents.

Oh, and did I mention there's no limit to the number of attempts at entering the correct SSN? VbV on wikipedia. Boo.

Rich said...

Just ran across this on Newegg. I am fairly sure it's "legit" but I won't be entering any part of my SSN on principle. I have (touch wood) avoided being scammed online and I intend things to continue that way.