Skip to main content

Verified by Visa: Everything We Tell Folks to Avoid

Phishing is defined by F-Secure as:
"Fraudulent e-mail or website claiming to be legitimate seeking indentifiable information. Phishing is an attempt to steal your personal data."
When I recently attempted an online purchase from WalMart using my VISA card, being a security wanta-be, I immediately thought phishing when redirected to verifiedbyvisa.com and saw this dialog:

Seriously, these folks have to be kidding. You're asking for my personal data during a transaction and claim that's its a service "...at no additional cost." Wow! Thanks...but absolutely not, you jokers. As a malicious thief, I can go a long way with this data.

This is exactly the type of experience which aids malfeasance and the folks trying to steal personal data / identities. How long have we been working to educate folks to avoid providing this type of data under these type of circumstances? Years. And we're just now starting to turn the corner.

VISA, get rid of this! When folks submit to this lunacy (more often because they don't know any better), they only become softened against the threat of phishing. Personally, I'm refusing to submit to this and will leverage another card to complete my purchase.

Comments

Unknown said…
First, let me start by saying that I'm no fan of "Verified by Visa". I've had problems with them before, and likely will never use the "service" again.

But, I kind of disagree with the claim that the page could be viewed as somewhat like a phishing attempt. First, the page is not asking for your full SSN or full card number. Without those things, I think (but I'm certainly not a security expert) it would be pretty darn difficult to do anything harmful. If the site asked for that data, then yes, I too would be very skeptical. There are other phishing things to be aware of for a site other than the data it is asking for - for instance, what is the domain (URL)? Are they asking for my full card info (instead of last 4 digits)?
Jeff Hunsaker said…
Care to share the last 4 of your SSN? ;-)

First, it's an out-of-band experience. Who's to say verifiedbyvisa.com is legit? I was dealing with Walmart.com. This event alone should throw off the red sirens.

Secondly, even if we concede this process is beneficial, why SSN? SSN shouldn't be used as an identifier or verifier. It's too accessible and too potentially damaging. Why can't I provide a VISA username and password?

Next, let's assume for a moment the Walmart.com site has been compromised. They've set it to prompt for my SSN and Visa code. So, the malicious person now knows my credit card number, my name, my address, my phone number, and now they'll know the credit card code and the first 4 of my SSN. That's a significant amount of information with which to compromise one's finances.

Finally, my primary point though is this process/"service" runs counter to anti-phishing education relayed over the past 5 years. Make sure your transaction stays on the same URL is perhaps #2 behind ensuring an SSL connection. We're taking a step backward in securing and educating folks (for example) like my parents.

Oh, and did I mention there's no limit to the number of attempts at entering the correct SSN? VbV on wikipedia. Boo.
Rich said…
Just ran across this on Newegg. I am fairly sure it's "legit" but I won't be entering any part of my SSN on principle. I have (touch wood) avoided being scammed online and I intend things to continue that way.

Popular posts from this blog

Get Your Team Foundation Server Hate On!

[Google ranking skyrockets... ;-)] I'm a big fan of TFS/VSTS. However, there are a good pocket of folks who take issue with the way TFS handles or implements a certain feature. Well this is your chance to vent! I'm planning a presentation around the "Top 10 TFS/VSTS Hates and How to Alleviate Them"...or something along those lines. But I need your help. Post a comment below detailing your dislike. If it's legitimate, I'll highlight it in the presentation and [hopefully] provide an alternative, resolution, or work-around. Thanks in advance! Update 7/19/2008: Version Control and Microsoft

Rollback a Ooops in TFS with TFPT Rollback

Rhut roe, Raggie. You just checked in a merge operation affecting 100's of files in TFS against the wrong branch. Ooops. Well, you can simply roll it back, right? Select the folder in Source Control Explorer and...hey, where's the Rollback? Rollback isn't supported in TFS natively. However, it is supported within the Power Tools leveraging the command-line TFPT.exe utility. It's fairly straightforward to revert back to a previous version--with one caveot. First, download and install the Team Foundation Power Tools 2008 on your workstation. Before proceeding, let's create a workspace dedicated to the rollback. To "true up" the workspace, the rollback operation will peform a Get Latest for every file in your current workspace. This can consume hours (and many GB) with a broad workspace mapping. To work around this, I create a temporary workspace targeted at just the area of source I need to roll back. So let's drill down on our scenario... I'm worki

Shrinking WSS (Sharepoint) SQL Server Log Files

Yesterday, while migrating a source repository from StarTeam to TFS, I received the following error: "TF30042: The database is full. Contact your Team Foundation Server administrator." Excuse you? Sure enough, my 100+ GB drive was full on the server. But I'd only migrated around 1000 items. Surely SQL wasn't consuming 100MB per file. Turns out (yes, there was a lot of crud on the drive but...) the majority of the space, almost 40GB was being consumed by the Windows Sharepoint Services WSS Content data and log SQL Server files. Huh? I still need to investigate and understand why this portal, which is 100% unused, grew so large. Regardless, here's what I did to resolve: Since this is not yet a production database, I flipped the SQL recovery option from Full to Simple for WSS Content and several other databases. Detail here and here . Executed the maintenance plan for all the databases to get backups and clear out some of these files. That didn't help much. T