Skip to main content

Verified by Visa: Everything We Tell Folks to Avoid

Phishing is defined by F-Secure as:
"Fraudulent e-mail or website claiming to be legitimate seeking indentifiable information. Phishing is an attempt to steal your personal data."
When I recently attempted an online purchase from WalMart using my VISA card, being a security wanta-be, I immediately thought phishing when redirected to and saw this dialog:

Seriously, these folks have to be kidding. You're asking for my personal data during a transaction and claim that's its a service " no additional cost." Wow! Thanks...but absolutely not, you jokers. As a malicious thief, I can go a long way with this data.

This is exactly the type of experience which aids malfeasance and the folks trying to steal personal data / identities. How long have we been working to educate folks to avoid providing this type of data under these type of circumstances? Years. And we're just now starting to turn the corner.

VISA, get rid of this! When folks submit to this lunacy (more often because they don't know any better), they only become softened against the threat of phishing. Personally, I'm refusing to submit to this and will leverage another card to complete my purchase.


Unknown said…
First, let me start by saying that I'm no fan of "Verified by Visa". I've had problems with them before, and likely will never use the "service" again.

But, I kind of disagree with the claim that the page could be viewed as somewhat like a phishing attempt. First, the page is not asking for your full SSN or full card number. Without those things, I think (but I'm certainly not a security expert) it would be pretty darn difficult to do anything harmful. If the site asked for that data, then yes, I too would be very skeptical. There are other phishing things to be aware of for a site other than the data it is asking for - for instance, what is the domain (URL)? Are they asking for my full card info (instead of last 4 digits)?
Jeff Hunsaker said…
Care to share the last 4 of your SSN? ;-)

First, it's an out-of-band experience. Who's to say is legit? I was dealing with This event alone should throw off the red sirens.

Secondly, even if we concede this process is beneficial, why SSN? SSN shouldn't be used as an identifier or verifier. It's too accessible and too potentially damaging. Why can't I provide a VISA username and password?

Next, let's assume for a moment the site has been compromised. They've set it to prompt for my SSN and Visa code. So, the malicious person now knows my credit card number, my name, my address, my phone number, and now they'll know the credit card code and the first 4 of my SSN. That's a significant amount of information with which to compromise one's finances.

Finally, my primary point though is this process/"service" runs counter to anti-phishing education relayed over the past 5 years. Make sure your transaction stays on the same URL is perhaps #2 behind ensuring an SSL connection. We're taking a step backward in securing and educating folks (for example) like my parents.

Oh, and did I mention there's no limit to the number of attempts at entering the correct SSN? VbV on wikipedia. Boo.
Rich said…
Just ran across this on Newegg. I am fairly sure it's "legit" but I won't be entering any part of my SSN on principle. I have (touch wood) avoided being scammed online and I intend things to continue that way.

Popular posts from this blog

Get Your Team Foundation Server Hate On!

[Google ranking skyrockets... ;-)] I'm a big fan of TFS/VSTS. However, there are a good pocket of folks who take issue with the way TFS handles or implements a certain feature. Well this is your chance to vent! I'm planning a presentation around the "Top 10 TFS/VSTS Hates and How to Alleviate Them"...or something along those lines. But I need your help. Post a comment below detailing your dislike. If it's legitimate, I'll highlight it in the presentation and [hopefully] provide an alternative, resolution, or work-around. Thanks in advance! Update 7/19/2008: Version Control and Microsoft

Rollback a Ooops in TFS with TFPT Rollback

Rhut roe, Raggie. You just checked in a merge operation affecting 100's of files in TFS against the wrong branch. Ooops. Well, you can simply roll it back, right? Select the folder in Source Control Explorer and...hey, where's the Rollback? Rollback isn't supported in TFS natively. However, it is supported within the Power Tools leveraging the command-line TFPT.exe utility. It's fairly straightforward to revert back to a previous version--with one caveot. First, download and install the Team Foundation Power Tools 2008 on your workstation. Before proceeding, let's create a workspace dedicated to the rollback. To "true up" the workspace, the rollback operation will peform a Get Latest for every file in your current workspace. This can consume hours (and many GB) with a broad workspace mapping. To work around this, I create a temporary workspace targeted at just the area of source I need to roll back. So let's drill down on our scenario... I'm worki

Installing the .Net Framework 3.0 SP1 on Windows 2003 Server

I'm building an [automated] build server requiring the .Net 2.0 and 3.0 runtime. Unfortunately, at my client, they leverage a proxy server. The standard .Net 3.0 SP1 framework redist is really just a bootstrapper. Logged in as a local admin on the box, I didn't have the opportunity to authenticate the installation EXE with my domain credentials. So, the install kept timing out. Finally, I found this helpful post from Aaron Ruckman on how to download the very elusive, full framework package. It's here , BTW (x86). I finally get the full installation EXE downloaded to a fileshare, re-run the install and wham--" XPSEPSC: XPS must be installed..." Excuse you? This isn't an XPS's a VM. I found a few MSDN posts here and here outlining the problem. I'm still not clear on what XPSEPSC does (Google yielded little) but you can download it here (x86) . After installing XPSEPSC, the framework installed without issue. Update : Somewhat related, there i