Karen ([personal profile] karen2205) wrote 2008-12-05 11:40 am

Groan

What's the current geek take on Verified by Visa and Mastercard secure code?

I've now encountered Egg putting a block of some description on my card after I didn't sign up for Mastercard secure code while doing some online shopping a couple of weekends ago. I've now just tried to buy something else online and encountered a Mastercard secure code screen without a cancel function, got back to a screen to enter different card details and it took me to a verified by Visa screen.

I'm currently skeptical about the benefits of either scheme and don't see what else they add in terms of security and am pretty pissed off at retailers removing the ability to skip the screen. What do you think? Are they a useful security feature? Am I going to end up signing up for them on the basis of the process of least resistance in order to be able to do some shopping?

[personal profile] bob 2008-12-05 11:57 am (UTC)
the retailers don't have a choice. the banks and credit card companies are basically forcing them to use it. if they don't they become liable for fraud.

[identity profile] thehalibutkid.livejournal.com 2008-12-05 11:59 am (UTC)
Not that I qualify as a geek in this context but I hate them. I'm not sure they add anything either. Just another level of hassle.

But then I've also never been ID thefted and so am less worried about it.

[personal profile] toothycat 2008-12-05 12:05 pm (UTC)
They add a step during which you are communicating directly to the bank, not going via the retailer. This makes it harder for a malicious retailer to make unauthorized withdrawals, and also makes it harder for you to deny a transaction that involved the use of your security code. This is obviously of benefit to the bank, and so is of indirect benefit to you since the bank spends less to recoup its fraud losses and can afford to charge you less / pay you more; how much direct benefit to you there is is debatable (some would even go so far as to say you are worse off, as if your security code is stolen it is harder for you to deny the transactions).

[identity profile] hilarityallen.livejournal.com 2008-12-05 12:18 pm (UTC)
I've given in in order to get some shopping done. IMO, it doesn't add to the security (resetting the password takes a trivial amount of data that frankly lends itself to the malicious hands of pissed-off ex-partners or a moderately competent hacker). It adds to the faff. Mastercard SecureFaff has at least added a feature so you can be reasonably sure that the redirect is taking you to where it should, and not to some hijacked connection.

[identity profile] olithered.livejournal.com 2008-12-05 12:57 pm (UTC)
Has it really changed so you can tell where you are connected to?

All the times I've seen it up to now you get an embedded frame with no way of telling what/who you are typing your password into other than a (trivially forwarded) bank logo.

I do not understand who thought that would be a good idea rather than a clear https://mybank.com/etc visible in the URL bar!

[identity profile] hilarityallen.livejournal.com 2008-12-05 01:11 pm (UTC)
You can input a 'Greeting' which is displayed when the redirect is made. If you don't make it a generic 'hello' or similar, you have more reassurance that you're going where you think you are. It's not fool-proof, but it's a lot better than it was.

[identity profile] olithered.livejournal.com 2008-12-05 02:25 pm (UTC)
I'd say that was only a tiny bit better - anyone intercepting the logo can intercept the greeting!

no way of telling

[identity profile] ewx.livejournal.com 2008-12-05 02:56 pm (UTC)

Browsers can generally be persuaded to tell you where each frame comes from; but in practice I would not expect most users to even realize that they need to ask the question, much less explore probably unfamiliar bits of their browser's UI to find the answer.

Even if the URL used was actually visible I'd worry that many users wouldn't look there anyway.

I think a better answer would be where you look at the price, and then separately visit your online banking and charge up a one-time CC number with the required amount and then enter that CC number.

This would be fiddly at first but in principle you could integrate supporting features into the browser, though it'd be important to arrange that you could not emulate said feature using a web page.

(IIRC there are in fact CCs that have this property though I never got around to investigating further. They could only significantly reduce online fraud if they were actually required for online shopping though.)


[personal profile] calum 2008-12-05 02:46 pm (UTC)
It's becoming mandatory. Sooner or later, you will have to use it for all online transactions.


[personal profile] lovingboth 2008-12-05 07:38 pm (UTC)
See The Register for various geeky stories on it.