Is verified by visa actually of any use to customers?

I haven't bought anything online for ages other than through Amazon (which doesn't use VbV, or at least not for existing customers). I'm local to OcUK and it's cheaper and less fuss to go there than to arrange a delivery, so I usually just go there. The combination of DHL and free delivery is a winner, though, as if the delivery fails I can collect from the DHL depot down the road.

So, I've just ordered some stuff and hit the VbV for the first time.

Looking into it and how it's being implemented, the only reasons for it that I can see are (i) stage security, i.e. just there to look like something is being done and (ii) making it easier for card issuers to blame the customer in the case of fraud. I don't see a benefit to the customer.

I'd like to point out that I'm not blaming OcUK. It isn't their scheme and it's effectively mandatory for vendors (because they'll be held liable for fraud if they choose not to use this "optional" scheme).

It's certainly putting me off buying online. If it wasn't for the fact that I am about to switch to a different credit card from a different card issuer, I probably wouldn't have used it.
 
It has never bothered me, using Visa or MasterCard, it’s just another bit of security when purchasing.
 
If someone nicked your card, they wouldn't be able to use it online using VbV or MasterCard Securecode, as it's a piece of information that's not written on the card itself. It probably does add to security.
 
It's ostensibly meant to provide protection to cardholders, but that's not the whole story.

Traditionally, if your card was used without permission online you would perform a chargeback; this would in turn lead to money being taken from the merchant, which often left them without products, without payment and (with some merchant accounts) a fine of £10.

3D Secure (the name for VbV and MCSC) was developed to "shift" liability away from merchants and back to the banks, which seems quite charitable of them. I'm positive that in the future once everyone is on-board and "educated" about not revealing your password to other people the banks will try shifting liability to the cardholder.
 
It has never bothered me, using Visa or MasterCard, it’s just another bit of security when purchasing.

Alternatively, it's less security for the customer and more security for the card issuer. It's considered secure and it isn't, so it's a prime target for fraud. It results in people being redirected to another site where they enter details regarding financial transactions - something that people have been told not to do because it's a common phishing technique. The password is easy to reset, so it isn't much use as a password. It's card number and date of birth, right? So if you have someone's card number and date of birth, you can change their VbV password and therefore "prove" that you are them, thus making defrauding them much easier. I think its main purpose is to enable card issuers to shift liability for fraud from themselves to the cardholder as much as possible. I phish you, I reset your VbV password, I buy stuff on your card...your cardholder denies it was fraud because it was verified by this additional security check.
 
Actually it's more security for all. If you buy online through a shop that doesn't have it, essentially the shop could alter the payment details, like how much, before sending the request into the bank. At that point, the bank only has one copy of the transaction; they wouldn't know it wasn't real as they have the right numbers, dates, name etc., and you wouldn't be aware the price had changed (yet). In fact, shops could even add on 20p and 99% of people wouldn't notice, but it would add up a little eventually.

This way, the shop gets the details and puts through the transaction, but you essentially get another layer of security: not only can you double check the details that are being passed to the bank, the right price, you get to put in an extra password, which IS more security, but you get to put that password in on the bank's server, rather than give another password to the store. It means the store, with your 3 number code, expiry, name, card number doesn't ever see that password and if the security is implemented everywhere it makes it harder for anyone to use your details.

Plus, if anyone did get your password, they would be breaking through the bank's security, making them liable, meaning zero trouble getting your cash back and the banks have direct access to details to help them find who did it.

While I would imagine legally they have no right to access, say OCUK's internet logs to see where they might have been compromised.

The only time you'd get to a fake version through phishing is if you buy from a store, and the site itself sends you to a fake authorisation page. In which case, boom, you already know the store that defrauded you; the bank has the details of the transaction anyway as they still have to put something through to the bank to actually get any money.

It's not like an e-mail scam, please log in to change your password at random time; it's only directly from a transaction you can do it, and you clearly know if you're currently paying for something.

It's better, all around, for everyone, customer, bank, store.

Essentially before, contact with store, store trusted to do right with your details and that transaction, but that's it, they can do anything they want at this point tbh.
Now, you have contact with the store, pay through store, but confirm direct with the bank you did intend to want to make that payment for that amount. I fail to see how that can be anything but an improvement.
 
I use it. I guess it makes it harder for other people to use my card.

Still, not many places seem to do it, in my experience.
 
It's already a target for phishing.

It isn't necessary to break through the bank's security to get your password - it's far easier for the thief to change your password instead.
 
Angilion is completely correct. The passwords are ridiculously easy to reset because the banks don't want obstructions to their cards being used but want to be able to say they've done everything to stop fraud. If your card is used online and a password is supplied - even if it's just been reset through only knowing incredibly easy data to get - you can't avoid liability. The banks sit there in their ivory towers demanding everyone does everything possible to prevent fraud - for details, check out the requirements for becoming PCI compliant - but avoid doing anything themselves.
 
I thought it was a bit rubbish when it was implemented and I'm not much happier with it now. I recently bought something and had forgotten my password (or so the system said), asked for a reminder and within 30 seconds had the reminder and could change the password. It isn't any more secure but it takes up a bit of extra time and, as has been mentioned, allows the banks to claim they're doing their best to prevent fraud when all they've really done is throw up another layer that is transparently not going to help.
 
The technology is fine but implementation as always has gone to the dogs.

If they just made two changes to it - 1) post your password to you; if you forget it, you get another posted to you, just like PINs. 2) stipulate how the 3D-Secure page should look and send pictures and a guide to customers (hey, they can put it in the envelope with their password).

Currently nobody knows about it, anyone can reset it with details found in your wallet and the bank's staff have no idea what it is at all - if your bank's 3D-Secure server goes down you just have to wait for it to come back because you've no hope of speaking to anyone who knows about it.
 
The password is just for the sake of a password, it's not necessary.

As I said, it's this simple: it's so they can match a request of say £100 payment from OCUK, and directly match it to a request direct to the bank, NOT from the retailer, for the same amount, to check they match. That's it.

That's all it's for and it stops that particular type of fraud, so that's completely fine. You purchase £100 of stuff, OCUK sends a request for £125 to the bank, you're £25 out. Same situation but with this added, their £125 request is now accompanied by a record of you talking direct to your bank, saying the order was only £100, payment stopped. That's ALL it is.

The problem with the people that see a problem is they are looking at this as an all encompassing, supposed to be infallible all fraud protection; it's not. It's only meant to do what it does, and it does it perfectly. To a certain degree we're all vulnerable to having our details stolen, but you tend to know when it happens. Yes, the password can often be reset with date of birth and card details, however most people know when they've lost their cards and have them stopped. This is only supposed to stop those people, normally not the OCUK's, but when you buy some one-off thing from a random store you hadn't heard of before, and stops them using your details to take lots of money before making a run for it.
 
Why on earth the ONLY way to reset the password is not done via normal online banking or branch methods I really don't know.

You should simply phone your bank and prove your identity (as normal) then set your VbV password. The only way to change it is to do the same OR go into a branch and do the same.

Having the vbv online password reset feature is just stupid and moronic.
 
Why on earth the ONLY way to reset the password is not done via normal online banking or branch methods I really don't know.

You should simply phone your bank and prove your identity (as normal) then set your VbV password. The only way to change it is to do the same OR go into a branch and do the same.

Having the vbv online password reset feature is just stupid and moronic.

On the contrary, it makes perfect sense when you know what vbv is really for.

You're assuming it's "stupid and moronic" because you're assuming that the purpose of vbv is to reduce "cardholder not present" types of fraud, i.e. person A acquiring person B's card details and using those details to buy stuff with B's credit. The ease with which a vbv password can be reset ruins that potential fraud protection. So it would be "stupid and moronic" if the purpose of vbv was to prevent that type of fraud. Obviously, it is not. It's to reduce the liability of the card issuers in the event of fraud, not to reduce fraud. The card issuers are simply lying to customers, as is to be expected. Tell the suckers it's for their own good, then put the real point in the lengthy terms and conditions that hardly any customers will read and understand. So it would be "stupid and moronic" for card issuers to make the 3D secure system actually useful for preventing fraud. Doing so is very obviously not the point of 3D secure and it would reduce the profits of the card issuers because customers who forget their complex password will not be able to buy things. That's a direct loss of business for the card issuer and it would probably result in some temporary bad publicity.

In a similar way, card issuers make it mandatory and claim it's optional. Another lie to make it easier to impose.

The reason for lack of knowledge of 3D secure in general, even amongst the employees of banks and card issuers, plus the lack of standardisation in forms, plus the fact that customers need not even be told where the form is being served from, is less clear. It could be the ignorance and confusion common in very large businesses, when key information is never passed from those who make decisions through the long chain to those who implement them. It could be that card issuers want to keep people confused for a while, so that 3D secure becomes a fait accompli while most people know nothing about it. It could be that card issuers don't want informed customers, just ones who will accept agreements without reading them and enter financial details on whatever form pops up on a screen from anywhere.
 
I like it, adds a detail to the process which isn't printed on, or found with the card. Of course this is useless as it's not compulsory.
 
All I know is that for us VbV sucks, as every time (8+ times) me or the missus tries to buy stuff at Tesco we have to create a new password as the old one isn't accepted even though we wrote it down ffs!
 