Tuesday, January 10, 2012

Verified By Visa - a security joke. But, by the way, their normal UK landline is 0247 684 2063

If you use a credit or debit card online you’ll probably have come up against Verified by Visa or MasterCard’s equivalent.  It’s a scheme to have a frame in a browser page managed by the credit card provider (instead of the retail outlet) to do a password check.
I’ve always thought it security theatre.
It pretty much is.
Today a card of mine was compromised.  I performed a legitimate online transaction at easyJet at 12:02, with a card that has not been used online (other than at the Bank’s own banking site, and the DVLA) in over three months, or in an ATM since 25th October – it’s specifically for riskier online transactions, which are few and far between for me.  Within a few minutes someone had my card details and the following transactions were attempted:
  • 12:04pm (2 minutes later!!!) £5 at a wildlife park – this went through
  • At 12:07 just under £2k to a Barclaycard account (not mine) – this was blocked
  • At 12:20 86p at Experian – this went through
  • At 12:36 a second attempt at the Barclaycard account – still blocked
As this is the second time a card has been compromised so soon after using easyJet I’ll leave it to your imagination what I think of them.  Of course it is conceivable that some other route to compromise may have occurred – but this is the *second* time exactly the same thing has happened with a rarely used card used at easyJet.  So I know where I think it’s happening.
However, whilst this was going on I received an email from Verified By Visa at 12:35 saying my password had been changed – and if not, to contact them on a premium rate number (which various internet reports indicate has an extended hold time for profit).  See below (a couple of details removed) - would you think this was a genuine email or a scam?  Note especially the unmatched domain name, and the over 2 years old BT call fee statement!
So I binged the number (0870 156 6485) and found a normal landline number to call (and also verified it at Barclays’ own website).  The double advantage of the 0247 number is that I can use free mobile phone minutes as well.
The net result was that the card was eventually blocked.  But honestly – what is the point of a secondary layer of security on a system that can be completely compromised by someone with only the already used credit card details?
OK, receiving the email did give me a prompt that something was up, but very poorly due to the format, content and address.  But the fraud detection at the bank had already done that in effect by blocking transactions.  Shouldn’t the reset of the password at least require email confirmation or a known fact BEFORE completing?
FWIW the security questions at the bank’s call centre were better – they picked a random DD or 2 that I pay and made me confirm details about the recipient/amount.  Now that was sensible.
Hacked off.