

Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication - bensummers
http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

======
dangrossman
VbV and MCSC are terrible. They take everything banks tell consumers not to do
(don't enter your password on unfamiliar sites, check that the URL in the
address bar matches the site you think you're on, don't give out your social
security number to unfamiliar sites) and then make you do it all to complete a
simple purchase. You get redirected to a 3rd party site, with a 1998-era
design, have to enter your social security number and credit card details,
etc.

I honestly believe ecommerce would be in a better place if all payments had to
go through a PayPal-like company. Rather than a million individual site owners
ticking off boxes saying they know something about payment security without
actually complying with PCIDSS, consumers would register with a smaller number
of well-known payment providers and use them to checkout without ever typing
payment information into individual stores' sites.

Really, the card brands could launch a PayPal alternative of their own.

~~~
CWuestefeld
The first time I encountered VbV, a few years back, made bells ring in my
head. So I actually called my bank and asked them if it was on the up-and-up.
The bank (and I talked to a few supervisors in their customer service
department) couldn't figure out themselves what the story was.

If they're going to do something like this, they really ought to be able to
explain it to their customers.

------
auxbuss
I presume that the word 'not' in the title is making the assumption that these
changes were made by the banks to reduce fraud.

Why would they do that? I know they say that's what they are trying to do, but
they have little vested interest in doing so, because not only are they not
the losers in fraudulent transactions, but they actually profit by them.

The loser in a fraudulent card-not-present transaction is, usually, the
merchant. If not, the card-holder.

Not only are the funds removed from the merchant's account, often including the
additional fee that the bank makes for fraud checks, but they are then charged
an additional fee for the "charge back".

The system sucks and always has done. The banks have it wrapped up to avoid
any loss.

The only way that fraud will be reduced -- and it is easily eliminated, in all
honesty -- is to make the banks 100% liable for the losses.

Governments could do this tomorrow, if they chose to.

~~~
tptacek
One problem here is that there are a lot of collusive merchants who act as
fences for stolen transactions, both directly and by paying affiliate fees.
Since you presumably don't buy many herbal supplements, you haven't come into
contact with them, but they're out there.

Between the merchants, consumers, and banks, it's the consumers who have the
least control over transaction authentication. On the other hand, without the
threat of any penalty, merchants are incentivized to optimize for conversions
at the cost of security.

It does not make sense to me that the banks should be ONE HUNDRED PERCENT
liable for losses.

------
rakkhi
Similar arguments to what I was making:
http://rakkhi.blogspot.com/2010/07/fixing-verified-by-visa.html

Good article, but I would have liked a bit more detail, especially on how they
think it is easy to do a man-in-the-middle attack on a TLS-secured
transaction.

------
petercooper
Several months back I noticed that I was reading an "Argh, I hate Verified by
Visa!" tweet at least once a week, so I rigged up a silly Twitter page at the
time to show all the Verified by Visa hate in one place ;-)
<http://horrifiedbyvisa.no.gd/>

------
rakkhi
Would be really interested in HN readers' views on how VbV could be improved;
I may be in a position to implement some of these suggestions.

