Then you go and spoil it all by saying something stupid like “Verified By Visa”

dermdaly

Every time I see “Verified by Visa” I shudder

I was attempting to purchase some equipment this morning. As I went to the online checkout, I was brought to the “Verified By Visa” page. Cue shuddering.

Here’s the problem: It is far more likely to prevent me from purchasing rather than protecting me from fraud. The loser here is the merchant – because I’ll look for the product elsewhere with a supplier who won’t use the “Verified by Visa” programme... and I’ll still use the card, so the Bank are unlikely to care.

This morning, I decided I’d persevere. I’ll finish out this process dagnammit. It took a phone call to get through the process, and a couple of false starts. What should have been 2 minutes was about 20 (including the rant down the phone I suppose).

I was given the e-mail address of the fraud team at AIB. Here’s the mail I’ve just sent. I’ll be interested in how they choose to respond:

Subject: Feedback Re: “Verified By Visa” programme
Dear Fraud Team,
I’ve been referred to yourselves as the people to provide customer feedback regarding the “Verified By Visa” programme operated when carrying out purchasing online using my AIB Credit card. There are a number of points I would like to bring to your attention, and I’d appreciate it if you could provide me with some feedback. I am a holder of 2 AIB credit cards.

Please note, I understand the concepts behind Verified By Visa, and the claims it makes, however I feel it falls short for practical reasons.

In the last number of times I’ve encountered verified by visa, it has prevented me from finishing a sale, and been the reason I chose to shop elsewhere.

This morning, I attempted to purchase some equipment from my company, and was brought to the verified by visa page. I decided that I would persevere and get through this for once. Here’s what happened:
1. I knew the card I was using was not enrolled, so I chose to enroll it.
2. It asked for CVV, date of birth, and credit limit. – I thought I put in the correct details, but I didn’t; as it turns out I didn’t know my credit limit (it is a new card).
3. I called the number on screen and spoke to a customer service advisor who unlocked it and told me my correct limit. I put this in.
4. Now I was asked to supply a password. I supplied a secure password I use for specific sites only (it contains letters, digits, etc.)
5. Now I was told I had used this before. This may well be the case, as I have a personal AIB Visa however as far as I understood it, I was creating a new identity for a new card, so this surprised me – in fact, I could suggest that this is a security breach in its own right – separate cards should have separate identities but this may be an attempt at convenience.
6. I put in a different password.
7. It told me this was not good enough, and I had to adhere to guidelines as set out by the system.
8. I added some digits to the password and finally my purchase completed.

I also understand the verified by visa is an attempt to prevent fraud. I don’t buy this; I also know that verified by visa reduces transaction rates to merchants, and puts the responsibility of fraud to the card holder – this isn’t fraud prevention, it merely shifts any loss to the end-user.

The net effect to me is this: If I come across a site which requires the verified by visa programme, I will shop elsewhere – I understand you guys don’t lose out – I’ll still use the same card, however your Merchants will. If it becomes ubiquitous, I’ll seek out a credit card supplier that avoids 3d secure programmes and use them instead.

The verified by visa system is rubbish – rather than preventing fraud, it prevents commerce and 9 times out of 10 causes me to abandon a purchase.

So…here are my questions
1. In whose world is this a convenient way to purchase? This is insane.
2. The site I was doing all of this on was “securesite.co.uk” – I checked this was ok with the people on the phone, however here’s what’s happening there: I am giving details about my account to a third party and I do not know what they are doing with them. This flies in the face of all anti-phishing advice on your own sites.
3. There is no added security of not allowing re-use of password
4. There is no added security of making a password meet YOUR criteria.

Note:
On 2 above you know this, and I know this: Trust is not associative – If I trust AIB and AIB trust securesite.co.uk, this does not mean I should inherently trust securesite.co.uk. In fact the 3D secure system is meant to specifically ensure that PINs etc. are not captured by the merchant but rather given directly to the bank. If you use a service provider, then we’re not achieving this anyway.
On notes 3 and 4 above: there’s well known research that suggests that imposing rules such as those above results in less secure passwords, as people are more likely to write down passwords and so leave them open to being copied.

I’d appreciate AIB’s official position on this ludicrous system.

Kind regards,
Dermot Daly