17 October 2017

A Single Customer View

Michael Fuller - None


3D, 2D or 1D Secure?

08 November 2008

Thanks to all those who responded to my earlier comments about card security. It seems there are different implementations of Verified by Visa and MasterCard SecureCode. Some issuers request only a number of characters from your password to verify the transaction whereas others ask for the full password.


Some issuers also annoyingly set certain password standards, so a password may have to include both upper- and lower-case letters as well as numerals and characters. While they think that this makes the password more secure, in fact the reverse is true. The more complex the password, the more likely the user will have to record it, thus making the additional complexity self-defeating.


Passwords aside, I received a disturbing letter from the Co-operative Bank this week about their implementation of Verified by Visa. It said that they were going to register me for VbV in a month's time and would set my established "memorable name" as the password. While I'm happy that they are joining VbV, I'm not happy about the way they're doing it.


Firstly my "memorable name" isn't really secure since I have to speak to a member of Bank staff to set it. Secondly, and I called Co-op to raise my concerns about this, there seems to be no stage in the process where I can set a validation phrase or personal message. This means that whenever I use Verified by Visa I have no way of confirming that the VbV window I am using is genuine and not spoofed. The employee I spoke to kept saying that it was OK because I would be diverted to the Co-op's website to input my password. She couldn't understand that without a validation phrase displayed I couldn't be sure that this was their site and wouldn't be entering any password!


In theory, 3D Secure is a good system, but it seems to me that the various ways in which banks are implementing it leave it open to fraud.



Comments: (4)

A Finextra member | 09 November, 2008, 00:37

The conclusion?

It just isn't secure, it is not easy to use and the customer just gets confused.


Paul Penrose - Finextra - London | 09 November, 2008, 11:06

Couldn't agree with you more, Michael. It's a total lash-up with different rules and conventions applied by different banks and merchants. This kind of haphazard introduction smacks of desperation and panic measures. Where are the standards when you need them?

A Finextra member | 10 November, 2008, 15:34

The real problem is that a lot of bank-employed security people are little more than electronic door lockers and badge checkers.

Michael Fuller - None - London | 19 November, 2008, 16:48

Well Visa have now responded to my concerns saying:

"The Verified by Visa service is offered to Cardholders and Merchants by Visa's Member banks and financial organisations. Please note that Visa Europe does not regulate the data standards that members use. We recommend best practise but ultimately at this moment in time issuers are able to decide which data elements they hold and are therefore able to use in this process. Different issuers use different type of data to authenticate."

So I've now asked them why, if the service bears the VISA brand, they don’t set standards for security the same way they no doubt do for branding. So far, silence...

The VISA response holds out a little hope though in referring to “at this moment” which suggests they may regulate data standards.

Come on VISA (and MasterCard) the time is now!


Michael's profile

job title Former Retail Banker
location London
member since 2008
Since 1997 I have left the financial sector and am Company Secretary for a large national Housing Association with responsibilities which include regulatory reporting from our data warehouse.
