[personal profile] ewx

I had my first "verified by visa" popup today.

If this means nothing to you, what happens is: you try to buy something online with your credit card. When you hit the submit button in whatever online shop it is, a popup window appears and asks you to confirm the amount. The idea is that the popup is securely connected to your credit card provider, so that they can have confirmation of the order direct from you rather than through the merchant. You enter a password so the provider knows that it's you they're talking to, and they approve the transaction. A few days later your new toys arrive and several weeks later you have to pay for them.

I find myself unconvinced by the current implementation.

At least in the case of the place I was buying from, the popup turned off all the window furniture and embedded the output from the card provider in a frame. That is to say, you didn't get to see the URL displayed by the web browser: you just had the text of the web page. So you can't tell from that whether you're really talking to your card provider. (Any idiot can copy a web page.)

The mechanism includes a workaround for this: when you register you choose a password that the provider uses to authenticate themselves to you. But a crooked merchant could make the same request your web browser does, and redisplay the results to you with the numbers changed to what you expected, and then send your answer back to the card provider. (This is harder for a crook to do, but they only have to do it once.)

As far as I can see the only thing preventing such a man-in-the-middle attack on this protocol is the user checking the origin of the popup, which (i) has been made maximally inconvenient, (ii) you're not told to do, and (iii) uses a different URL from your bank's anyway. (The same hostname turns up when you register so you do have something to compare with - but will it be the same in 12 months' time?)

(I'm assuming that comparing apparent URLs is a sound thing to do, which is probably optimistic.)
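To make the argument above concrete, here is an added toy model of the flow (my own illustration, not code from the post or from any card scheme): an issuer that echoes the registered phrase, the honest flow, and the relayed flow described above, with the user's check done with and without an origin comparison. The hostnames, card id, password and phrase are all constructed placeholders.

```python
# Toy model of the "verified by visa" flow described in the post: it shows why
# the phrase chosen at registration does not prove who served the page, and that
# comparing the origin is what tells the two cases apart. Constructed illustration
# only; not the real 3-D Secure protocol or any vendor's code.
from dataclasses import dataclass

ISSUER_ORIGIN = "https://auth.example-issuer.test"  # placeholder, not a real host
USER_PHRASE = "purple teapot"                       # phrase chosen at registration

@dataclass
class Page:
    origin: str   # what the address bar would show, if the popup let you see it
    phrase: str   # the assurance phrase echoed back by whoever served the page
    amount: int   # amount displayed, in pence

class Issuer:
    """Holds each card's password and phrase; approves on a correct password."""
    def __init__(self):
        self.cards = {"card-1": {"password": "hunter2", "phrase": USER_PHRASE}}
        self.approved = []   # (card, amount) pairs the issuer has approved

    def challenge(self, card, amount):
        return Page(ISSUER_ORIGIN, self.cards[card]["phrase"], amount)

    def respond(self, card, amount, password):
        if self.cards[card]["password"] != password:
            return False
        self.approved.append((card, amount))
        return True

def user_accepts(page, expected_amount, check_origin):
    """The human check. Phrase and amount are all a framed popup shows;
    check_origin=True additionally compares the page origin with the issuer's."""
    if page.phrase != USER_PHRASE or page.amount != expected_amount:
        return False
    return (not check_origin) or page.origin == ISSUER_ORIGIN

def honest_flow(issuer, card, amount, password, check_origin=False):
    page = issuer.challenge(card, amount)   # the browser talks to the issuer itself
    if not user_accepts(page, amount, check_origin):
        return False
    return issuer.respond(card, amount, password)

def relayed_flow(issuer, card, amount, password, check_origin=False):
    """The crooked-merchant case from the post: fetch the issuer's page for a larger
    amount, re-serve it from the shop's origin with the amount rewritten, forward the answer."""
    fetched = issuer.challenge(card, amount * 100)
    shown = Page("https://shop.example.test", fetched.phrase, amount)  # phrase survives
    if not user_accepts(shown, amount, check_origin):
        return False   # only the origin comparison catches this
    return issuer.respond(card, amount * 100, password)
```

Running both flows with `check_origin=False` shows the phrase check passing in each case, with the issuer approving the larger amount in the relayed one; with `check_origin=True` the relayed page is rejected before any password is typed.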

I have a chip and PIN card too, now, but haven't been asked for the PIN yet, despite having gone to the effort of remembering it, and despite having shopped at at least one place which visibly had the kit for it.

(no subject)

Date: 2004-11-13 04:24 pm (UTC)
From: [identity profile] senji.livejournal.com
"you're told not to do"? !!

I've used my (chip &) PIN on two out of 5 cards so far. I suspect the other three probably won't get it...

(no subject)

Date: 2004-11-13 04:56 pm (UTC)
From: [identity profile] ewx.livejournal.com
No - "you're not told to do".

(no subject)

Date: 2004-11-13 04:58 pm (UTC)
From: [identity profile] senji.livejournal.com
[livejournal.com profile] senji -- 6/10 for reading comprehension. D'oh.

(no subject)

Date: 2004-11-13 05:33 pm (UTC)
From: [identity profile] timeplease.livejournal.com
Chip&PIN: not being asked for the PIN is really unusual if you're in a place that has the kit for it. We have a Chip&PIN terminal; if someone presents a card and claims they can't remember the PIN we have to go through an exception procedure (involving presenting the "supervisor card" to the terminal) to get it to fall back to signature mode - and even that is going to be turned off in January.

(Even now it refuses to fall back to magstripe mode if there's a dead chip in a card - we had one of those today and had to ask the customer to pay with a different card.)

(no subject)

Date: 2004-11-14 03:18 am (UTC)
From: [identity profile] ewx.livejournal.com
For all I know the kit I saw might have been installed but not enabled, or broken, or misrecognized by me.

(no subject)

Date: 2004-11-14 04:34 am (UTC)
From: [identity profile] womble2.livejournal.com
Recent versions of IE and Firefox show the domain or URL for every browser window. It's still moronic design for the page to request that it not be shown, though.

(no subject)

Date: 2004-11-14 05:12 am (UTC)
From: [personal profile] gerald_duck
Does it draw any distinction between cards that aren't enabled for Chip and PIN, and cards that are enabled but where the customer declines to enter a PIN for whatever reason?

I deliberately don't have my cards enabled at the moment, and that's the way I intend to keep things for as long as possible — ideally indefinitely.

(no subject)

Date: 2004-11-14 05:29 am (UTC)
From: [identity profile] timeplease.livejournal.com
Does it draw any distinction between cards that aren't enabled for Chip and PIN, and cards that are enabled but where the customer declines to enter a PIN for whatever reason?

Yes. Chip&PIN and Chip&Signature cards are different. As I mentioned, there's an override procedure for Chip&PIN cards to fall back to accepting a signature at the moment; this involves a couple of keypresses at the PIN prompt and a swipe of the terminal supervisor card. I believe this feature is due to be removed in January.

(no subject)

Date: 2004-11-14 05:38 am (UTC)
From: [personal profile] liv
I actually hate chip and PIN. It seems to me simple logic that the more often you have to type in your PIN, the more chances you are creating for someone to steal it. I tend to trust ATMs on the basis that it is so much in the banks' interests to keep them as secure as possible. I don't necessarily trust any random shop with their little card-reading machine. The danger of an unscrupulous trader cloning a card already existed, but it seems like such crooks are now going to have a much easier time using a cloned card if they don't even have to try to forge a signature, but can steal the PIN as well.

A more minor problem, but one that still bothers me, is that the new system means that my brother has to reveal his PIN to all his carers. He can't sign very well, but at least with a signature he has to be present in person to authorize transactions. There may not be very many people who don't have the physical dexterity to type in a PIN number, but there are certainly some.

I'm tempted to start insisting on paying for everything by cheque.

(no subject)

Date: 2004-11-14 06:46 am (UTC)
From: [personal profile] gerald_duck
Right — but Chip&Signature cards will continue to work? If so, I'm sorted!

(no subject)

Date: 2004-11-14 10:24 am (UTC)
From: [identity profile] timeplease.livejournal.com
Yes. The trick is persuading your bank to give you a new one when your current one expires.

(no subject)

Date: 2004-11-14 10:27 am (UTC)
From: [identity profile] timeplease.livejournal.com
Officially it will continue to be possible for banks to issue chip and signature cards. They are going to be reluctant to do this, because they like chip and PIN, but if you argue with them enough they should relent.

(no subject)

Date: 2004-11-15 01:42 am (UTC)
From: [personal profile] liv
it will continue to be possible for banks to issue chip and signature cards
That's interesting to know, thanks. I get the impression from what you're saying that retailers are phasing out the technology to accept them, though? I shall try pestering my bank (Smile / Co-Op), but they do seem to be terribly gung-ho about how wonderful and amazing the chip and PIN technology is.

(no subject)

Date: 2004-11-15 02:37 am (UTC)
From: [identity profile] timeplease.livejournal.com
No; retailers will continue to be able to take magstripe-only and chip and signature cards. (Consider visitors from other countries that don't support chip and PIN.)

(no subject)

Date: 2004-11-15 04:28 am (UTC)
From: [identity profile] imc.livejournal.com
a popup window appears and asks you to confirm the amount

We don't need no steenking popup windows. I'm still at the stage of being rather disappointed when sites make me use JavaScript.

(Though, tangentially, I seem to have found a site which can circumvent Mozilla's popup-blocker by using Flash to open the new window.)
