The more complicated you make security arrangements the less likely they are to be secure.

Which does have one wondering what are we securing and why? For IT is maybe not worth the Bother and Cost in concealing ITself.

I looked at this a while ago, thought it might be a good idea. The ts & cs state (IIRC) that once you've signed up to the verification thing, any transaction that goes through cannot be repudiated. This is good for Visa, good for the merchant and very, very, bad for you if someone manages to pull off a scam. Also, you can bet that if someone pulls a scam off, the card people, ombudsmen, regulators, police and the rest of the idle parasites will say "it can't happen, the system is secure, you're a crim". Who needs that sort of crap?

This book: http://www.cl.cam.ac.uk/~rja14/book.html gives you the general idea.

<quote>And Bank of America customers are, of course, more likely to fall for the ruse than those who aren’t.</quote>

At first I read this as a gratuitous slur on BoA customers, but on reconsideration, anyone who falls for this scam that isn't a BoA customer shouldn't be allowed a credit card as they are clearly too stupid.

Only today I was directed to the alledged enrollment site (*) for NatWest's Maestro card version of this scheme (Mastercard SecureCode), whilst attempting to make an online payment.

Of course, as it didn't use any of their recognised domain names and the SSL certificate was not in the name of the bank either, I certainly wasn't going to re-input my details (including extra ones than a merchant never asks for).

Another own goal by the banks.

(* www.securesuite.co.uk, in case you're wondering. The SSL Certificate is registered to Cyota, who I happen to know are in the business of fraud behaviour detection, but I'm not going to encourage sloppy practices in SSL and domain usage. Someone else has written about this, in the past, at http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/)

They already do this with Chip & PIN. I was scammed abroad and got stonewalled by every single fraud department with "the chip proves the card was there, the pin proves you were there".

Well, if you can prove you were somewhere else this might show the bank it was unauthorised, I have had one recent transaction which was unrecognised, and a few words with my bank, and a new card was issued, and a dispute was set up and hopefully the transaction will be refunded or has been, I can't check as I don't have access to the on line banking system although in such circumstances, it might be worth while checking out http://www.chipandpin.co.uk to see whether they can help or speak with the Financial Services Ombusman for advice.

I have direct contacts with people in this area, and APCAS so any issues can be raised directly with them and normally sorted or answered very quickly.

If you don't need credit cards, get rid of them. Took me a long while to work how I can mange without them and work around things, but in the bin they went, all the accounts closed down. I got written confirmation that I was no longer responsible for the accounts and they are closed, just in case the bank leaves the details in a dustbin out back! I still have debit cards, but the accounts are more closely monitored these days than ever before.

It's just a sad fact of life that the banks can't be trusted to help us anymore, they only care about profit at our expense, so we have to spend more time looking after ourselves, even if that means going without certain things or opportunities.

Several years ago when I was making an online purchase at a reputable website I got redirected to the Verified by Visa programme. I was extremely skeptical at the time, although it did turn out to be genuine. The concept seems to be that if you use the card at a VbV-participating (on-line) retailer, then you have to jump through the additional security hoops to use your card at that retailer. Seeing as it's not compulsory, and thousands of other (including potentially less scrupulous) sites don't require VbV, I fail to see how it offers much "protection". Banks are shooting themselves in the foot by launching such schemes which desensitise people to what should be perceived as abnormal behaviour (for precious little benefit - unless someone can enlighten me). At the very least, in the first instance the Bank should have announced the Verified by Visa scheme with a leaflet alongside my account statement which arrives in the post. I did speak to my bank about it at the time, but I don't think they "got it"...

-------

Verified by Visa is a legitimate service that adds an additional layer of security to online credit card transactions.

------

That's just not true, all this (and the Mastercard equivalent) really provides is a way for the banks/merchants to say "actually - YOU got scammed, therefore it's YOUR fault". It's just a way to switch the responsiblity for being a victim of fraud to the customer - "security" with banks is not dissimilar to "protection" with the mafia it seems.

For what it's worth, I had the same suspicions and concerns as James about SecureSuite, but I checked with Capital One, and they confirmed that it was genuine. It could certainly do with better branding though, it looks more like a phishing site than some "real" phishing sites do!

I got a phone call from a number coming up as "Private" with the person on the line saying "hello I'm Mary from "XYZ" bank am I speaking with John Browne", I say "yes", She says "do you have a few moments to talk about our new services", I say "yes", she says, "Can you confirm your account number, address and date of birth". Immediately alarm bells started to ring, so I said " You called me so you should know who your calling, I don't want to give out personal and bank details to someone claiming to be from "XYZ" bank, especially an unsolicited call". Now Mary had the sound of weary call center worker in her voice but without breaking stride gave me the banks phone number and her full name and said If I had any questions to give her a call.

The same bank has a policy on it's website that advises it's customers not to give out personal details to callers, But I suppose it's ok if it's actually your bank calling, but how are you supposed to know that.

In the end I googled the phone number Mary gave me and it turned out to be the Bank and I rang her back and was talking to her subsequently, but the number she gave me is different from the numbers on the bank statements or the online or phone banking numbers.

Of course if it was a scam It would be all my fault and the bank would not be liable.

A friend had an email from securesite.co.uk, inviting her to click on a link, and she did.

I chastised her that clicking links in emails is a ridiculous thing to do, and any security service would not encourage it.

I called up Barclaycard's anti-fraud centre (2 days of waiting and giving up), who were allegedly the card company inviting her to use securesite, and they couldn't confirm who securesite were, and if it was legitimate or not, but just gave me a general assurance that it was probably alright and they were doing something or other with VBV.

It seems that it was genuine, but there was no way, even as an informed member of the public that I could verify that. (And certainly not quickly)

Why do they still encourage users to click links in emails?

... and this site is certainly taking a while to load (3.30pm) - almost as though it's on a noddy windows server, rather than a decent cluster...

I've just been trawling old email and happened to stumble across a Verified by Visa phish from April 2005!

See below:

[ Verified by Visa logo graphic ]

Dear Visa customer,

Before activating your card, please read this important information for cardholders.

You have been sent this invitation because the records of Visa USA/Canada indicate that you are current Visa cardholder and your Visa Card is not registered with our Verified by Visa Services. To ensure your Visa Card security, it is important that you protect your card with a personal password.

Our Verified by Visa Service adds extra security features when you shop online at the participating stores, pay your bills or receive incoming transfers from third parties.

Please take a moment and activate your Verified by Visa facility now.

Registration is fast and simple, and does not cost you a penny.

Once your card is activated, your card number will be recognized whenever you purchase at participating online stores. You will enter your password in the Verified by Visa window, your identity will be verified, and the transaction will be completed. In stores that are not yet participating in Verified by Visa, your Visa card will continue to work as usual.

To Register Your Visa Card, Please [Click to Enter Verified by Visa Site]

Sincerely,

Visa USA/Canada Customer Center

Need to make a payment ?

Go to the banks website. Click 'create transaction'

Enter the amount of money in the transaction, and which of your accounts it needs to come from.

A number is generated that only holds that amount of money. No more , No less.

Go to merchant website. Type in that number. Merchant gets paid. Merchant can not grab more money, and the number is one-time use only. So even if it 'leaks' no harm done. i believe that those temporary numbers are also valid only for a limited time. if the money is not claimed within a certain period the number is destroyed and the funds re-enter your account.

To get into the bank website you have a 'calculator style' (securicard) authentication pass.

You go to website of the bank : type in your username and password. Website shows a 'magic number' : you type this in on the 'pocketcalculator' and the little thing gives you an answer code. You have 1 minute to enter the response. if correct you get access to your accounts through SSL connection.

A friend of mine has such a card through a bank in the Netherlands. Every transaction is done using such system. He logs in , authenticates using this securecard , requests a one time number : transfers money to it , logs off at bank. Goes to merchant website and uses one-time number to pay.

Worst that can happen is someone grabbing the number and claiming the money. But they cant grab your entire account !

But i think you can enter already in the bank the name of the merchant. So if someone else tries it doesnt work.

Open a separate checking account, and keep it at an empty balance (or like $10). When you want to buy something online, make a transfer of the amount from a regular checking account, or your savings, or whatever, then purchase the item online. I do this and if anyone gets my online card info, I could care less. I'm out $10, so what.

This also will help you cut down on impulse purchases, if you're mentally weak, and 1am drunk purchases, like, um, I did once... :)

It's amazing what a little thinking can do!

Like John Browne, I've been called out of the blue by someone claiming to be from my bank. They probably wanted my date of birth or something to start with, but the further details they asked for after that raised my heckles, and I refused to proceed. When I asked "how do I know you're from [my bank]?" he laughed. We reached stalemate. The caller was very cagey about why he'd called, giving evasive answers to questions as to whether it was basically a marketing call or something more personal... I think he said "let's just say I'm not calling everyone about this". Very weird. The Caller Display number didn't match any recognised number of the bank.

Much Googling established that the number they'd called from has been cited as originating numerous "suspicious" calls, claiming to be from various banks. After calling the bank on their usual numbers and general timewasting I eventually established that the call (probably) was genuine - I failed to be 100% convinced by the bank's call-centre-droid assurances. Gathering evidence it seems that the bank sub-contracts some (marketing) calls to this other company. IMHO that company was very silly to claim they *were* my bank (rather than calling *on behalf of* my bank). My bank had a seemingly "don't care" attitude when pointed out that this calling-company does not give a good impression, and has previously raised internet-suspicion to boot.

We need an agreed telephone protocol. If the bank has called you on a number they have on their records, it really shouldn't require more than a confirmation of name and DoB to have a high degree of confidence that they're talking to the right person. If it is basically a marketing pitch then they can phase their spiel in such a way that it doesn't give away too much personal information... and then *maybe* only require further confirmation of ID *if* the customer decides to act on the offer (9 times out of 10, they won't). If they tell you what the offer is, if interested you can at least call back on a familiar number and request the offer.

Grrrrrrrr...

My credit card statement invites me to check my account online here:

http://www.abbeycreditcard.com

- this redirects immediately to:

http://www.applyonlinenow.com/uk/abbeyna_jmp/abbeyna_jmp.htm

...this presents an option "click here to access www.abbeycreditcard.com" - but it actually sends you to...

https://www.bankcardservices.co.uk/NASApp/NetAccessXX/WelcomeScreen?country=uk&language=en&group=AAHE

I was actually on the phone to them at the time over an unrelated issue, and the call centre was asking me to log in to their site via http://www.aandl.com which redirects to a variant of the third link when you click the "Go" to manage your account.

They seemed confused when I told them that the pages I was being directed to, either directly or indirectly were not what they were telling me they should be, but insisted they must be right.

I've read all of the comments posted - and working for a major UK bank in their Online Helpdesk I have to say that often customers are to blame for losses.

They have inadequate security on their system and end up with a trojan. Trojan either has a key logger or directs them to a fake site.

Either way the fraudsters typically get their details.

I once spoke to one guy who had responded to 3 scam e-mails in 3 months.

Yes, on the debit card front things do get a little more complex due to cloning and so on, but in terms of online fraud I really do believe that customers should be reimbursed in the first instance, educated on internet security and any further losses is their liability.

Banks take all sorts of measures to protect customers, from SSL and Two Factor Authentication (most banks are currently rolling this out) to using fraud software such as Cyota, and using IP logging.

Most banks also monitor the transactions customers make, so if you usually only make transfers for £50 via online banking, and suddenly try to transfer £1000 that would most likely get the attention of the fraud team.

The bank I work for has recently won an award for its anti fraud strategy - but the bank can only do so much.

If you reply to a scam e-mail, then how do you expect the bank to protect you from that? Customers can yell at bank staff down the phone that we should improve the services, but it's like you giving someone a front door key for your house. Would you blame the police for that person stealing your property?

I've been called at home twice by my credit card's fraud department to verify a purchase. The first time is when I bought a computer some years ago -- I was just coming through the front door with it when the phone rang with someone asking me whether the transaction was OK. Most recently I had my collection of motorcycles out being cleaned up and fuelled so I was out buying several small amounts of fuel over a period of a few hours. They called up to check.

A good credit card company will flag a problem immediately by an unusual transaction or pattern of transactions. They're the ones that you stick with.