Ebuyer / Bank of Scotland adopts Verified by Visa

The scourge of Verified by Visa continues. A 2-page step is tacked on at the end of a normal checkout process: see screenshots 1, 2. (You may find this useful if you’re forced to implement it yourself in future.) Yes, it sits inside an iframe in the page. Two things (security code and expiry date) you’ve already provided earlier in the process and are forced to provide again.

If you click “How will it be used” next to the email address, it opens a popup window with an explanation.

On the next step, if you click Help, it opens Help in the previous popup window (in the background, so you may well not notice that anything has happened). That window has no scrollbars, a fixed-width layout wider than the window itself, and cannot be resized, so the only way to read all of the text is to select-drag it.

The Help page actually mentions accessibility, but merely provides useless lip service. What good does it do to link to the WCAG, or to screen readers? And how much can you trust it if it claims “Support for No Java Script”, while the popup window wouldn’t have opened without JavaScript? Or even, god help us, when in-page anchor links look like this: <a href="javascript:moveToInerLink('#DDA');"> (sic).

After purchase completion, you receive a lengthy “Welcome to Bank of Scotland Secure” email message urging you to personalise it with a new login name and a “personal message”. Any novice online shopper who has made it this far is likely to throw their hands up in confusion.

This is supposedly all for our security, but already, phishing scams mimicking Verified by Visa abound. How long before phishers start mimicking the Verified by Visa iframes? Inside an iframe you can’t even see the domain name, the https or the little padlock: the browser chrome only ever shows the address of the outer page, so the cardholder is being trained to type their security code into a frame whose origin they have no way of checking, which is exactly what a phishing page needs. The pages in the iframe are served from https://www.securesuite.co.uk/hbos/, itself not exactly a reassuring household name (note that the scam above is served from http://usa.consumers.datasecurities.net).

Visa’s response is this complacent, self-serving attitude: “The interesting thing about these Verified by Visa phishing attacks is that they further the argument to sign up for Verified by Visa, which is designed to thwart fraudulent payment transactions,” And if that doesn’t give you the horrors, “Visa is looking into a system under which a card issuer could require a cardholder to register for the program before completing an online checkout process” (my emphasis).

Comments

Of course the purpose of these systems is not to make purchasing more secure (it doesn't), but to defer more of the risk onto you rather than the jokers who perpetrate credit cards on us.

None of the systems in common use stop man-in-the-middle attacks apart from one time credit card numbers, which are a rare offering.

Adding additional security for credit card transactions would be very cheap - however for credit card companies it's even cheaper to ensure they don't have to pay out. Then the more fraud the better, it just means more transactions!

Just to point out ;) Those screen shots show Bank of Scotland, aka HBoS (Halifax Bank of Scotland) screens. *Not* Royal Bank of Scotland (RBS) as the title says. They are different organisations entirely.

Oops, thanks for spotting that, Matt! Fixed.
