[personal profile] jack
AAAAAAAAAAAAAUGH!

How can the banking industry know less about security than me?

A while ago, "Verified by Visa" became compulsory when buying things online. In order to buy anything, you have to know your verified by visa password.

Except, SURPRISE! You don't have to. You can either know your verified by visa password "passcode", OR know your card details, postcode and date of birth.

Seriously, that's strictly less secure than asking for card details, postcode, and date of birth only. I don't think I could devise a system less secure than that if I tried. For instance, it still provides absolutely zero protection against someone you know "borrowing" your credit card: shouldn't that be something passwords protect against?

I mean, I understand -- they don't want to be inundated with phone calls from people saying "I tried to buy something and I couldn't, what's wrong". But after all the brouhaha about verified by visa I thought maybe you needed to speak to someone in person, or at least need the right dongle to reset it. But no, I was insufficiently cynical. Again.

There's probably some other good reason I should know about but don't? I hope?

I do not think that if people were asked to predict my major flaw they would guess "insufficiently cynical about human stupidity". But apparently, I am. Can I rebrand it as "optimism" or "faith in mankind"..? :)

Date: 2012-10-28 01:03 pm (UTC)
From: [personal profile] kaberett
There are some cases in which it is Worse Even Than That, but I am not willing to go into details of my personal experience in public ;)

Date: 2012-10-28 08:41 pm (UTC)
From: [identity profile] eudoxiafriday.wordpress.com
Wow, I haven't encountered that - maybe because I just know my verified by visa password so I haven't looked for alternatives?

Two similar things I am annoyed about although more because they are confusing than because they are less secure:

(1) one of my banks uses Verified by Visa in the way that I assume it is supposed to be used - with an entirely different, separate password for all my internet banking. Another bank I bank with uses it using one of the words that is a password for my internet banking with them. Surely this is less safe! Also, when they ask for your verified with visa password I am thinking "huh? Did I set one up? they only started this recently ..." not "Oh! It is Memorable Piece of Information X which I gave them several years ago when setting up internet banking!"

(2) For Virgin Media, there are separate passwords for logging in online and for identifying yourself to a person over the phone (good, right?). But the password you need to key in a few characters of on the keypad automated system when you're on the phone to them *before* you get to a person is your password from your online banking, *not* the password from your phone banking. Cue me getting that wrong every time I call them before I go "wait, there was something weird about this ... I should try the internet password?". I would have thought it would be better to keep the two systems (me accessing my details by logging in online / a customer services person accessing my details on their central system) completely separated wrt security procedures?

Date: 2012-10-29 12:28 am (UTC)
From: [personal profile] forestofglory
"Verified by Visa" refuses to accept my UK debit card, because it is not attached to a UK postcode. Last time I bought train tickets online I had to use a different card -- and thus pay to have money exchanged. It was very frustrating.

Date: 2012-10-29 09:43 am (UTC)
From: [personal profile] corrvin
I'm still perplexed why the way to "verify my identity" by default is to give information that isn't very secret. I mean, these days, a lot of people's mothers are still using their birth names; birthdays are something everyone with a Facebook account knows about; and that leaves only the things that you may not easily give out, but that you can't change even after you've given them out.

Shouldn't verifying who I am involve something more inherently secure? I mean, ask me a question about something that isn't the subject of a yearly party. Ask when I got divorced. WHY I got divorced. Ask what awful thing I called a certain ex once. Ask me about something I'm ashamed of. That seems much more secure than birthday, zip code, and my mother's name!