Verified by visa
Oct. 28th, 2012 12:37 pm
AAAAAAAAAAAAAUGH!
How can the banking industry know less about security than me?
A while ago, "Verified by Visa" became compulsory when buying things online. In order to buy anything, you have to know your verified by visa password.
Except, SURPRISE! You don't have to. You can either know your verified by visa password "passcode", OR know your card details, postcode and date of birth.
Seriously, that's strictly less secure than asking for card details, postcode, and date of birth only. I don't think I could devise a system less secure than that if I tried. For instance, it still provides absolutely zero protection against someone you know "borrowing" your credit card: shouldn't that be something passwords protect against?
I mean, I understand -- they don't want to be inundated with phone calls from people saying "I tried to buy something and I couldn't, what's wrong". But after all the brouhaha about verified by visa I thought maybe you needed to speak to someone in person, or at least need the right dongle to reset it. But no, I was insufficiently cynical. Again.
There's probably some other good reason I should know about but don't? I hope?
I do not think that if people were asked to predict my major flaw they would guess "insufficiently cynical about human stupidity". But apparently, I am. Can I rebrand it as "optimism" or "faith in mankind"..? :)
no subject
Date: 2012-10-28 01:03 pm (UTC)
no subject
Date: 2012-10-28 08:41 pm (UTC)
Two similar things I am annoyed about although more because they are confusing than because they are less secure:
(1) one of my banks uses Verified by Visa in the way that I assume it is supposed to be used - with an entirely different, separate password for all my internet banking. Another bank I bank with uses it using one of the words that is a password for my internet banking with them. Surely this is less safe! Also, when they ask for your verified with visa password I am thinking "huh? Did I set one up? they only started this recently ..." not "Oh! It is Memorable Piece of Information X which I gave them several years ago when setting up internet banking!"
(2) For Virgin Media, there are separate passwords for logging in online and for identifying yourself to a person over the phone (good, right?). But the password you need to key in a few characters of on the keypad automated system when you're on the phone to them *before* you get to a person is your password from your online banking, *not* the password from your phone banking. Cue me getting that wrong every time I call them before I go "wait, there was something weird about this ... I should try the internet password?". I would have thought it would be better to keep the two systems (me accessing my details by logging in online / a customer services person accessing my details on their central system) completely separated wrt security procedures?
no subject
Date: 2012-10-28 08:51 pm (UTC)
Yeah, I _thought_ I did (I always get muddled because I used my "secret bank password" but I had to recapitalise it), but it turned out resetting was really easy...
no subject
Date: 2012-10-29 12:28 am (UTC)
no subject
Date: 2012-10-29 09:43 am (UTC)
Shouldn't verifying who I am involve something more inherently secure? I mean, ask me a question about something that isn't the subject of a yearly party. Ask when I got divorced. WHY I got divorced. Ask what awful thing I called a certain ex once. Ask me about something I'm ashamed of. That seems much more secure than birthday, zip code, and my mother's name!