Co-op Bank and Verified by Visa
Richard Brooksby
rb at ravenbrook.com
Thu Jun 18 11:45:55 BST 2009
I'm getting into a battle with the Co-operative Bank over their
implementation of the Verified by Visa scheme. I thought I'd let you
know about it, and also see if you agree with my position or have any
suggestions.
A few months ago, while shopping online at a random new site, I was
asked to enter my "memorable name" in order to verify my Visa card
transaction. The "memorable name" is one of the secrets I share with
the Co-op when using on-line or telephone banking. However, the site
that was asking me to enter it was unknown to me. I closed the window
and was unable to shop with that merchant.
I had an e-mail conversation with the bank. Here it is, with some
quotations and boilerplate elided.
> From: Richard Brooksby <Richard.Brooksby at pobox.com>
> Date: 2009-02-05 15:15:26 GMT
> To: ihaveseenascam at co-operativebank.co.uk
> Subject: Unverifiable request for security details
>
> I recently attempted to buy an item on-line and was prompted to
> enter my "Memorable Name" by a site that was not the Co-operative on-
> line banking site. I have no way of knowing whether or not this
> request is genuine, or whether or not the request has anything to
> do with the Co-operative Bank, or whether it is being processed in a
> secure manner.
>
> I had already entered my credit card details (which are not secrets)
> and was then prompted for secret information. I took this screenshot:
[screenshot removed to stay within ukcrypto posting limit]
> There is no way I will type my security information into a third-
> party web site, and so I was unable to complete the purchase.
>
> If this is a genuine scheme, is there a way I can opt out of it? It
> seems terribly insecure. Anyone at all could put up a window with
> these graphics on it and request my security information.
>
> Thank you.
Begin forwarded message:
> From: ihaveseenascam at co-operativebank.co.uk
> Date: 2009-02-06 15:54:32 GMT
> To: Richard Brooksby <Richard.Brooksby at pobox.com>
> Subject: Re: Unverifiable request for security details
>
> Hello
>
> Thanks for your message.
>
> This is the verified by visa screen that adds more security onto your
> account while making purchases online. For more information please
> call us on 0845 600 6000.
>
> Thanks
>
> Andy
Begin forwarded message:
> From: Richard Brooksby <Richard.Brooksby at pobox.com>
> Date: 2009-02-09 09:56:10 GMT
> To: ihaveseenascam at co-operativebank.co.uk
> Subject: Re: Unverifiable request for security details
>
> On 2009-02-06, at 15:54, ihaveseenascam at co-operativebank.co.uk wrote:
>
>> This is the verified by visa screen that adds more security onto your
>> account while making purchases online. For more information please
>> call us on 0845 600 6000.
>
> Hello Andy.
>
> I know that it claims to be a "verified by visa" screen, and I have
> read the pages on the Visa web site about the scheme. But the
> problem is that it is prompting me for secret information which
> should only be shared with the Co-operative bank, and it is doing so
> from a third party web site which I have no relationship with.
>
> ANY web site could make such a screen appear. Are you saying I
> should enter my security details into anything which looks like this?
>
> Do you see the problem?
Begin forwarded message:
> From: ihaveseenascam at co-operativebank.co.uk
> Date: 2009-02-09 12:50:17 GMT
> To: Richard Brooksby <Richard.Brooksby at pobox.com>
> Subject: Re: Unverifiable request for security details
...
> I can understand your concern. However, a way of identifying whether
> the request is genuine is the system will ask for your memorable name,
> if you are using a Co-operative Bank or smile.co.uk card. Any other
> cards you use will ask for a different piece of information.
>
> I hope this information helps.
Begin forwarded message:
> From: Richard Brooksby <Richard.Brooksby at pobox.com>
> Date: 2009-02-10 12:15:42 GMT
> To: ihaveseenascam at co-operativebank.co.uk
> Subject: Re: Unverifiable request for security details
>
> On 2009-02-09, at 12:50, ihaveseenascam at co-operativebank.co.uk wrote:
>
>> I can understand your concern. However, a way of identifying whether
>> the request is genuine is the system will ask for your memorable name,
>> if you are using a Co-operative Bank or smile.co.uk card. Any other
>> cards you use will ask for a different piece of information.
>
> Are you saying that I can tell that the request is genuine precisely
> because it asks me for secret information?
>
> So I should trust any web site which happens to know that the Co-
> operative bank identifies its customers using a memorable name and
> puts up a plausible looking graphic?
Begin forwarded message:
> From: ihaveseenascam at co-operativebank.co.uk
> Date: 2009-02-10 17:58:16 GMT
> To: Richard Brooksby <Richard.Brooksby at pobox.com>
> Subject: Re: Unverifiable request for security details
...
> The information on the last email I sent you is more a guide than a
> strict rule. I would suggest you only make purchases from websites you
> are familiar with and trust. If you are ever in any doubt as to the
> authenticity of the website and Verified by Visa interface, do not
> enter any details. It may also be worth contacting the company you
> intend to make the purchase from via the telephone to check their
> authenticity.
>
> Please note, you are also covered by our Fraud guarantee and if you
> find you have any transactions on your account that you're not aware
> of, please call our customer service team on 08457 212 212 and we'll
> be happy to investigate them for you.
Begin forwarded message:
> From: Richard Brooksby <Richard.Brooksby at pobox.com>
> Date: 2009-02-11 14:15:49 GMT
> To: ihaveseenascam at co-operativebank.co.uk
> Subject: Re: Unverifiable request for security details
...
> On 2009-02-10, at 17:58, ihaveseenascam at co-operativebank.co.uk wrote:
>
>> ... I would suggest you only make purchases from websites you are
>> familiar with and trust. If you are ever in any doubt as to the
>> authenticity of the website and Verified by Visa interface, do not
>> enter any details. ...
>
> Well, I don't intend to enter my Co-op security information into
> anything except the Co-op web site.
>
> Is there a way to opt out of the "Verified by Visa" system so that I
> am not prompted for this information? It is currently preventing me
> from making purchases on the web, since it insists on this
> information and I cannot verify that it is authentic.
Begin forwarded message:
> From: ihaveseenascam at co-operativebank.co.uk
> Date: 2009-02-11 15:04:11 GMT
> To: Richard Brooksby <Richard.Brooksby at pobox.com>
> Subject: Re: Unverifiable request for security details
...
> I believe it should be possible to opt out of the verification process.
> Please call our customer service team on 0845 600 6000 and we'll be
> happy to help you.
I dropped the matter until a few days ago, when I was once again asked
to enter my memorable name when shopping for RAM from crucial.com (who
do a great job, btw). In this case I avoided the issue by paying via
PayPal.
But then I phoned the bank. I was told that no, it is not possible to
opt out. It is also not possible to use a different secret for
Verified by Visa, only the memorable name. In fact, the person on the
phone explicitly said this would be the same as the secret used for
telephone banking.
I won't bore you with all the other bogus reassurances I was given.
(You're safe if the little lock appears in the window, for example.)
Suffice it to say that they didn't understand very much about
security. I asked to speak to someone who did, and they said they'd
get a manager to call back. So far, no call.
I started drafting an e-mail reply, partly so I would have some notes
if I get a call. Here's what I've gathered.
Begin forwarded message:
> From: Richard Brooksby <Richard.Brooksby at pobox.com>
> Date: 2009-06-16 14:03:15 BST
> To: ihaveseenascam at co-operativebank.co.uk
> Subject: Re: Unverifiable request for security details
>
> On 2009-02-11, at 15:04, ihaveseenascam at co-operativebank.co.uk wrote:
>
>> I believe it should be possible to opt out of the verification
>> process. Please call our customer service team on 0845 600 6000 and
>> we'll be happy to help you.
>
> Unfortunately, I am told that it is not possible to do so, nor is it
> possible to specify a different set of secret information that will
> be used. It was confirmed to me on the telephone that the
> "memorable name" is indeed the same one used to verify me for
> telephone banking. This is terribly insecure. It is quite easy for
> someone to make a fake Verified by Visa page which gets this
> information from your customers. There is quite a lot of evidence
> that this is ALREADY happening. See below.
>
> I also refer you to this article in Computing magazine
> <http://www.computing.co.uk/itweek/news/2214146/industry-lays-secure>:
>
>> At a recent roundtable event hosted by fraud detection firm
>> CyberSource, experts from banking, e-commerce and academia argued
>> that 3-D Secure – which comprises Verified by Visa and Mastercard
>> SecureCode – is fundamentally insecure.
>
>> Mick Scott of lastminute.com said the firm had found one case of
>> fraudulent activity on a UK card which was nevertheless authorised
>> using Verified by Visa.
>
> Also, to the Intrinsic Security blog entry, which explains in some
> detail why this scheme is so flawed
> <http://antiworm.blogspot.com/2006/02/verified-by-visa-veriphied-phishing.html>.
>
> You will see in the follow-up comments to that blog entry that
> people are ALREADY victims of Verified By Visa man-in-the-middle
> attacks where their secrets have been stolen and transactions made.
>
> Jon Varco, head of Verified by Visa, says that this is a "voluntary
> scheme", but you are forcing everyone to use it, in spite of its
> huge flaws and the security risk it introduces.
>
> It's clear from Visa's own site (for example, see
> <http://www.visaeurope.com/personal/onlineshopping/verifiedbyvisa/main.jsp>)
> that banks are intended to ask customers to voluntarily enroll in
> the "Verified by Visa" scheme. The Co-operative Bank appears to
> have failed (or decided not) to do this, but to enroll its customers
> without consulting them. Would it be possible to find out how this
> policy decision was made?
So, that's it until today.
Is my analysis and are my assertions correct?
Any advice or suggestions?
Any related insights about what's going on?
I don't want to leave Co-op, but I might have to get a card from
someone else with a better security policy.
---
Richard Brooksby <rb at ravenbrook.com> Senior Consultant
Ravenbrook Limited <http://www.ravenbrook.com/>
Voice: +44 777 9996245 Fax: +44 870 1641432
AIM: hothquist Yahoo: gresque Jabber: hothquist at jabber.org
LinkedIn: <http://www.linkedin.com/in/richardbrooksby>