Co-op Bank and Verified by Visa
Andrew T
cybergibbons at gmail.com
Thu Jun 18 12:00:52 BST 2009
It's interesting that your bank has entered into a fairly prolonged
dialogue about this - all my attempts meet with closed tickets after
the first response.
Barclays, Barclaycard, Egg and Halifax have all entered me into the
scheme without asking, and none of them will allow me to opt out.
Interestingly, Egg seems to have two VbV usernames associated with my
account. When I get presented with the first screen of VbV, the
username box is a dropdown with the same name, bar the end digits (134
vs 173) or something. Only one of them can be reset and used, the
other appears to reset but then won't work.
I asked them how it would be possible for two usernames to be
associated with the same card, but have yet to receive a satisfactory
response.
As an aside, I also asked if I needed to be truthful when answering
the "Mother's Maiden Name" question. Barclays and Barclaycard said
yes, the other two didn't seem to know. It's amusing answering the
question with "Egg, Dog" and "Chickenpoppers".
Andrew
2009/6/18 Richard Brooksby <rb at ravenbrook.com>:
> I'm getting into a battle with the Co-operative Bank over their
> implementation of the Verified by Visa scheme. I thought I'd let you know
> about it, and also see if you agree with my position or have any
> suggestions.
>
> A few months ago, while shopping online at a random new site, I was asked to
> enter my "memorable name" in order to verify my Visa card transaction. The
> "memorable name" is one of the secrets I share with the Co-op when using
> on-line or telephone banking. However, the site that was asking me to enter
> it was unknown to me. I closed the window and was unable to shop with that
> merchant.
>
> I had an e-mail conversation with the bank. Here it is, with some
> quotations and boilerplate elided.
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-02-05 15:15:26 GMT
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Unverifiable request for security details
>>
>> I recently attempted to buy an item on-line and was prompted to enter my
>> "Memorable Name" by a site that was not the Co-operative on-line banking
>> site. I have no way of knowing whether or not this request is genuine, or
>> whether or not the request has anything to do with the Co-operative Bank,
>> or whether it is being processed in a secure manner.
>>
>> I had already entered my credit card details (which are not secrets) and
>> was then prompted for secret information. I took this screenshot:
>
> [screenshot removed to stay within ukcrypto posting limit]
>
>> There is no way I will type my security information into a third-party web
>> site, and so I was unable to complete the purchase.
>>
>> If this is a genuine scheme, is there a way I can opt out of it? It seems
>> terribly insecure. Anyone at all could put up a window with these graphics
>> on it and request my security information.
>>
>> Thank you.
>
> Begin forwarded message:
>
>> From: ihaveseenascam at co-operativebank.co.uk
>> Date: 2009-02-06 15:54:32 GMT
>> To: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Subject: Re: Unverifiable request for security details
>>
>> Hello
>>
>> Thanks for your message.
>>
>> This is the verified by visa screen that adds more security onto your
>> account while making purchases online. For more information please call
>> us
>> on 0845 600 6000.
>>
>> Thanks
>>
>> Andy
>
> Begin forwarded message:
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-02-09 09:56:10 GMT
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Re: Unverifiable request for security details
>>
>> On 2009-02-06, at 15:54, ihaveseenascam at co-operativebank.co.uk wrote:
>>
>>> This is the verified by visa screen that adds more security onto your
>>> account while making purchases online. For more information please call
>>> us on 0845 600 6000.
>>
>> Hello Andy.
>>
>> I know that it claims to be a "verified by visa" screen, and I have read
>> the pages on the Visa web site about the scheme. But the problem is that it
>> is prompting me for secret information which should only be shared with the
>> Co-operative bank, and it is doing so from a third party web site which I
>> have no relationship with.
>>
>> ANY web site could make such a screen appear. Are you saying I should
>> enter my security details into anything which looks like this?
>>
>> Do you see the problem?
>
> Begin forwarded message:
>
>> From: ihaveseenascam at co-operativebank.co.uk
>> Date: 2009-02-09 12:50:17 GMT
>> To: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Subject: Re: Unverifiable request for security details
>
> ...
>>
>> I can understand your concern. However, a way of identifying whether the
>> request is genuine is that the system will ask for your memorable name, if you
>> are using a Co-operative Bank or smile.co.uk card. Any other cards you
>> use
>> will ask for a different piece of information.
>>
>> I hope this information helps.
>
> Begin forwarded message:
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-02-10 12:15:42 GMT
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Re: Unverifiable request for security details
>>
>> On 2009-02-09, at 12:50, ihaveseenascam at co-operativebank.co.uk wrote:
>>
>>> I can understand your concern. However, a way of identifying whether the
>>> request is genuine is that the system will ask for your memorable name, if you
>>> are using a Co-operative Bank or smile.co.uk card. Any other cards you
>>> use will ask for a different piece of information.
>>
>> Are you saying that I can tell that the request is genuine precisely
>> because it asks me for secret information?
>>
>> So I should trust any web site which happens to know that the Co-operative
>> bank identifies its customers using a memorable name and puts up a plausible
>> looking graphic?
>
> Begin forwarded message:
>
>> From: ihaveseenascam at co-operativebank.co.uk
>> Date: 2009-02-10 17:58:16 GMT
>> To: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Subject: Re: Unverifiable request for security details
>
> ...
>>
>> The information on the last email I sent you is more a guide than a strict
>> rule. I would suggest you only make purchases from websites you are
>> familiar with and trust. If you are ever in any doubt as to the
>> authenticity of the website and Verified by Visa interface, do not enter
>> any details. It may also be worth contacting the company you intend to
>> make the purchase from via the telephone to check their authenticity.
>>
>> Please note, you are also covered by our Fraud guarantee and if you find
>> you have any transactions on your account that you're not aware of, please
>> call our customer service team on 08457 212 212 and we'll be happy to
>> investigate them for you.
>
> Begin forwarded message:
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-02-11 14:15:49 GMT
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Re: Unverifiable request for security details
>
> ...
>>
>> On 2009-02-10, at 17:58, ihaveseenascam at co-operativebank.co.uk wrote:
>>
>>> ... I would suggest you only make purchases from websites you are
>>> familiar with and trust. If you are ever in any doubt as to the
>>> authenticity of the website and Verified by Visa interface, do not enter
>>> any details. ...
>>
>> Well, I don't intend to enter my Co-op security information into anything
>> except the Co-op web site.
>>
>> Is there a way to opt out of the "Verified by Visa" system so that I am
>> not prompted for this information? It is currently preventing me from
>> making purchases on the web, since it insists on this information and I
>> cannot verify that it is authentic.
>
>
> Begin forwarded message:
>
>> From: ihaveseenascam at co-operativebank.co.uk
>> Date: 2009-02-11 15:04:11 GMT
>> To: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Subject: Re: Unverifiable request for security details
>
> ...
>>
>> I believe it should be possible to opt out of the verification process.
>> Please
>> call our customer service team on 0845 600 6000 and we'll be happy to help
>> you.
>
> I dropped the matter until a few days ago, when I was once again asked to
> enter my memorable name when shopping for RAM from crucial.com (who do a
> great job, btw). In this case I avoided the issue by paying via PayPal.
>
> But then I phoned the bank. I was told that no, it is not possible to opt
> out. It is also not possible to use a different secret for Verified by
> Visa, only the memorable name. In fact, the person on the phone explicitly
> said this would be the same as the secret used for telephone banking.
>
> I won't bore you with all the other bogus reassurances I was given. (You're
> safe if the little lock appears in the window, for example.) Suffice it to
> say that they didn't understand very much about security. I asked to speak
> to someone who did, and they said they'd get a manager to call back. So
> far, no call.
>
> I started drafting an e-mail reply, partly so I would have some notes if I
> get a call. Here's what I've gathered.
>
> Begin forwarded message:
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-06-16 14:03:15 BST
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Re: Unverifiable request for security details
>>
>> On 2009-02-11, at 15:04, ihaveseenascam at co-operativebank.co.uk wrote:
>>
>>> I believe it should be possible to opt out of the verification process.
>>> Please
>>> call our customer service team on 0845 600 6000 and we'll be happy to
>>> help
>>> you.
>>
>> Unfortunately, I am told that it is not possible to do so, nor is it
>> possible to specify a different set of secret information that will be used.
>> It was confirmed to me on the telephone that the "memorable name" is indeed
>> the same one used to verify me for telephone banking. This is terribly
>> insecure. It is quite easy for someone to make a fake Verified by Visa page
>> which gets this information from your customers. There is quite a lot of
>> evidence that this is ALREADY happening. See below.
>>
>> I also refer you to this article in Computing magazine
>> <http://www.computing.co.uk/itweek/news/2214146/industry-lays-secure>:
>>
>>> At a recent roundtable event hosted by fraud detection firm CyberSource,
>>> experts from banking, e-commerce and academia argued that 3-D Secure – which
>>> comprises Verified by Visa and Mastercard SecureCode – is fundamentally
>>> insecure.
>>
>>> Mick Scott of lastminute.com said the firm had found one case of
>>> fraudulent activity on a UK card which was nevertheless authorised using
>>> Verified by Visa.
>>
>> Also, to the Intrinsic Security blog entry, which explains in some detail
>> why this scheme is so flawed
>> <http://antiworm.blogspot.com/2006/02/verified-by-visa-veriphied-phishing.html>.
>>
>> You will see in the follow-up comments to that blog entry that people are
>> ALREADY victims of Verified By Visa man-in-the-middle attacks where their
>> secrets have been stolen and transactions made.
>>
>> Jon Varco, head of Verified by Visa, says that this is a "voluntary
>> scheme", but you are forcing everyone to use it, in spite of its huge flaws
>> and the security risk it introduces.
>>
>> It's clear from Visa's own site (for example, see
>> <http://www.visaeurope.com/personal/onlineshopping/verifiedbyvisa/main.jsp>)
>> that banks are intended to ask customers to voluntarily enroll in the
>> "Verified by Visa" scheme. The Co-operative Bank appears to have failed (or
>> decided not) to do this, but to enroll its customers without consulting
>> them. Would it be possible to find out how this policy decision was made?
>
> So, that's it until today.
>
> Is my analysis and are my assertions correct?
>
> Any advice or suggestions?
>
> Any related insights about what's going on?
>
> I don't want to leave Co-op, but I might have to get a card from someone
> else with a better security policy.
>
> ---
> Richard Brooksby <rb at ravenbrook.com> Senior Consultant
> Ravenbrook Limited <http://www.ravenbrook.com/>
> Voice: +44 777 9996245 Fax: +44 870 1641432
> AIM: hothquist Yahoo: gresque Jabber: hothquist at jabber.org
> LinkedIn: <http://www.linkedin.com/in/richardbrooksby>
>
--
Andrew
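The thread's central point is that "it asks for your memorable name" is not a test a customer can use: any page can ask. The only property a customer could verify is the origin the prompt is served from, which the framed 3-D Secure design hides. The following is an added example, not code from the ukcrypto thread, from any bank or from Visa; it models the bank's suggested rule beside an origin-based rule and runs both over a set of constructed prompt URLs. The trusted host names are placeholders (the real ACS hostnames are not on the page), and the function and sample names are this example's own.

```python
"""Origin check for a hosted 3-D Secure (Verified by Visa) prompt.

Added example for the ukcrypto thread above; not the bank's or Visa's code.
The trusted host list is a constructed placeholder: the real issuer ACS
hostnames are not on the page and are not assumed here.
"""
from urllib.parse import urlsplit

# Constructed placeholder: hosts an issuer would publish as the origin of its
# authentication (ACS) prompt.  Not the real Co-op or Visa hostnames.
TRUSTED_ACS_HOSTS = frozenset({
    "acs.example-issuer.test",
    "secure.example-issuer.test",
})


def acs_origin_is_trusted(url: str, trusted_hosts=TRUSTED_ACS_HOSTS) -> bool:
    """Return True only if `url` is HTTPS and its host is exactly a trusted host.

    Rejects look-alike hosts (a trusted name used as a label prefix of a longer
    name), plain HTTP, userinfo tricks such as https://trusted@other, and
    strings that are not URLs at all.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    return host in trusted_hosts


def classify_prompt(url: str, asks_for_memorable_name: bool) -> dict:
    """Evaluate one prompt under both rules.

    `bank_rule` reproduces the advice given in the thread: treat the prompt as
    genuine if it asks for the memorable name.  `origin_rule` trusts only a
    known HTTPS origin, regardless of what the prompt asks for.
    """
    return {
        "url": url,
        "bank_rule": asks_for_memorable_name,
        "origin_rule": acs_origin_is_trusted(url),
    }


# Constructed sample prompts.  Every one of them asks for the memorable name,
# so every one of them passes the bank's rule; only the first passes the
# origin rule.
SAMPLE_PROMPTS = [
    ("https://acs.example-issuer.test/vbv/auth", True),            # genuine
    ("http://acs.example-issuer.test/vbv/auth", True),             # not HTTPS
    ("https://acs.example-issuer.test.other.test/vbv", True),      # look-alike host
    ("https://acs.example-issuer.test@other.test/vbv", True),      # userinfo trick
    ("https://merchant.example.test/checkout/vbv.html", True),     # merchant-hosted copy
]


def evaluate_samples(prompts=SAMPLE_PROMPTS) -> list:
    """Run both rules over the constructed prompts and return the verdicts."""
    return [classify_prompt(url, asks) for url, asks in prompts]


if __name__ == "__main__":
    for r in evaluate_samples():
        print(f"{r['url']:<52} bank_rule={r['bank_rule']!s:<5} "
              f"origin_rule={r['origin_rule']}")
```

The origin rule is what a customer would need in order to act on the bank's own later advice ("if you are ever in any doubt as to the authenticity of the ... Verified by Visa interface, do not enter any details"): it is decidable only if the browser exposes the URL the prompt was loaded from, which a prompt embedded in the merchant's page does not do.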