Co-op Bank and Verified by Visa
Nicholas Bohm
nbohm at ernest.net
Thu Jun 18 13:12:16 BST 2009
Richard Brooksby wrote:
> I'm getting into a battle with the Co-operative Bank over their
> implementation of the Verified by Visa scheme. I thought I'd let you
> know about it, and also see if you agree with my position or have any
> suggestions.
>
> A few months ago, while shopping online at a random new site, I was
> asked to enter my "memorable name" in order to verify my Visa card
> transaction. The "memorable name" is one of the secrets I share with
> the Co-op when using on-line or telephone banking. However, the site
> that was asking me to enter it was unknown to me. I closed the window
> and was unable to shop with that merchant.
>
> I had an e-mail conversation with the bank. Here it is, with some
> quotations and boilerplate elided.
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-02-05 15:15:26 GMT
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Unverifiable request for security details
>>
>> I recently attempted to buy an item on-line and was prompted to enter
>> my "Memorable Name" by a site that was not the Co-operative on-line
>> banking site. I have no way of knowing whether or not this request is
>> genuine, or whether or not the request has anything to do with the
>> Co-operative Bank, or whether it is being processed in a secure manner.
>>
>> I had already entered my credit card details (which are not secrets)
>> and was then prompted for secret information. I took this screenshot:
>
> [screenshot removed to stay within ukcrypto posting limit]
>
>> There is no way I will type my security information into a third-party
>> web site, and so I was unable to complete the purchase.
>>
>> If this is a genuine scheme, is there a way I can opt out of it? It
>> seems terribly insecure. Anyone at all could put up a window with
>> these graphics on it and request my security information.
>>
>> Thank you.
>
> Begin forwarded message:
>
>> From: ihaveseenascam at co-operativebank.co.uk
>> Date: 2009-02-06 15:54:32 GMT
>> To: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Subject: Re: Unverifiable request for security details
>>
>> Hello
>>
>> Thanks for your message.
>>
>> This is the verified by visa screen that adds more security onto your
>> account while making purchases online. For more information please
>> call us on 0845 600 6000.
>>
>> Thanks
>>
>> Andy
>
> Begin forwarded message:
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-02-09 09:56:10 GMT
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Re: Unverifiable request for security details
>>
>> On 2009-02-06, at 15:54, ihaveseenascam at co-operativebank.co.uk wrote:
>>
>>> This is the verified by visa screen that adds more security onto your
>>> account while making purchases online. For more information please
>>> call us on 0845 600 6000.
>>
>> Hello Andy.
>>
>> I know that it claims to be a "verified by visa" screen, and I have
>> read the pages on the Visa web site about the scheme. But the problem
>> is that it is prompting me for secret information which should only be
>> shared with the Co-operative bank, and it is doing so from a third
>> party web site which I have no relationship with.
>>
>> ANY web site could make such a screen appear. Are you saying I should
>> enter my security details into anything which looks like this?
>>
>> Do you see the problem?
>
> Begin forwarded message:
>
>> From: ihaveseenascam at co-operativebank.co.uk
>> Date: 2009-02-09 12:50:17 GMT
>> To: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Subject: Re: Unverifiable request for security details
> ...
>> I can understand your concern. However, a way of identifying whether the
>> request is genuine is that the system will ask for your memorable name, if
>> you are using a Co-operative Bank or smile.co.uk card. Any other cards you
>> use will ask for a different piece of information.
>>
>> I hope this information helps.
>
> Begin forwarded message:
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-02-10 12:15:42 GMT
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Re: Unverifiable request for security details
>>
>> On 2009-02-09, at 12:50, ihaveseenascam at co-operativebank.co.uk wrote:
>>
>>> I can understand your concern. However, a way of identifying whether the
>>> request is genuine is that the system will ask for your memorable name, if
>>> you are using a Co-operative Bank or smile.co.uk card. Any other cards
>>> you use will ask for a different piece of information.
>>
>> Are you saying that I can tell that the request is genuine precisely
>> because it asks me for secret information?
>>
>> So I should trust any web site which happens to know that the
>> Co-operative bank identifies its customers using a memorable name and
>> puts up a plausible looking graphic?
>
> Begin forwarded message:
>
>> From: ihaveseenascam at co-operativebank.co.uk
>> Date: 2009-02-10 17:58:16 GMT
>> To: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Subject: Re: Unverifiable request for security details
> ...
>> The information on the last email I sent you is more a guide than a strict
>> rule. I would suggest you only make purchases from websites you are
>> familiar with and trust. If you are ever in any doubt as to the
>> authenticity of the website and Verified by Visa interface, do not enter
>> any details. It may also be worth contacting the company you intend to
>> make the purchase from via the telephone to check their authenticity.
>>
>> Please note, you are also covered by our Fraud guarantee and if you find
>> you have any transactions on your account that you're not aware of, please
>> call our customer service team on 08457 212 212 and we'll be happy to
>> investigate them for you.
>
> Begin forwarded message:
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-02-11 14:15:49 GMT
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Re: Unverifiable request for security details
> ...
>> On 2009-02-10, at 17:58, ihaveseenascam at co-operativebank.co.uk wrote:
>>
>>> ... I would suggest you only make purchases from websites you are
>>> familiar with and trust. If you are ever in any doubt as to the
>>> authenticity of the website and Verified by Visa interface, do not
>>> enter any details. ...
>>
>> Well, I don't intend to enter my Co-op security information into
>> anything except the Co-op web site.
>>
>> Is there a way to opt out of the "Verified by Visa" system so that I
>> am not prompted for this information? It is currently preventing me
>> from making purchases on the web, since it insists on this information
>> and I cannot verify that it is authentic.
>
>
> Begin forwarded message:
>
>> From: ihaveseenascam at co-operativebank.co.uk
>> Date: 2009-02-11 15:04:11 GMT
>> To: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Subject: Re: Unverifiable request for security details
> ...
>> I believe it should be possible to opt out of the verification process.
>> Please call our customer service team on 0845 600 6000 and we'll be happy
>> to help you.
>
> I dropped the matter until a few days ago, when I was once again asked
> to enter my memorable name when shopping for RAM from crucial.com (who
> do a great job, btw). In this case I avoided the issue by paying via
> PayPal.
>
> But then I phoned the bank. I was told that no, it is not possible to
> opt out. It is also not possible to use a different secret for Verified
> by Visa, only the memorable name. In fact, the person on the phone
> explicitly said this would be the same as the secret used for telephone
> banking.
>
> I won't bore you with all the other bogus reassurances I was given.
> (You're safe if the little lock appears in the window, for example.)
> Suffice it to say that they didn't understand very much about security.
> I asked to speak to someone who did, and they said they'd get a manager
> to call back. So far, no call.
>
> I started drafting an e-mail reply, partly so I would have some notes if
> I get a call. Here's what I've gathered.
>
> Begin forwarded message:
>
>> From: Richard Brooksby <Richard.Brooksby at pobox.com>
>> Date: 2009-06-16 14:03:15 BST
>> To: ihaveseenascam at co-operativebank.co.uk
>> Subject: Re: Unverifiable request for security details
>>
>> On 2009-02-11, at 15:04, ihaveseenascam at co-operativebank.co.uk wrote:
>>
>>> I believe it should be possible to opt out of the verification process.
>>> Please call our customer service team on 0845 600 6000 and we'll be happy
>>> to help you.
>>
>> Unfortunately, I am told that it is not possible to do so, nor is it
>> possible to specify a different set of secret information that will be
>> used. It was confirmed to me on the telephone that the "memorable
>> name" is indeed the same one used to verify me for telephone banking.
>> This is terribly insecure. It is quite easy for someone to make a
>> fake Verified by Visa page which gets this information from your
>> customers. There is quite a lot of evidence that this is ALREADY
>> happening. See below.
>>
>> I also refer you to this article in Computing magazine
>> <http://www.computing.co.uk/itweek/news/2214146/industry-lays-secure>:
>>
>>> At a recent roundtable event hosted by fraud detection firm
>>> CyberSource, experts from banking, e-commerce and academia argued
>>> that 3-D Secure – which comprises Verified by Visa and Mastercard
>>> SecureCode – is fundamentally insecure.
>>
>>> Mick Scott of lastminute.com said the firm had found one case of
>>> fraudulent activity on a UK card which was nevertheless authorised
>>> using Verified by Visa.
>>
>> Also, to the Intrinsic Security blog entry, which explains in some
>> detail why this scheme is so flawed
>> <http://antiworm.blogspot.com/2006/02/verified-by-visa-veriphied-phishing.html>.
>>
>>
>> You will see in the follow-up comments to that blog entry that people
>> are ALREADY victims of Verified By Visa man-in-the-middle attacks
>> where their secrets have been stolen and transactions made.
>>
>> Jon Varco, head of Verified by Visa, says that this is a "voluntary
>> scheme", but you are forcing everyone to use it, in spite of its huge
>> flaws and the security risk it introduces.
>>
>> It's clear from Visa's own site (for example, see
>> <http://www.visaeurope.com/personal/onlineshopping/verifiedbyvisa/main.jsp>)
>> that banks are intended to ask customers to voluntarily enroll in the
>> "Verified by Visa" scheme. The Co-operative Bank appears to have
>> failed (or decided not) to do this, but to enroll its customers
>> without consulting them. Would it be possible to find out how this
>> policy decision was made?
>
> So, that's it until today.
>
> Is my analysis and are my assertions correct?
>
> Any advice or suggestions?
>
> Any related insights about what's going on?
>
> I don't want to leave Co-op, but I might have to get a card from someone
> else with a better security policy.
In my experience the Verified by Visa and Mastercard SecureCode sites
show me a memorable phrase of my own choosing (set at registration) as a
form of authentication. Weak but better than nothing; and my bank
(Coutts) allows me to use a password for these sites which is not the
same as anything I use elsewhere. So these are grounds on which you
might challenge the Co-op's implementation.
The system nevertheless seems fairly feeble. Twice it has failed to
recognise correct entries, but its response is to invite me to set a new
password. When I set the existing password, it accepts it. (This may
suggest that a crook went through the same process to enter their
password, and I am merely returning to the status quo ante; but the
statements show no fraudulent entries).
I think your analysis and assertions are right; whether they will reach
anyone in the Co-op capable of understanding them is doubtful. It will
be very interesting to see if in searching for a card whose issuer has a
better policy, you can find anyone among the prospective issuers who can
understand what you are asking for. I would not be hopeful.
Nicholas
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
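Added illustration for this thread, not part of the message above and not Visa's, the Co-op's or any issuer's code: a toy Python model of the 3-D Secure cardholder step. It shows what the memorable phrase of one's own choosing buys and what it does not: a look-alike page that never talks to the issuer cannot show the right phrase (so a cardholder who checks it refuses), but a merchant that relays the genuine form from the issuer's server gets the phrase for free and still captures the password, the man-in-the-middle case referred to in the forwarded e-mail. The class names (IssuerACS, RelayingMerchant and so on), the card number and all secrets are constructed for the example.

```python
# Added illustration for this thread, not Visa's, the Co-op's or anyone's
# production code.  Stripped-down model of the 3-D Secure cardholder step:
# a merchant page embeds the issuer's authentication form, the issuer's
# access control server (ACS) shows the cardholder the phrase they chose at
# enrolment, and the cardholder types a password.  All names, the card
# number and the secrets below are constructed for the example.
import hmac
from dataclasses import dataclass, field


@dataclass
class CardRecord:
    password: str          # secret the issuer checks (at the Co-op, also the phone-banking secret)
    assurance_phrase: str  # phrase chosen by the cardholder at enrolment, echoed back on the form


class IssuerACS:
    """Issuer side: hands out the cardholder's own phrase, then checks the password."""

    def __init__(self, cards):
        self._cards = cards

    def start(self, pan):
        """Called by whoever embeds the form; returns the phrase to display for this card."""
        rec = self._cards.get(pan)
        return rec.assurance_phrase if rec else None

    def verify(self, pan, password):
        rec = self._cards.get(pan)
        return rec is not None and hmac.compare_digest(rec.password, password)


@dataclass
class Cardholder:
    pan: str
    password: str
    expected_phrase: str
    checks_phrase: bool = True  # False models a user who ignores the phrase

    def answer(self, form):
        """Type the password into the form, or refuse if the phrase shown is not ours."""
        if self.checks_phrase and form.get("phrase") != self.expected_phrase:
            return None
        return self.password


class HonestMerchant:
    """Embeds the genuine issuer form.  In the real scheme the form posts straight
    to the issuer; here the merchant object just carries the messages."""

    def __init__(self, acs):
        self.acs = acs

    def checkout(self, holder):
        form = {"phrase": self.acs.start(holder.pan)}
        pw = holder.answer(form)
        return pw is not None and self.acs.verify(holder.pan, pw)


@dataclass
class LookalikeMerchant:
    """Phishing page that copies the graphics but never contacts the issuer."""
    captured: list = field(default_factory=list)

    def checkout(self, holder):
        form = {"phrase": "Verified by Visa"}  # attacker does not know the real phrase
        pw = holder.answer(form)
        if pw is not None:
            self.captured.append((holder.pan, pw))
        return pw is not None


class RelayingMerchant:
    """Man-in-the-middle: fetches the genuine phrase from the real ACS, shows it,
    records the password, then completes the real authentication so nothing looks wrong."""

    def __init__(self, acs):
        self.acs = acs
        self.captured = []

    def checkout(self, holder):
        form = {"phrase": self.acs.start(holder.pan)}  # genuine phrase, obtained by relaying
        pw = holder.answer(form)
        if pw is not None:
            self.captured.append((holder.pan, pw))
        return pw is not None and self.acs.verify(holder.pan, pw)


def run_scenarios():
    """Run the four cases and report who ended up with the secret."""
    pan = "4111111111111111"  # constructed test number
    acs = IssuerACS({pan: CardRecord("correct horse", "my dog Rover")})
    careful = Cardholder(pan, "correct horse", "my dog Rover")
    careless = Cardholder(pan, "correct horse", "my dog Rover", checks_phrase=False)

    honest_ok = HonestMerchant(acs).checkout(careful)
    lookalike = LookalikeMerchant()
    lookalike.checkout(careful)
    careless_lookalike = LookalikeMerchant()
    careless_lookalike.checkout(careless)
    relay = RelayingMerchant(acs)
    relay.checkout(careful)

    return {
        "honest_ok": honest_ok,                                            # True
        "lookalike_captured": len(lookalike.captured),                     # 0: wrong phrase, user refuses
        "careless_lookalike_captured": len(careless_lookalike.captured),   # 1: user ignored the phrase
        "relay_captured": len(relay.captured),                             # 1: phrase cannot stop a relay
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The relay case is the one the phrase cannot fix: whoever is showing you the form can also fetch the genuine phrase from the issuer, so the phrase only defends against a crook too lazy to relay. That is why a password used for nothing else (as Coutts allows) limits the damage, and why reusing the telephone-banking secret, as the Co-op does, turns a captured card password into a captured bank account.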
More information about the ukcrypto mailing list