I’m not the kind of guy who falls for those super-obvious identity theft scams. I live online, I work in IT and I don’t really like sports. I’m pretty careful when it comes to plugging my credit card into the internet.
But last month, when I was stuck for rail tickets in Europe, I thought I’d slipped up. Turns out, it was just a “security feature.”
Here’s the story: Last month, my girlfriend and I had some trouble with our train tickets. Crouching on a hostel bunkbed, hands cramping on the tiny Eee PC keyboard, I was already in a bad mood about having to shell out another ₤180 for new train tickets.
But I was at the official Eurostar website, so at least I wasn’t worried about getting scammed.
Begrudgingly, I entered my name, address, credit card, CVC number, etc. I clicked “Proceed” and was redirected to a third party site, with my bank’s logo on it. And great, it’s asking me for my financial information again!

This screams “phishing scam” to anyone that ever bothers to look at the address bar in their browser.
So after a few panicked phone calls to the Visa Fraud line, the Eurostar people and my bank, I find out that not only is my identity safe and sound, SecureSuite.net and their “Verified by Visa” program are legitimate.
Visa really dropped the ball here. This is a terrible security strategy, and here’s why:
People, especially people that aren’t very tech savvy, are trained to not enter any financial information online when the website in the address bar looks fishy. A good example of “looking fishy” would be when a website in the address bar has absolutely nothing to do with the website you think you’re visiting. In this example, SecureSuite.net has nothing to do with any of the organizations I’m dealing with: Eurostar, Visa, or my bank.
Here are three steps Visa could take to fix this process:
- Ditch SecureSuite.net. This is not a familiar name. I have a Visa card, and an RBC account — I don’t have any association with some company called “SecureSuite.” Everything needs to go through domains owned by one of the companies I’m familiar with, and that I trust.
- Publicize this. Send emails to customers, make phone calls, hand out pamphlets. Your new security features should never look like a scam — and part of the reason this looked so much like a scam is that I’d never heard of Verified by Visa.
- If you absolutely must have vendors, like Eurostar, redirect customers to a domain that they aren’t going to recognize, make sure they give a warning. Even something simple, like “You will now be redirected to our security partners, SecureSuite.net. This is intended, and is not a browser hijack.”


15 comments
August 24, 2008 at 9:22 pm
Sara
Non-topical: there’s an interesting debate going on over at Justin’s site, about (among other things) the point at which a fetus becomes a person.
Thought you might be interested.
August 24, 2008 at 9:30 pm
Derek
Lovely.
I imagine it’s full of respect, feminism and level heads. I doubt there’s been a single comment using an inflammatory term like “infanticide” yet.
Thanks for the heads up. I’m tied up with work at the moment, but I’ll try to make my way over soon.
August 26, 2008 at 11:36 am
Jolly Sapper
Back to the topic…
I’m glad that somebody else gets just as freaked out when that extra Visa verification (Verisign?) page pops up, without warning.
It doesn’t help that I’ve only run into this twice over the years.
August 26, 2008 at 12:14 pm
Sara
Oh, topic! Right. Is it only a Canadian thing? Because I have a Visa and have never had this happen.
August 26, 2008 at 3:29 pm
Derek
Nope, not a Canadian thing. I was using a European site the first time I saw it.
One of the biggest problems is that it’s not standard procedure — some sites implement it, others don’t.
Visa is trying to pass the buck for online fraud to vendors: they want to make the argument that vendors should protect customer finances by using Verified by Visa — which is really just another password, and not much of an increase in security anyhow.
It’s a sloppy, poorly executed attempt to save their butts when someone gets phished.
February 20, 2009 at 3:23 am
Dave
Almost the exact same thing happened to me (just now in fact; which is why I’m posting here).
On making a transaction I was prompted to set up a verified by visa password etc (although I’ve done it before – go figure) and after I was sent an email from “barclays@securesuite.net” which totally freaked me out.
I’m glad somebody’s already inquired into this; this is a very helpful post! Thanks!
May 3, 2009 at 5:32 pm
Greg
Thanks for this post. I was just taken to securesite.net and thought I was being phished. Panic ensued…
Visa should take your recommendations to heart. The Verified by Visa process is just terrible as it stands.
May 6, 2009 at 9:13 am
Kevin
I just encountered the Verified by Visa program a second time, and while it met many of the standards you advocated above, I still think it’s a bad security practice to have someone enter in ANY sensitive private data (I had to enter my social security number last 4 digits and my postal code) into any site other than that of the financial institution itself. I was at the site of a retailer I trust, and the URL (and yes you are correct, we are trained to look) was entirely normal for this retailer’s web site. I was advised that the form was being served by the bank, however, the masthead was branded with the retailer, and the URL was that of the retailer. If Visa trains people to accept this kind of validation process, they expose themselves to fake web sites and unscrupulous web retailers who might take advantage of this new norm to gain the confidence of users and capture from them sensitive account information. Thus, the Verified by Visa program could actually result in reduced security and increased incidence of fraud. I think this was thought up as a punt by some suits who don’t understand the theories of online security. I have a proposal that Visa could use to achieve the same goal with real security:
Visa should provide OpenID service. I sign up for an OpenID account at Visa, they verify my identity, linking it to my bank account / credit card. I sign in with my Visa OpenID (or another OpenID I have added to my validated Visa ID) at my retailer’s web site (during which, of course, I’m taken to the Visa page to enter my password). I can then make my purchase normally, entering in my CC number, expiry date and security number like I always do. This model establishes a trust relationship between the customer, retailer and financial institution in a secure way.
August 9, 2009 at 5:22 pm
Anonymous
The same thing just happened to me while helping my mother and explaining to her how easy and worry free internet shopping is nowadays. So much for that when I started freaking out.
I also went to the visa website and they don’t mention securesuite.net as a trusted partner or anything. Why do they make it so hard to feel safe?
September 22, 2009 at 9:21 am
bob
I thought this was a bit weird but I needed the product so bad, I then kept on receiving emails and I suddenly missed a heart beat, thought to myself, what have I done. It looked like a scam why did I type my details in??
I quickly googled verified by visa etc.
Turns out it’s fine but scared me!
Open ID FTW
November 16, 2009 at 8:43 am
judith
I won’t use this method of purchase again.
December 17, 2009 at 5:46 pm
Chris
I just phoned RBC Visa because my spidey-senses went off when I saw the centresuite URL and they refused to verify or deny whether centresuite is the third-party that manages this service for them. All I kept getting was “I can’t confirm that because I can’t see what you’re seeing”. And “Verified by Visa is the third-party”. I can understand the hesitance to give me the go-ahead, but the question was a simple one. When I told her that I couldn’t possibly be the only one who was given pause by the third URL that was completely unrelated to either RBC or the company from whom I was making my purchase she said she’d never heard an inquiry. It’s good to see that there are other rational and reasonably cautious people out there.
I made my purchase, but I will be writing a letter to express my surprise and disappointment in this horribly ill conceived “security feature”.
January 5, 2010 at 5:05 pm
Kenny
I encountered the same situation when I got redirected to another website with the name “SecureSuite.net”. Alarm bells in my head were ringing. Until I discovered this article. Panic Over.
February 25, 2010 at 5:56 am
Nick
Same thing happened to me except with Bank of America during an online purchase.
I ran whois on securesuite.net and it’s registered to a Mr. Yaron Shohat in Virginia, USA.
Are you sure this isn’t a scam???
February 25, 2010 at 12:25 pm
Steven
I had the same exact thoughts when I saw the same exact things on a purchase I made today. Thank you for clearing this up.
In regards to Nick’s concern about this Mr. Yaron Shohat individual – From LinkedIn, he’s the “Head of Online Threats Business Unit at RSA, The Security Division of EMC” and was originally from Cyota (which the WHOIS report also notes).
Verified by Visa was a solution of Cyota (SecureSuite – Processor Edition), which was bought by RSA Security.
http://www.rsa.com/press_release.aspx?id=6823 is a press release by RSA. It doesn’t mention anything about the website, but after slowly putting the pieces together, it sounds more legit.
I guess we (or I, at least) can sleep a little more sound now.
Thanks again!