Monday, September 01, 2008

Verified by Visa is totally broken

My bank uses Visa credit cards. Visa has just rolled out a new "Verified by Visa" (VFV) system, which is supposed to be more secure.

In fact, VFV relies on XSS, random, unrecognisable third-party sites, and a generally woeful user experience which completely goes against security best practice.

There is background here: The 'Verified by Visa' fiasco ... courtesy of ANZ

In my case, thank fuck I was using Firefox with NoScript, for just look what it detected:

[NoScript XSS] Sanitised suspicious upload to [] from []: transformed into a download-only GET request

What the hell is ""? Why is at least WorldPay not processing this? Who authorised some random third-party site to access my credit card AND bank-specific security questions? And why the FUCK does it all rely on dodgy cross-site scripting to work?!?

All extremely shoddy, and designed to vapourize human confidence in online shopping. Well done Visa, you utter fuckwits.


  • Quelle coincidence! This very day I emailed to tell them what a shower of shite I thought their Verified by Visa system is (my current account comes with a Visa debit as standard). I didn't have all your technical geekery to back up my assertions, but hopefully the sheer force of my invective might prove persuasive.

    By Blogger MsBee, at 8:43 pm  

  • I agree, its total rubbish. Had to implement it in booking engine at work. Conversions totally dropped off. Natwest VISA doesnt appear to have it enabled at the moment though.

    By Anonymous Northern Coach Tart, at 10:38 pm  

  • Yes the same thing happened to me.
    I tryed to buy items from a shop that used RBS worldpay. So I canceled my purchase. Sent them an email that they should offer other payment options. I am not giving my exp date and codes to strange sites.

    By Anonymous Anonymous, at 9:11 pm  

Post a Comment

<< Home