Is securesuite.co.uk a phishing scam?

I thought that securesuite.co.uk was a phishing attempt, but it seems to be a legitimate outsourced provider of the so-called “3D secure protocols” known as Verified by Visa and MasterCard SecureCode for card issuers. So far I have identified AIB (IE), Royal Bank of Scotland (UK), and MBNA (IE) as users.

However, I must be frank and say securesuite.co.uk has all the hallmarks of a phishing scam. I’ll make the phishing keywords bold in case you wish to skim over this section. Let’s say you are presented with the screen: a popup, which is a window with no address bar, asks you for your password. Not knowing your password, because this is your first time using the added layer of security, you click forgot password or register, and you are then asked for your credit limit and CV2. To be sure, you view the page info of the popup and see it’s securesuite.co.uk, not mybank.com, not even mycreditcardbrand.com. So you visit http://www.securesuite.co.uk, but there is no response, and at https://www.securesuite.co.uk there is a blank page. You perform a WHOIS query and see:

Checking server [whois.nic.uk]

Domain name:
securesuite.co.uk

Registrant:
cyota

Registrant type:
Unknown

Registrant’s address:
8 west 38th street
new york
ny
10018
US

Registrar:
Register.com Inc [Tag = REGISTER-DOT-COM]
URL: http://www.register.com

Relevant dates:
Registered on: 09-Jun-2002
Renewal date: 09-Jun-2008
Last updated: 09-Apr-2006

Registration status:
Registered until renewal date.

Name servers:
ns0.eu.dedicatedserver.com
ns1.eu.dedicatedserver.com

Who are “cyota”? This looks like a scam. You call your bank, but the functionaries on the line have never heard of securesuite.co.uk; they know about Verified by Visa and MasterCard SecureCode, but don’t know how they work. So you visit mybank.com, or in my case aib.ie, but of course their site is down again, displaying an error message. You visit mastercard.com or visa.com, but naturally they can’t have something as simple as a list of authorised providers of the system.

Well, I took the risk, in the interests of journalism (and of buying a new hard drive from komplett.ie!), and I can confirm that securesuite.co.uk is legitimate. But hey, that’s just what I say; ultimately it is up to each person whether or not they trust the system. Would you?

Banks should really learn to put everything on their own single domain, e.g. bankofexample.com. Yet I see that Bank of Ireland still use boimail.com for their email, and bankofireland.ie for their website.

*securesuite.co.uk is not to be confused with securesite.co.uk, which is a shared SSL site operated by a company called Redstation, and looks quite nice. Indeed, in the Ambrand Dot Com office we enjoy listening to the most excellent and truly fresh beats that one user has uploaded to his space on securesite.co.uk.



82 Responses to “Is securesuite.co.uk a phishing scam?”


  1. 1 GMac Aug 10th, 2007 at 5:59 am

    Thanks for the article. I also agree that this site appears to be a classic ‘phishing’ site. Even after reading your article, I’m not sure that I want to proceed with this. It asks just too many detailed/personal questions, and the only reference to my bank is the name shoved into the top left corner.. not even the corporate logo… I’ll try and find out more info first.

  2. 2 Joe Sep 1st, 2007 at 9:31 pm

    hi

    the site popped up for me after using the card and i started to fill details before realising this seemed a little strange, emailed c/c company to see if they know who they are

  3. 3 Ian Nov 5th, 2007 at 11:07 pm

    Hi Joe,

    Did you ever get a reply from your C/C company?
    Are they legit or scammers/phishers?

  4. 4 harry wood Nov 7th, 2007 at 1:31 am

    Yes that’s just great isn’t it! Just when the problem of phishing is starting to enter the public consciousness, and people are finally starting to understand that they need to look very carefully and be suspicious before entering their credit card number …and along comes this harebrained scheme to entirely undermine the point.

  5. 5 Eachann Nov 15th, 2007 at 2:08 am

    I just got to the securesuite website and it looked suspicious so I clicked ‘No thanks’.
    It redirected me back to my purchase which seemed to have been completed successfully… I’ll get back to you :P

  6. 6 Richard Howells Dec 10th, 2007 at 1:26 pm

    It seems to have moved on. I tried to make a purchase on-line today. I was confronted with this pop-up. In the past I have done the No Thanks bit, but this time the choice was Accept or, Accept. I called my bank. With the staggering arrogance that banks adopt it seems that a MERCHANT can opt to INSIST that you sign up and provide a password. That then commits you to using the scheme at other shopping sites on the internet. Once you have signed up you HAVE to remember that password.

    [this line of comment removed by editor]

  7. 7 Iain Dec 16th, 2007 at 5:45 pm

    It’s ridiculous. I should provide all my card details to an unknown website? The banks have really mucked this one up. Imagine the phone call to the bank if you get ripped off:

    “Well, I was buying something on the internet, and then this little box popped up, from someone I don’t know, asking for all my details. So I put them in.”

    Right…

    [this line of comment removed by editor]

  8. 8 Kito Dec 21st, 2007 at 4:39 pm

    I got one after booking the eurostar, with no option to return to the eurostar page for confirmation, seemed REALLY dodgy to me. They tell me endless notices about how to look out for phishing on my online banking and then flash this up at me and expect me to send off all my details, what are they thinking, it looks identical to the things they are trying to protect me from!

  9. 9 Laurence Dec 29th, 2007 at 12:57 am

    securesuite.co.uk rang all my phishing alarm bells when I encountered it trying to book a Brussels Airlines ticket today. I investigated, because I really wanted the ticket, and after finding this very page, decided it was probably genuine but didn’t want to risk it. (Amazingly the airline has a phone number where I got the ticket at the same price!) An hour later I needed an advance train ticket. First Great Western also use securesuite.co.uk - I also really needed that ticket so bit the bullet and gave my damn date of birth to the annoying “3D Secure” window.

    The whois info is now weirder and more suspicious than that quoted above. Look at the “Registrant’s address” field. It’s a suburb of Tel Aviv, Israel! And what on earth is the “ny” doing there?

    Upon further investigation, Cyota appears to be an Israeli security firm, headed by one Amir Orad, and bought by RSA Security in 2005.

    http://findarticles.com/p/articles/mi_m0EIN/is_2003_April_8/ai_99748350
    http://www.rsa.com/press_release.aspx?id=6316
    http://www.crime-research.org/news/12.05.2005/1228/
    http://www.highbeam.com/doc/1G1-158592380.html

    Here’s the whois info:

    Domain name:
    securesuite.co.uk

    Registrant:
    cyota

    Registrant type:
    Unknown

    Registrant’s address:
    7 Shenkar Street
    Herzelia
    ny
    46733
    IL

    Registrar:
    Register.com Inc [Tag = REGISTER-DOT-COM]
    URL: http://www.register.com

    Relevant dates:
    Registered on: 09-Jun-2002
    Renewal date: 09-Jun-2008
    Last updated: 09-Apr-2006

    Registration status:
    Registered until renewal date.

    Name servers:
    ns0.eu.dedicatedserver.com
    ns1.eu.dedicatedserver.com

    WHOIS lookup made at 20:00:30 28-Dec-2007
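
The two WHOIS lookups quoted on this page (the one in the post and the one in comment 9) can be compared mechanically rather than by eye. The following is an added example, not part of the original post or any comment: it parses the header-then-values layout shown above and reports which sections differ, which address lines were carried over unchanged, and how old the registration was at lookup time. The function names are illustrative.

```python
from datetime import datetime

# Records as quoted on this page (blank lines between sections dropped).
WHOIS_POST = """Checking server [whois.nic.uk]
Domain name:
securesuite.co.uk
Registrant:
cyota
Registrant type:
Unknown
Registrant’s address:
8 west 38th street
new york
ny
10018
US
Registrar:
Register.com Inc [Tag = REGISTER-DOT-COM]
URL: http://www.register.com
Relevant dates:
Registered on: 09-Jun-2002
Renewal date: 09-Jun-2008
Last updated: 09-Apr-2006
Registration status:
Registered until renewal date.
Name servers:
ns0.eu.dedicatedserver.com
ns1.eu.dedicatedserver.com
"""

WHOIS_COMMENT = """Domain name:
securesuite.co.uk
Registrant:
cyota
Registrant type:
Unknown
Registrant’s address:
7 Shenkar Street
Herzelia
ny
46733
IL
Registrar:
Register.com Inc [Tag = REGISTER-DOT-COM]
URL: http://www.register.com
Relevant dates:
Registered on: 09-Jun-2002
Renewal date: 09-Jun-2008
Last updated: 09-Apr-2006
Registration status:
Registered until renewal date.
Name servers:
ns0.eu.dedicatedserver.com
ns1.eu.dedicatedserver.com

WHOIS lookup made at 20:00:30 28-Dec-2007
"""

ADDRESS = "registrant's address"


def parse_date(text):
    return datetime.strptime(text.strip(), "%d-%b-%Y").date()


def parse_whois(text):
    """Return {header: [value lines]}; a header is a line that ends with ':'."""
    record, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().replace("\u2019", "'")   # normalise curly apostrophe
        if line.startswith("WHOIS lookup made at"):
            record["lookup"] = [line.rsplit(" ", 1)[-1]]
            current = None
        elif not line:
            current = None                          # blank line closes a section
        elif line.endswith(":"):
            current = line[:-1].lower()
            record[current] = []
        elif current is not None:
            record[current].append(line)            # lines before any header are ignored
    return record


def dates(record):
    """Map 'registered on' / 'renewal date' / 'last updated' to date objects."""
    pairs = (item.partition(":") for item in record.get("relevant dates", []))
    return {label.strip().lower(): parse_date(value) for label, _, value in pairs}


def compare(old_text, new_text):
    old, new = parse_whois(old_text), parse_whois(new_text)
    old.pop("lookup", None)
    lookup = new.pop("lookup", None)
    changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
    old_addr, new_addr = old.get(ADDRESS, []), new.get(ADDRESS, [])
    stale = []
    # Lines kept from the old address although the country (last line) changed.
    if old_addr and new_addr and old_addr[-1] != new_addr[-1]:
        stale = [line for line in new_addr[:-1] if line in old_addr[:-1]]
    d_old, d_new = dates(old), dates(new)
    report = {
        "changed": changed,
        "stale_address_lines": stale,
        "last_updated_unchanged": d_old.get("last updated") == d_new.get("last updated"),
    }
    if lookup and "registered on" in d_new:
        # Registration age at lookup time, in days.
        report["age_days"] = (parse_date(lookup[0]) - d_new["registered on"]).days
    return report


if __name__ == "__main__":
    print(compare(WHOIS_POST, WHOIS_COMMENT))
```

On these two records only the registrant's address section differs, the "ny" line is carried over from the old address, and the "Last updated" date is identical in both.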

  10. 10 Olly Jan 3rd, 2008 at 9:37 pm

    Thanks for the information. I just ran into this site for the first time when buying something from a site that I’ve used before but is known for having very low prices (to the extent that a lot of people ask whether or not they’re legit), and it definitely had me suspicious.

    It’s ridiculous that they tell us to look out for off-site addresses and ignore the logos, and by those criteria this site looks like a textbook phishing scam. It doesn’t even look professional; just a web form asking for your card details with your bank logo stuck on there and an unknown URL. If the banks are trying to prevent fraud they’ve really dropped the ball there.

    I use Abbey, incidentally.

  11. 11 Andy Doss Feb 8th, 2008 at 7:48 pm

    I just came across this on ebuyer…

    This annoying thing came up insisting I enter card details. Obviously IT IS A SCAM, as it asks for details to continue when the transaction is already complete (I later checked my account to confirm this) , why else would it do that?
    I just closed the window and got rid of it.

  12. 12 Colm Mar 5th, 2008 at 11:35 am

    Just used Komplett and got the securesuite.co.uk redirect.
    I just clicked Activate Later and was back in Komplett and the amount was paid, so there was no need to enter any details.
    I agree it has phishing all over it, even if valid.

  13. 13 Dave H Apr 7th, 2008 at 6:46 am

    Just encountered this playing online poker - my bank is Alliance & Leicester, although from what I read above it’s the merchant rather than the bank? I had a similar reaction - although no “forgot password” bit, it asked me for a password from the get-go. I was a little drunk so, while thinking it all looked a little fishy, I went ahead with it. Of course, since I got it popping up from within an application it seemed less suspicious.

  14. 14 jimmy Apr 14th, 2008 at 9:47 am

    I just tried to pay a Thameswater bill with a natwest card and got the same thing. I can’t see how all these different banks would use something so dodgy - probably a scam.

  15. 15 christoff May 16th, 2008 at 10:25 am

    Just got the same booking a flight through Airasia.com with my Nationwide card. Although it looked pretty dodgy I went ahead, mainly due to the links posted here pointing to the legitimacy of this RSA Security/Cyota company, also the amount of detail (terms and conditions and privacy policy popups), and the site was presented in the same window so I could see the address and the padlock indicating some pretty heavy encryption. Also the flight was CHEEEEEEAP and there was no ‘opt out’ button (a little annoyed at this).

    Got an email from securesuite’s domain pretty much immediately after with a nice little welcome message and a few links to their own website and also Nationwide’s

    http://www.nationwide.co.uk/vbv/default.htm - nationwide’s website also links back to securesuite when hovering over the register button so I doubt very much that this is a scam.

    I do agree that forcing people to use it or suffer not being able to buy cheap stuff is a shitty way of going about it though. Add that to the cloud of phish that lingers over it and you’ve got to wonder what the so-called information fraud protection professionals are going to come up with next.

    http://www.rsa.com/node.aspx?id=3017 Their top priority goal of ensuring companies can “Inspire user confidence” seems to have failed here.

  16. 16 BaT May 21st, 2008 at 4:56 pm

    All,

    Interesting to note all the comments above, that clearly show some concerns among users who want to pay online, and unfortunately to realise at the same time that whilst the first comment is almost a year old, the issue of miscommunication has not been addressed in the meantime…

    Securesuite is indeed a product from Cyota, which was bought 3 years ago by RSA Security (now part of EMC). It is actually an authentication service compliant with the 3D-Secure specification, and offering both the VbV (Verified by Visa) and SecureCode (MasterCard) implementations of this specification.

    To be more explicit, 3D-Secure is an additional authentication layer introduced by card issuers, allowing the merchants to ask for an additional authn token to the card issuer before accepting a payment online.
    3DS is made of an authentication protocol (that is then to be supported by the card authorisation networks) and offers an architecture for authn mechanisms, which are decoupled from the transport protocol itself. Authn implementations can range from passwords (most commonly deployed right now) to one-time passcodes or CAP tokens (those authn applications being present on most of the debit/credit cards these days).

    So, Securesuite is a (commercially viable) service/product used by many card issuers (i.e. banks) which decided to outsource their 3D-Secure authentication. It is not a scam attempt at all.

    Hope this helps in some way - my 2 cents only here…

  17. 17 Lee May 23rd, 2008 at 4:45 pm

    I came across this when processing payment for a council tax bill, which I access via my council’s website. This is the first time it has popped up in the payment process so I didn’t enter my details. I am also with Abbey.

  18. 18 Jeff May 24th, 2008 at 9:55 pm

    Even if it is legitimate, it looks like phishing & I really dislike this.

  19. 19 judith Jun 4th, 2008 at 5:57 pm

    Rather belatedly decided to Google securesuite after hours on the phone to the Indian subcontinent. Found all your comments most instructive. I had second thoughts after giving my card details to securesuite in a final bid to try and get my train ticket purchase with First Great Western to go through. So the people in India checked out Securesuite, assured me that it was undoubtedly a scam and promptly cancelled my connect card! Seems the right hand doesn’t know… Anyway, I take a pretty dim view of a company that stops you making your transaction unless you fill in some uncheckable form. The scary thing is that while Great Western was sulking about the Connect card, I bashed in my French credit card details which were immediately accepted … only to discover that the site then accepted the Connect card as well. Presumably this means that I paid twice! So much for First Great Western …Vive la SNCF!

  20. 20 james Jun 21st, 2008 at 6:08 pm

    Just spent about 40mins booking a load of train tickets for my company to get to this verified by visa shite, and then an error, and of course lost all my booking data so I get to start again.
    Is there any way to opt out of this?

  21. 21 Claire Jun 29th, 2008 at 10:20 pm

    I have just had the Secure Suite authentication thingy pop up. What I would like to know is can I de-register or is it too late now?

  22. 22 Ian Jun 30th, 2008 at 5:08 pm

    Here in the USA, I got the popup, did enough to get the purchase, and then got an email from the same securesuite location. But when I forwarded that to Chase bank, they said it’s a phishing trick.

    BUT, when I go on VISA.COM and search for “Verified by Visa” I get a legitimate link and an invite to enroll. WTF?

  23. 23 Amanda McCormack Jul 9th, 2008 at 11:54 am

    I got the popup and spoke to two people at my bank - one said it was a scam the other said it was legitimate and there was a phone number to contact securesuite on 0870 010 4542 (in the UK). Just sounds too dodgy to me!

  24. 24 Henry Jul 11th, 2008 at 6:35 pm

    Hi, I ran into this secure suite thing a minute ago whilst making an online order and stupidly entered my details into it, before realising that it looked very strange and not legitimate. What can I do to protect myself if this is a phishing scam, as I’m now quite worried and don’t want my account emptied?

  25. 25 Rebecca Jul 14th, 2008 at 10:43 am

    Verified by Visa and securesuite are not the same thing. Verified by Visa is genuine, I am able to link to it from my bank’s own website.

    I have just had a search and found this

    http://www.nationwide.co.uk/vbv/Shopping_with_Verified_by_Visa.htm

    A link from Nationwide’s website, click ‘view our demo’ and it leads directly to securesuite.co.uk

    Whilst shopping though, I did choose not to fill this in, and found this through a search as I thought it did look very much like a phishing scam. I think it would be better if it was advertised, in a similar way to how they brought ‘chip and pin’ in a few years back, so everybody has the awareness of it.

    Whatever you do don’t take my word for it! Whereas I can assure you what I’ve said is true, many people can be conned by someone also claiming to be true. Check out the links in this thread and do your own research, that is how we can collectively beat phishing.

  26. 26 Cals Jul 15th, 2008 at 12:05 pm

    Hi

    I just found this Securesuite as I got an email from the Halifax about my account and don’t have one. Followed the link as it looks authentic - very dodgy - shall email the Halifax

    Cx

  27. 27 Chris Jul 22nd, 2008 at 4:16 pm

    Banks that decide to offer cardholders registration during shopping - which to some of us may look like phishing, as personal data is requested - have to communicate to their cardholders multiple times about the program under rules by Visa and MasterCard.

    But people being people - and if you are anything like me - it is likely that the nice flyer the bank produced and put into your card statement went unread into the bin.

    So if you are not sure, consider opting-out on the first occasion you see this and then ask your bank about the 3-D Secure scheme.
    But remember, the person you might be talking to might not have had the training yet and does not know about the program ;-)

    A couple of further things - pop-up windows are disallowed by the schemes now, so the window is likely to be in the merchant’s webpage and the merchants are encouraged to put additional messaging in the check-out process to inform the cardholder that an authentication or registration might be required.

    At the end of the day, the 3-D Secure scheme is also protecting your interests, as it protects your card being used fraudulently and helps you avoid going through a tedious chargeback process after fraud has been committed on your card. Whoever had to go through this knows what I mean.

    If in doubt about registration, you can always use the Visa site directly to register your card prior to a purchase:
    https://verified.visa.com/aam/src/app/ve.aam?partner=vdc&resize=no
    Please note that this will redirect you to the registration site that your bank uses, so this might be again a .arcot.com or .securesuite.co.uk site.

    Similar capabilities exist on the MasterCard site:
    http://www.mastercard.com/us/personal/en/cardholderservices/securecode/index.html

    Links:
    http://www.visaeurope.com/pressandmedia/factsheets/verifiedbyvisa.jsp
    http://usa.visa.com/personal/security/visa_security_program/vbv/verified_by_visa_faq.html

  28. 28 Paul Corkindale Jul 31st, 2008 at 12:28 am

    I just had this pop up with www.gamestation.co.uk. I’ve been using gamestation for ages, since it’s an online branch of a brick and mortar store it seemed more trustworthy, but then this thing popped up and, like everyone else, my scam alarm went into overdrive. I can’t find much information about them.
    When the box first popped up I checked them out and found nothing, but luckily there was an option to keep going without signing up, so I chose that, then I got a basic white page (with securesuite.co.uk in the address bar) with basic black text saying there was a problem with your transaction, please try again, or words to that effect. I went back to the gamestation website and tried again with a vain hope it wouldn’t pop up; it did, but this time there was two options with one for accepting it and one for disregarding just one big option saying sign up to continue with transaction.
    My bank (Bank of Scotland) doesn’t mention this anywhere and Securesuite.co.uk is blank, so this is deeply suspicious. I checked my recent orders list to see if, like some other commenters, the transaction went through, but it hadn’t.
    Just as a slight additional, Gamestation has always been trustworthy before but now their checkout procedure is split between multiple addresses (though it has the same design/layout). You start at gamestation.co.uk then go to some website called https://orderpage.ic3.com.
    This is frightening; right now buying from an Ebay seller with no prior reviews seems safer.

  29. 29 Paul Corkindale Jul 31st, 2008 at 12:35 am

    On the recommendation of another commenter I looked on the official Visa website and it tells me about their Verified with Visa program (conveniently linked I might add) and it gave me a list of countries and then a list of banks they are linked with appeared; my bank appeared so I clicked the link and it gave me a webpage on my official bank’s website (though I couldn’t find this earlier when I searched, not after hours of clicking and searching through their garbage site) and it gave me a link to enrol a visa card. Up popped a securesuite.co.uk webpage for me to use. I’m slightly more sure it’s trustworthy but my god have all banks gone mad? I’m sending a complaint in tomorrow morning.

  30. 30 Stephen Aug 20th, 2008 at 8:26 pm

    Came upon this service while shopping on newegg.com as well. Didn’t realize how suspicious it was at the time but after getting the confirmation email for my subscription for the “verified by visa” service sent to my Spam box, I checked it out.

    https://www.securesuite.net/chase/docs/faq.jsp

    It looks REALLY suspicious.

    I’ve done a lot of research and none of it’s been very conclusive except for this thread and even now I’m not completely convinced - but it does seem to be legit, so you can add CHASE bank to that list of banks using the securesuite service.

    The REGISTER button on this official Chase page
    http://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/cms/explore/page/verified_by_visa#weblinks
    links to the obscure securesuite.net page. I can’t believe they outsourced something as sensitive as this to some no-name service who obviously aren’t trying very hard to gain consumer trust.

  31. 31 Stephen Aug 20th, 2008 at 8:28 pm

    PS - It seems the securesuite.net site is certified by VeriSign as well. The certificate also points to Cyota.

  32. 32 Don Sep 4th, 2008 at 12:17 am

    I purchased a computer on the delloutlet.com Web site last night at 3am. When I submitted the order, a page popped up briefly at https://ecomm.dell.com/dellstore/chkout3_ccauthentication.aspx?c=us&cs=22&l=en&s=dfh&itemtype=SNA, which explained I might be required to register my credit card with Verified By Visa, and sure enough, a few seconds later, a popup window with no address displayed asked me for the last 4 digits of my SSN, daily withdrawal limit, and some other things I don’t remember.

    This morning, when I woke up, I got to thinking about the process, and I had a sneaking suspicion I had been phished.

    So I called Dell to ask them. No one I talked to had any clue what I was talking about when I asked them about Verified By Visa. Eventually, I was disconnected. So that made me worry that, since no one knows about it, perhaps it was phishing. I mean, why else would everyone treat me like an idiot or moron?

    So then I called my credit card company, Chase. I explained my question to them, and the rep, rather quickly, came to the conclusion that I probably was a victim of phishing! In fact, when I started out the call, I said I was concerned that I might have been phished in a Verified By Visa scheme, she replies “That’s the eternal question.” She proceeded to tell me about how to protect myself from identity theft, and offered to enroll me in a security program they offered. I know she was just trying to help.

    At that point, being convinced I was phished, I called the 800 number I was given in the email I received from the securesuite.com domain. Immediately, they asked me for my name. I only gave them my first name. Then, they asked me for my mother’s maiden name, and I refused to give it. I did give them my zip code. I explained what I was going through, and asked to be given the contact info of anyone *at dell* or *at chase* (the 2 parties I know who are legitimate) who could verify securesuite.com’s legitimacy. Then, suddenly the operator addressed me with my last name, something I didn’t give them during the phone call. I asked him how he knew my last name just by my giving him my first name and zip code, and he said he knew from the phone number I was using.

    I was then transferred to a gruffy-sounding gentleman who, after a period of time, asked me for my Chase credit card account number, which I didn’t give. When I asked him to give me the contact of anyone at dell or chase who could verify his legitimacy, I was told I would need to call their customer service, but that they’d just end up transferring me back to him.

    So at that point, convinced by every possible piece of evidence I was given I was phished, I put a fraud alert on my credit reports and changed the password on all my online shopping and banking accounts.

    Then, finally, on the chase.com web site, after doing a search on ‘Verified by VISA’ and scrolling to the bottom of the page, I found a page that had a link to the securesite.net Web site. If Chase links to that Web site, they *Must* be legit, right?

    At that point, I realized it was probably all legit.

    So then I ordered a very cheap item from delloutlet.com, just to go through their cart process again, and sure enough, there was the explanation page I had read last night at 3am, almost falling asleep, telling me I may or may not get a popup page related to Verified By Visa. Of course, the explanation page went by this time in one second. Luckily, I was using a screen capture program, since I was going to send the entire checkout process to my friend to see if I was indeed crazy, so I could read the contents.

    I tried to give some legit feedback to dell on maybe making the ‘verified by visa’ info easier to find/get to, and perhaps pulling the program from their site altogether since neither Dell reps NOR Chase reps were informed at ALL about the program.

    After all of my ordeal, I just have to conclude that this program is very poorly managed, possibly rushed, and surely there is a lack of communication and publicity about the program to all customer service reps involved.

    I consider myself fairly savvy when it comes to avoiding phishing schemes. I’ve concluded there is simply no way for the average person to avoid being phished in an environment like this where programs like “Verified By Visa” are implemented and managed so poorly.

    What an absolute mess.

  33. 33 DrGaz Oct 11th, 2008 at 5:32 pm

    This thing popped up when I tried to buy Skype credit - my firewall blocked the transaction and threw up a really scary looking message. This looks well dodgy to me.

  34. 34 Dave Oct 24th, 2008 at 7:48 pm

    Hi

    I too, have just gone through the reaction of this must be a scam … !!! I was first passed from the UK online seller to 2CO in the USA (who I have heard of, but still slightly concerning) to take the payment and before they will undertake the transaction you are passed to Securesuite. So I aborted at that point.

    Just like the rest of you, trying to find out who the hell these guys are is difficult - and without your posts to Ambrand I would be none the wiser.

    As everyone says the formatting looks particularly amateurish from SecureSuite and even worse from 2CO. It looks like all the scams I have seen coming from China.

    I’ve had my credit card details stolen by having submitted its number online to Paypal (It angers me the way that ebay force you into it). Having informed the Police that I have proof Paypal has security issue - they are the only people with this new card number so it has to be them - the police confirm Paypal is indeed their number one problem regarding internet fraud!! Paypal of course deny everything. I don’t and won’t touch them again.

    Well done to the ordinary honest folks out there for trying to purchase stuff online safely!!!

    Dave

  35. 35 Oscar Bravo Nov 6th, 2008 at 9:04 am

    The big problem with this scheme is the idiotic idea to roll the registration process into the purchase process. The normal thing to have done would have been:

    1) Advertise and inform customers that they need to register their cards via their bank’s website.
    2) Trap unregistered cards at the merchant and tell them to go register at the bank - no popups, no re-directs. Just a “sorry” message and stop the transaction.

    You can see that the merchants would’ve howled at the prospect of losing customers just on the point of purchase, so they decided to fold the registration process “seamlessly” into the purchase. Of course, the designers had all been living on Mars for the last 5 years and had never heard of phishing. And so we arrive at the situation we’re in now…

    By the way, I’m not sure that the VbV is actually in the *customer’s* interest.. It’s great for the merchant since it makes it harder to use a stolen card number; it’s great for the bank for the same reason - but it’s not so great for a customer who is phished for both the card number *and* password. You will not be able to repudiate the purchase and will not be refunded.

  36. 36 Sarah Dec 2nd, 2008 at 9:48 am

    I’m always giving out to parents and friends for clicking on links in emails but in my effort to “reauthorise” my card details for my expansys.ie order I clicked on the link and filled in my passcode.
    It was only then that I realised how easy it can be to be taken in and how the securesuite site could easily be mocked up. I should have gone through the expansys site or something like that, but it goes to show..

  37. 37 admin Dec 4th, 2008 at 1:03 am

    Yipee!, this article was mentioned on theregister.co.uk
    http://www.theregister.co.uk/2008/07/22/securesuite_ecommerce_glitch/print.html

  38. 38 Jerzy Dec 6th, 2008 at 7:26 pm

    I just had the same experience with this site and exactly the same feelings. The whole point of 3D-Secure is so that the issuer can verify the purchaser’s identity (for all the self-serving reasons mentioned by Oscar Bravo).

    How is the customer ever to feel safe if the 3d-secure experience is outsourced?

  39. 39 Is This Name available Dec 17th, 2008 at 1:49 am

    You’re on wikipedia too :-)
    http://en.wikipedia.org/wiki/SecureCode

    Thank you very much for this article. While trying to buy something from a UK-based supplier with my card I got a suspicious phishy pop-up from securesuite. Before proceeding I looked on http://www.visaeurope.com/promotion/vbv/uk/ and http://www.mastercard.com/securecd/listIssuers.do for my card provider - no joy, nor is securesuite there under UK/US providers, nor is cyota. This couldn’t look more like a phishing scam if it tried, what a shame it doesn’t redirect to the cardholder’s card provider’s site.

  40. 40 bittencustomer Dec 25th, 2008 at 10:46 pm

    hmm..

    I think the story never ends. I bought a laptop from Dell and ran into this. Gave all the details including SSN number, since this was as part of process and Dell also informed the additional step. But after doing it, I felt like it may be a phishing attack and lost my peace of mind.

    thanks.

  41. 41 over here Jan 14th, 2009 at 12:19 am

    Thanks for this post and thanks to those who commented. I shared the same queasy feeling as others when confronted with this situation.

    When recharging my Skype account, I was transferred to not the uk site (my bank is Canadian) but to https://www.securesuite.net and all the points mentioned by others sent off alarm bells for me (the unfamiliar URL; the cheap-looking interface; the request for highly confidential data).

    As a result of comments made above, I decided to go to my bank to see if this scheme was legitimate, and it would seem it is.

    First, there’s the bank’s website encouraging cardholders to sign up for Verified By Visa:
    http://www.cibc.com/ca/visa/optional-services/verified-by-visa.html

    Then, on that page, there’s a link to the registration page:
    http://www.cibcsecurepay.com/

    The above registration page has a ‘Register Now’ button, which then takes you to our good friends:
    https://www.securesuite.net/cibc/registration/welcome.jsp?lang=eng;

    This is indeed a scrappy way for the bank to handle such an important service. They don’t inform the customer that they have outsourced the process and appear to be trying to make cardholders believe it’s all done by the bank. (They boast: ‘CIBC is proud to offer you Verified by Visa, a free password protection service for your CIBC VISA card when shopping online. As part of CIBC’s commitment to protecting our customers, the Verified by Visa service works to ensure that you alone can use your credit card online when shopping at participating merchants. Better still, it only takes a moment to register.’)

    A simple line stating that the VBV service is made available in partnership with a trusted provider (identified as securesuite.net or whatever) and that cardholders would be transferred to that provider’s site would go a long way towards assuring customers.

    The system as it is certainly is counter-productive if the banks are trying to tell customers they should be vigilant and not offer their private information to unknown entities.

  42. 42 FatherF Jan 26th, 2009 at 9:24 am

    Hi All,
    I have just gone through similar experiences as the ones posted above, having now spoken to various banks/secure sites etc, I can assure all that it is actually legitimate.

    FF

  43. 43 Kermit Jan 30th, 2009 at 9:14 pm

    Appears to be a legitimate 3rd party company handling some services for banks such as Nationwide here in the UK.

    Agree with others, very poorly executed service and seems ripe as a phishing victim.

    I came across the VfV page when I paid a bill online through my O2.co.uk portal. Got suspicious the first time so checked the url source, where the images were coming from etc, did the usual lookups and then got a reply back from the O2 Website Support team that it was a legit service being offered through their website.

    Well I have gone as far as asking Nationwide to change my credit card and if needed my account details to avoid any nasty surprises so let’s see what happens.

  44. 44 Martin Juckes Feb 10th, 2009 at 12:57 pm

    There are a couple of people trying to offer re-assuring comments, but the design of this thing reflects scary levels of incompetence. I ran into it booking a Eurostar ticket, and luckily the “no thanks” option was OK. I’m using a corporate card, so I’m hoping I can get some info out of our support people.

  45. 45 noyb Feb 16th, 2009 at 11:12 pm

    Well, we’re well into 2009 and they still have this totally phishy mess!

    But it looks like the original blog post was from late 2006!

    I started my google efforts after the first popup, personal questions, etc.

    Maybe they figured out how to make money on fraud, so it’s best to leave everything just the way it is…

  46. 46 Scammer Mar 5th, 2009 at 1:17 pm

    Dear All,

    I’d just like to write yet another reassuring comment that securesuite.co.uk is a perfectly legitimate site and you should not hesitate to tell them all your personal financial details….

    However, you would have to be an idiot to believe me. For all you know, I could be the scammer behind the site. Posting a few comments here - this is the top Google hit for “verified by visa securesuite.co.uk”, BTW - using various different names would be a great way to increase the proportion of people who fall victim to this scam.

    I have just spoken to the “verified by VISA” department at Nationwide and the person that I spoke to, who seemed quite authoritative, told me that she had never heard of securesuite.co.uk, currently registered at 8200 Greensboro Drive, Suite 1100, Mclean VA 22102 US. So should I believe her, whose identity is beyond doubt since I called the phone number printed on my card, or should I believe the people who have posted here whose identities are completely unproven?

    I’m going to assume that it is a scam until I have a letter - not an email - from someone at Nationwide confirming it one way or the other.

  47. 47 admin Mar 5th, 2009 at 7:54 pm

    @ “Scammer”

    Thanks for your intelligent comment, If I was grading it as a term paper I’d be writing the letter A already.

    I generally trust the “wisdom of the masses” (as does google, that is how page rank works)

    I trust that wisdom more than the words of one person that works in a bank. Even if it was written on headed paper I realise that in large organisations the left hand often does not know what the right is doing.

  48. 48 Scammer Mar 5th, 2009 at 8:22 pm

    Re “wisdom of the masses”, how do we know they are “masses”, and not all just one person? There are, for example, examples of Wikipedians operating under multiple pseudonyms.

    Thought experiment: let’s say I’ve been told that a site is not legitimate over the phone by my bank, but I go ahead and give them all my details anyway. So they empty my account and I ask the bank for my money back. Would my bank refund me? No! They’ve told me on the phone that they had never heard of the site! Would the judge agree with them? Yes! Of course, if I’m told over the phone by my bank that they have never heard of site XYZ then, even if the “wisdom of the masses” tells me it’s legitimate, I would be crazy to tell them anything.

  49. 49 admin Mar 5th, 2009 at 8:42 pm

    @ “Scammer”

    >how do we know they are “masses”
    I know because each had a different IP address (although they could have used TOR)

    >let’s say I’ve been told that a site is not legitimate over the phone by my bank

    Incorrect, I think your bank will say they have never heard of a site, they will not go so far as to say that it must therefore be bad, or indeed good, they will have no opinion.

    An additional reason for trusting this securesite domain, which I did not mention in the original article was that in order to reach it one starts off with an online shop that one trusts, and thus by extension one can assume (by a chain of trust) that it is trustworthy.

    But ultimately, it is up to the dear reader to decide whom he wishes to trust, this site has nothing to gain, or lose either way, we just write about things that interest us.

  50. 50 b1ade Mar 30th, 2009 at 3:05 am

    I too felt very uneasy after entering information into a “Verified by Visa” popup during an online checkout. This is a great thread that I found when trying to determine whether I had been a victim of phishing or not, but in my case the site forwarded to was securesuite.net. Since nothing posted can truly be trusted, if you want peace of mind, do the following: go to visa.com and select the “You’re Secure with Visa” / “Cardholders” link. This will take you to a page with a link to Verified by Visa. Follow it, and then select the “Activate Now” button. This will bring up a popup requesting your card number, but it originates from https://usa.visa.com/… so it is safe. Once submitted, this forwards you to the securesuite.net web site (where I was able to log in using the username and password obtained during the initial checkout). So, the securesuite.net site is safe, and you can verify it for yourself using the above procedure. But it’s sad that the system was so poorly conceived, and in the end will probably do more harm than good as users are “taught” that it’s ok to give sensitive information to web sites that do not match those that can be trusted.

  51. 51 k Apr 12th, 2009 at 5:22 pm

    totally agree….and banks are still idiots, keep on doing this.

  52. 52 Scammer Apr 18th, 2009 at 1:31 pm

    b1ade wrote:
    >So, the securesuite.net site is safe

    Interesting. But what about securesuite.co.uk?

    FYI I am still waiting for an answer to my letter to Nationwide asking them what their affiliation to securesuite.co.uk is. I will post an update here when I get a reply. So far, my only information from them is what their “Verified by VISA” dept told me on the phone: they have NEVER HEARD OF THAT SITE.

  53. 53 owen Apr 29th, 2009 at 3:25 pm

    Not a scam, it seems.

    Mine was through my LloydsTsb debit card. I checked on it by going to the LloydsTsb site and heading for the security link. There it specifically mentioned the system, which they call Clicksafe. I was able to log in to this system through the LloydsTsb website, with the proper LloydsTsb security certificate, using the details that I’d entered on the original securesuite page.

    So, not a scam, seemingly, but a very, very stupid system for banks to be involved with.

    If you’re unsure then go to your bank’s website and search the page for Clicksafe or Securesuite.

  54. 54 Not Amused May 14th, 2009 at 7:06 pm

    Possibly against my better judgement I enrolled my NatWest card with the MasterCard scheme ages ago, and have been using it for many purchases, including with pizzahut.co.uk.

    When ordering a pizza today I got to the usual “embedded link to your bank” section, and provided the requested details (“enter 1st, 3rd and 7th letters of your password”). It came back saying that I’d got it wrong, so I re-entered (it was still asking for the same details, so it can’t be trying to work out my full password). It came back again saying it was wrong. So I tried a third time and it said wrong again.

    At this point, maybe I’ve mis-remembered my password? Possible, let’s re-enrol anyway (I always thought that this was stupid, what point is it having a system that insists on a password and lets you easily create a new one anyway).

    So I start going through the details it wants for re-registering and notice that apart from my date-of-birth all of the details it asks for are on the card – so someone who has stolen my card only needs to find out my date-of-birth to re-enrol on the system and loot my account.

    At this point I’m not thinking it’s a scam or hack, just a stoopid system. So, after double checking that my link to pizzahut.co.uk is still secure, and I am still in an embedded section of the Pizza Hut website, I click the button to send my details to re-register.

    At this point Firefox pops-up “Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party” etc.

    Now the alarm-bells start ringing. Status bar says “Waiting for www.securesuite.co.uk”, which as far as I knew at the time has nothing to do with NatWest, MasterCard or Pizza Hut. Has pizzahut.co.uk been hacked? Is this an elaborate redirection scam? Is my PC infected with something? So I hit cancel!

    After a spot of whois’ing and Googling and ending up here I’m convinced (as many have said here before) that this was all legit (usual disclaimers apply!), but sending re-registration details to a domain unknown to the user UNENCRYPTED?????????

    I work in IT and am always telling people not to do things online without thinking, but this kind of thing certainly doesn’t help when the best minds that the industry has to offer design systems with errors like this.
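Added example (not part of the comment thread, and not code from any site named in it): the condition behind the Firefox warning described in comment 54, a form on an HTTPS page that submits over plain HTTP, can be checked mechanically. This Python sketch lists form targets that are cleartext or sit on a different host than the page; the hosts shop.example and acs.example, the function names and the sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects <base href>, <form action> and button/input formaction values."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.targets = []  # (tag, raw attribute value) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base_href is None and a.get("href"):
            self.base_href = a["href"]          # only the first <base> counts
        elif tag == "form":
            self.targets.append(("form", a.get("action") or ""))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction overrides the enclosing form's action for that button
            self.targets.append((tag, a["formaction"]))


def audit_form_targets(page_url, html):
    """Return findings for form targets that leave HTTPS or leave the page's host."""
    collector = _FormCollector()
    collector.feed(html)
    collector.close()

    base = urljoin(page_url, collector.base_href) if collector.base_href else page_url
    page = urlsplit(page_url)
    findings = []
    for tag, raw in collector.targets:
        # An empty or missing action submits to the document's own URL, not <base>.
        target = urljoin(base, raw) if raw else page_url
        t = urlsplit(target)
        issues = []
        if page.scheme == "https" and t.scheme == "http":
            issues.append("cleartext-submit")    # what the browser warning is about
        if t.hostname and t.hostname != page.hostname:
            issues.append("third-party-host")    # data goes to a host the user did not visit
        if issues:
            findings.append({"tag": tag, "target": target, "issues": issues})
    return findings


# Constructed sample: a checkout page with an embedded re-enrolment form.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_PAGE = """
<html><body>
<form action="/basket/update" method="post"><input name="qty"></form>
<form action="http://acs.example/reenrol" method="post">
  <input name="dob"><input type="submit" value="Re-register">
</form>
<form action="https://acs.example/auth" method="post">
  <input name="pw_chars">
  <button formaction="//acs.example/cancel">Cancel</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_form_targets(SAMPLE_URL, SAMPLE_PAGE):
        print(finding["tag"], finding["target"], ",".join(finding["issues"]))
```

A "third-party-host" finding alone is expected for any outsourced 3D Secure form; the "cleartext-submit" finding is the defect the commenter hit.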

  55. 55 Scammer May 14th, 2009 at 7:52 pm

    Today I finally got a letter from Nationwide, confirming that securesuite.co.uk is legitimate. This took one phone call (when they told me that they had never heard of it), one email (ignored), two letters (first one ignored), and more than two months.

    Of course they phoned me first, and asked me for all my personal details without offering any proof of who they were. So I told them to put whatever they wanted to say in writing.

    Read it here: http://chezphil.org/tmp/nationwide_securesuite_letter.jpg

    I have a horrible feeling that whoever came up with this idea will now have moved on to something like digitising our medical records, or something….

  56. 56 Mike barwise May 18th, 2009 at 8:46 pm

    What makes this idiotic “service” even worse is that it won’t work unless JavaScript is enabled. This should be totally unnecessary - it’s just a form that gathers some information and sends it to a server, which can be done perfectly well in pure HTML. But no - they use JavaScript, making the user vulnerable to malicious code. There is a huge incidence of “legitimate” web sites with poor security being infected with malicious scripts, and the only protection you have is to browse with scripts disabled. To force the use of scripts unnecessarily on an untrustable (because unknown and verifiable) _banking-related_ web site is just plain daft (sorry to use technical jargon, developers).

  57. 57 r-doll Jun 16th, 2009 at 8:11 pm

    Hey,

    Found your site when googling “https://www.securesuite.co.uk phishing”! Totally agree, looks well suspect.

    Cheers for the post tho.
    R :)

  58. 58 JD Jul 18th, 2009 at 2:14 pm

    After coming across this particular site before I can give only the following advice as based on what I was told informally by the bank I use for internet transactions.
    The major clearing banks do not as policy require 3rd party verification of transactions for internet use, if any e-tailer decides to use such measures it is with the consent of the purchaser. So in short if you do not want to give your details to someone you don’t know then don’t!
    I would also add the vendor to any personal blacklist you have and spread the word.
    The only way you will get vendors to up their game is to use the financial power that you have and deny them the oxygen of your business until they realise they are in error.

  59. 59 John Jul 24th, 2009 at 9:33 am

    Verified by Visa and SecureCode are probably among the worst security implementations of all time. The reasons for this are very simple, but you need to understand the background a little. The programs were brought out by Visa and MasterCard in response to merchants’ cries that MC & Visa needed to do more to protect merchants against online fraud. So they did more - and this is the result.

    MC and Visa mandated to all issuing banks that they must implement SecureCode and Verified by Visa. So when an online transaction is carried out on a card, and handled by an acquirer, the acquirer checks if the merchant (e.g. amazon) has signed up for SC/VbV (I’ll come back to that later) and if they have will redirect the request to the issuing bank’s provider of SC/VbV - in the case above this is securesuite for AIB. The issuing bank must have this implementation in place with a provider.

    Now, to get to the crux of the issue, the reason that it is all done so badly and looks so crap is the banks have no interest in doing this at all. They only do it because it is mandated. And why do they have no interest - and this is the one, key point to the whole mess - is that it creates a liability shift. When an online transaction happens traditionally, if there is any fraud/chargebacks etc the liability and loss rested with the merchant. Now, when an online transaction is carried out using VbV or SC and there is fraud, chargeback, etc, the liability moves to the issuing bank, along with the associated overheads / administration in managing the fraud. This is why it is so badly done, this is why banks don’t bother to communicate to their customers on this service, or educate their staff on the service. They’ve no interest - they do it because it’s a condition of their issuing license with MC/Visa.

    So I hear you say, but if the liability shifts and it takes all exposure away from merchants (which is why the program was started) why don’t all merchants use it? When an online merchant signs up with an acquirer to handle payment transactions, they specify (and pay more) whether they want VbV/SC as part of the transaction payment process. It is only if a merchant specifies this that a transaction will be routed in this way and the liability shifts away from them. So why don’t they all do it?

    Well clearly the answer to that is in all the posts above. Because it’s crap! Look how many people abandoned transactions above. I’ve heard anecdotal evidence of online merchants dropping sales by as much as 70% after signing up for VbV/SC, realizing that their fraud levels don’t look so bad after all, and quickly abandoning the program.

    It’s a classic example of a well-conceived idea that was poorly executed and followed through. MC and Visa started this, but didn’t do enough to make sure it was a success.

  60. 60 David Woolley Aug 17th, 2009 at 1:41 pm

    Given that one has already provided enough information for anyone to get the personal assurance message, I also found securesuite a very phishing like domain name. I also failed to get Nationwide to verify that Cyota were their agents; they just repeated use the information on our web site, but their web site was an http site, so it was not possible to confirm that it was not tampered with.

    Cyota are, of course, a non-EEC company, so not obviously subject to EEC data protection laws.

    Eventually I used a diversity approach (checking at different times from different accounts, etc.) to get some confidence.

    However the big problem I find now is that merchant services companies, and people like British Gas, are embedding the 3D Secure form in their web pages without using any sort of frame, so that they are man in the middle on the outbound leg, and, unless one very carefully checks the scripting on the page, could easily be so on the inbound leg!

    When I first heard of the system, I thought it was a good idea, as it got round the problem of traders redirecting to unknown card processing sites, for the secure part of the transaction.

  61. 61 Claire Aug 22nd, 2009 at 2:51 pm

    I just phoned Halifax and they confirmed that they do use securesuite, and (judging by the speed of his response) the operator had had numerous enquiries as to its legitimacy. Hopefully the banks will have taken this on board…

    I still find it very odd/hard to stomach that with just my card and my birth date (THAT’S JUST ONE PIECE OF INFO THAT’S NOT PRINTED ON MY CARD, AND IT’S NOT THE HARDEST BIT OF INFO TO FIND OUT EITHER) that someone can change my password. A password isn’t really a security layer if anyone can change it relatively easily is it?

  62. 62 Martin Chamberlain Sep 8th, 2009 at 6:17 pm

    Thanks for posting this information.

    I have just been through exactly the same thing as an MBNA user and had exactly the same concerns. Even carried out the WHOIS query!

    It seems the details have been updated:

    …and look less phishy (sic) :)

    Domain name:
    securesuite.co.uk

    Registrant:
    RSA, The Security Division of EMC

    Trading as:
    EMC

    Registrant type:
    Non-UK Corporation

    Registrant’s address:
    8200 Greensboro Drive
    Suite 1100
    Mclean VA
    22102
    United States

    Registrar:
    Register.com Inc [Tag = REGISTER-DOT-COM]
    URL: http://www.register.com

    Relevant dates:
    Registered on: 09-Jun-2002
    Renewal date: 09-Jun-2010
    Last updated: 11-Nov-2008

    Registration status:
    Registered until renewal date.

    Name servers:
    pdns3.ultradns.org
    pdns4.ultradns.org
    pdns5.ultradns.info
    pdns6.ultradns.co.uk 204.74.115.1

  63. 63 Lawrence Elson Nov 13th, 2009 at 7:25 am

    Just encountered this when making an online purchase of boiler parts that I have previously used.

    Just like everyone else, the alarm bells went off at the apparent phishing nature of the page which had never been part of the checkout process before.

    I abandoned the transaction and went searching for info and found this thread.

    Based on the info here, I then went to my bank’s website and found a link through their security info. The information implied it was an Abbey site I would be linked to, but sure enough, it was securesuite.

    Given the origin of the link, I decided to register my card as Abbey would be initially liable if it were fraudulent. (in my amateur legal opinion)

    Having registered this way, I went back to the boiler site and completed my transaction. The verisign popup only asks for 3 characters from your (up to 30 character) password, giving me somewhat more confidence in the system.

    My advice - Register with verified by Visa via your bank’s website. If the bank has been hacked, it is their responsibility and liability for any resultant fraud.

    Thanks to all your contributors for info and advice. It really helped with this one.

  64. 64 Squirrel Dec 4th, 2009 at 10:12 am

    I have put the NoScript security plugin on firefox. It will not allow payment verification due to securesuite: “NoScript filtered a potential cross-site scripting (XSS) attempt from [https://www.securesuite.co.uk].”

    Securesuite is no doubt a trustworthy site but it should be taken to court for failure of duty of care to interact with normal security procedures — a failure which will surely result in people dropping computer security and producing increased criminal activity. I am using the telephone for payments–securesuite shows that computer security is defective in its implementation.

  65. 65 Eric Baird Dec 25th, 2009 at 9:05 pm

    Yeah, so Visa have subcontracted online security for our card purchases to a person or persons unknown who don’t seem to understand the basics of online security? If I was a Visa executive, I’d feel //humiliated// by the existence of this system with my company’s name on it, and would want it changed tomorrow. But it’s been rotten for years, now.

    They seem to have fixed two things. At least now they have a domain name! Seriously, they used to redirect you to an anonymous IP address (!). And to make the site look even more like a third-rate Russian scam site, it even used to have spelling mistakes. This system needs to be roasted on a consumer affairs tv program, as an example of how not to do internet security.
    The danger, of course, is that the site conditions people to think that this is acceptable behaviour for a site, which means that they’re more likely to get caught by an actual scam site.

    You’d almost think that Visa had hired a bunch of actual scam site programmers to set up their security. Hmmm. Surely not …

  66. 66 Eric Baird Dec 25th, 2009 at 9:57 pm

    Actually, I take one thing back. The “Verified by Visa” site still hasn’t gotten rid of the spelling mistakes. I just left some feedback, and got this:

    “Thank you for completing the questionnaire. We really appreciate your views and will take all sugestions into consideration.”

    There are two “g”’s in “suggestions”. Of course, this is another sign that we’re supposed to look out for to alert us that we’re on a fake site, because a real banking site would never have basic spelling mistakes, would it …

    [sigh]

  67. 67 Steve Jan 19th, 2010 at 3:02 pm

    Reading the comments above (or some of them at least), it seems like this problem still hasn’t been sorted out. I’ve just tried to purchase some groceries on the Tescos website and after I included my card details to pay for my items a second window appears asking me for further card details. I think it is best to ignore it and just close the window. I typed in www.securesuite.co.uk and it still appears as a blank page after two years now. Very strange.

  68. 68 Tony Mar 5th, 2010 at 5:42 pm

    I had to call barclaycard anyway so I asked them about this phishing pop-up. Their rep(?) said it was ok to fill in whatever was asked because it was a new system designed to make things more secure. “So that’s ok then?” I said. “Yes” he said. But I’m sure everyone remembers those previously immortal words from their bank, “We will never ask you for your banking details online.”
    It’s a bit annoying because I have three cards from Barclays and now I have to remember three new passwords. You’re not supposed to write them down, right? What scares me is that the phishing door is now open again. I was just about secure in the idea that I could give my numbers on the net but that secure feeling has now been seriously decreased rather than increased. Maybe that’s a good thing. Anyway, I expect a whole new suite of phishing scams based on this new pop-up format developed by the banks.

  69. 69 Bill Apr 5th, 2010 at 8:07 pm

    Last night I made a purchase online and was given the option to join MasterCard SecureCode….or not complete the transaction. I filled in the required information without giving it too much thought but grew suspicious after the fact. I contacted my bank; their response follows:

    Dear (xxxxx),

    Thank you for your inquiry regarding MasterCard SecureCode. This is a legitimate service provided by MasterCard, which allows cardholders to create a private, personalized password used for online transactions.

    This service is intended to increase account security further by automatically prompting the cardholder to enter his personal password at the time of the transaction, and protecting against unauthorized use when shopping at participating online merchants. If you have additional questions or concerns, please reply to this message or call us at (xxxxxx).

    We value your business and the opportunity to serve all your financial needs.

    Thank you,
    (xxxxx)
    USAA

  70. 70 Nick Apr 14th, 2010 at 4:13 pm

    I’ve ordered trading cards for my son from KoolKingdom.co.uk, and Greylight.co.uk, who both use this securesuite thing. Nothing has been taken out of my account that shouldn’t have, and my orders have arrived safely, so as far as I’m concerned it is legitimate.

    I must admit it does look a little fishy though, you’d think they would do something more to make themselves look less like a scam and more like a legitimate website.

  71. 71 John May 13th, 2010 at 6:19 am

    I joined this scheme by registering my Lloyds/TSB debit card when I could find no way of purchasing a particular item without doing so. Since then I have had to use it rarely, as the sites I use regularly do not require it.
    Yesterday I received an email informing me that my clicksafe password had been successfully changed. Since I had not done so, I assumed the mail to be a phishing attempt and forwarded it to Lloyds/TSB’s email scam address. I have done this previously with obvious scam emails and had a prompt acknowledgement. This time I had not heard anything several hours later, so looked at the mail more carefully. It looked genuine, and didn’t appear to want me to reveal any personal details, so I grew alarmed. Rather than calling the number on the mail (in case it was a scam to connect me to a premium number), I found (the same) one on Lloyds/TSB’s genuine site and called to query if my password had actually been changed.
    I was informed that my password had been changed, that someone had obtained my card details and had attempted to purchase goods to the value of over £300 from Currys. This transaction had been declined by the bank as ‘it did not conform to my normal pattern’ - rather odd since I do use Currys. Obviously my normal monitoring of the account showed nothing amiss.

    So it appears that someone had accessed:
    - My card number, start and end dates, security code.
    - My Clicksafe login and password

    As a result, my card has been cancelled and I await a replacement. I have altered all my clicksafe login details. When the new card arrives I will have to remember to amend my details on the sites where the old card is registered. During my call to Lloyds/TSB I was offered their ID aware service, which monitors account movements and also any credit applications - it sounded scary that someone in possession of my details could apply for credit in my name, default and leave me to pick up the pieces, so I agreed to join the scheme for £6.99 monthly. I had previously seen this scheme but considered it the bank’s job to ensure the security of the account.

    I am left with a nasty suspicion that this whole situation may have been an attempt to make money for Lloyds/TSB - I am careful not to incur bank charges, so they might be keen to profit from me by other means. Does anyone remember the British Gas scam where they told customers on a maintenance contract that their boilers were becoming unserviceable because of a shortage of spares, and that if they did not get a new boiler (at a ‘bargain’ price from BG) they might find themselves without heating? I fell for that one, too.

    In any case, if my bank details were compromised, it was not through my doing, and almost certainly via Clicksafe since those details were also obtained, so that doesn’t do much for Clicksafe’s reputation. I will not register my new card with them when it arrives.

    My advice to anyone being pressured into joining Clicksafe’s scheme is to resist, not make the purchase via the internet with the retailer concerned and make sure the retailer understands why he is losing custom.

  72. 72 MPA Aug 6th, 2010 at 1:02 pm

    If this isn’t a phishing site then it’s an incredibly bad decision by the card (or the securecode) providers to use such a crappy domain name and design.

    Since reading this page, (and since the earliest posts were made 3-4 years ago and any phishing site would long-since have been taken down - I hope!) then I’m going to trust it and put my details in, but I am also going to contact my card provider (MBNA) and tell them that I think it’s bad of them to use something that looks so suspiciously like phishing.!

    Not impressed..!

  73. 73 Marek Oct 9th, 2010 at 3:13 am

    I fell for this a few months ago and had to get my CIBC Visa card replaced.

    I was purchasing Skype time and the on-line transaction bumped me to that “Verified by Visa” enhancement. I was suspicious of the domain not matching anything familiar so I tried to investigate - not being able to find any useful information I finally called a local branch of CIBC. I was bumped through several extensions, none knowing anything of substance about that “service”; finally the last one told me that it was legit. However even though still a bit suspicious I finalized that purchase.

    The next statement showed a couple of purchases of some version of Karpinsky software that I didn’t make, once a few hours after my own Skype transaction and then again a couple of days later.

    To this day, in spite of making further inquiries by email to CIBC and to Skype I have received no formal explanation of whether that “Verified by Visa” securesuite domain is a legitimate operation or not.

    Today I wanted to buy more time on Skype and guess what - the same site popped up asking for that same personal info and no one wants to give me an answer or to bring that operation down. - As far as I am concerned, they are either a fraudulent operation as a whole or have a bunch of shady employees on their staff.

    … any comments or ideas?

  74. 74 rich Oct 13th, 2010 at 4:57 pm

    Four years later, and still just as suspicious as ever. Mind boggling, really.

  75. 75 Mike Barwise Oct 15th, 2010 at 12:09 pm
  76. 76 Maureen Oct 21st, 2010 at 12:04 am

    I’ve just tried to make a purchase from Tesco, got to the payment section and after putting in all my card details clicked continue only to have VbV Secure Code appear on the page asking me to register before continuing. Either you register or can’t proceed.

    As I don’t want to give more details or have two codes and another password to remember I didn’t continue.

    I’ve read through this thread and thought exactly the same as the other posters, that this isn’t adding security when more personal details have to be given on an insecure webpage in order to register.

  77. 77 Anthony Oct 21st, 2010 at 4:10 pm

    Just gone through this myself - the “Verified by Visa” popped up while I was purchasing using a card from Santander. It was asking me to enter personal information in a frame embedded in the merchant’s web site.

    The help page popup was rubbish. So called bank - spent ages “talking” to someone in India. Eventually got through to someone I could understand in the UK who took me through the registration. He could not understand why registering on a site “www.securesuite.co.uk” which is a domain I’ve never heard of and bore no relation to Santander or Visa would be any type of issue.

    Anyway - eventually registered and when I went back to the merchant to try my purchase again - the secure suite site had set my login name in a cookie!

    I can’t believe the banks are signing up to this.

  78. 78 Reven Nov 19th, 2010 at 7:25 am

    Hi, I have been using my natwest card online and never enrolled in verified by visa but I still receive emails about verified by visa from every bank other than my own. And after reading most of this page I am slightly convinced that it is legit but then why are they sending me messages about bank accounts I do not have????
    It all seems very shifty even if it is legit.

  79. 79 Scott Jan 11th, 2011 at 5:14 am

    Funny thing. I just had this issue with securesuite.net and called visa. I got passed around from department to department and back again. No one seemed to get the idea of the app being on a suspicious domain.

    Even when I spelled it out for her that “I am currently on a website that I have strong reason to believe is a phishing scam to steal your clients’ information,” she still didn’t seem to care. I shit you not, exact words. Her only response was, “if the verified by visa logo appears then you know your transaction’s secure.” To which I responded, “Even if it’s hosted on a different domain?” She answered, “Yes.”

    Wow.

    Disillusioned with the mighty visa security force, I then started looking around about securesuite and found this page. I laughed as the article reiterated everything I just told the inept agent at visa security. After reading through some comments (which I wholeheartedly agree with), I came across one that mentioned that simply canceling out of the verified by visa app would bring you back to the purchase screen and the order would be completed.

    Well, it did and was. In fact, it had already completed well before I had even got a hold of visa security. Some security system that was. Still, that deepens the evidence of this being a phishing scam.

    I still have one question, “Why don’t visa security care when I call to report a scam stealing their customers’ information?”

  80. 80 Groovemaneuver Jan 15th, 2011 at 1:12 pm

    Just noticed this excellent info when making a ticket purchase from a train company site. STILL, over FOUR YEARS LATER. I noticed it as I whitelist my scripts, nothing gets to run active content on my system without authorisation. So often, when I make a purchase, I have to switch the protection off, or it doesn’t work, or partially works. Due completely to the site launching one or more external domain requests at the order confirm page. Why are there so many awful designers out there getting repeat employment for years on end?! For me, it’s the site I’m using, the external payment processing site, if present, then the bank’s own site for the verification stage, THEN this securesuite, because the bank also use that. Yeah, I’m super-confident in the security there… Idiot banks.

  1. 1 Errr ? - SlicedThread Pingback on May 22nd, 2008 at 6:02 pm
  2. 2 Jon Smith's Web Site - TechBlog Pingback on May 4th, 2009 at 2:15 pm
