“Thank you for completing the questionnaire. We really appreciate your views and will take all sugestions into consideration.”

There are two “g”’s in “suggestions”. Of course, this is another sign that we’re supposed to look out for to alert us that we’re on a fake site, because a real banking site would never have basic spelling mistakes, would it …

[sigh]

They seem to have fixed two things. At least now they have a domain name! Seriously, they used to redirect you to an anonymous IP address (!). And to make the site look even more like an third-rate Russian scam site, it even used to have spelling mistakes. This system needs to be roasted on a consumer affairs tv program, as an example of how not to do internet security.
The danger, of course, is that the site conditions people to think that this is acceptable behaviour for a site, which means that they’re more likely to get caught be an actual scam site.

You’d almost think that Visa had hired a bunch of actual scam site programmers to set up their security. Hmmm. Surely not …

Securesuite is no doubt is a trustworthy site but it should be taken to court for failure of duty of care to interact with normal security procedures — a failure that which surely result in people dropping computer security and producing increased criminal activity. I using the telephone for payments–securesuite shows that computer security is defective in its implementation.

Just like everyone else, the alarm bells went off at the apparent phishing nature of the page which had never been part of the checkout process before.

I abandoned the transaction and went searching for info and found this thread.

based on the info here, I then went to my banks website and found a link through there security info. The information imlied it was an abbey site I would be linked to, but sure enough, it was securesuite.

Given the origin of the link, I decided to register my card as Abbey would be initially liable if it were fraudulent. (in my amateur legal opinion)

Having registered this way, I went back to the boiler site and completed my transaction. The verisign popup only asks for 3 characters from your (up to 30 character) password, giving me somewhat more confidence in the system.

My advice - Register with verified by Visa via you banks website. If the bank has been hacked, it is there responsibility and liability for any resultant fraud.

Thanks to all your contributors for info and advice. It really helped with this one.

I have just been through exactly the same thing as an MBNA user and had exactly the same concerns. Even carried out the WHOIS query!

It seems the details have been updated:

…and look less phishy (sic)

Domain name:
securesuite.co.uk

Registrant:
RSA, The Security Division of EMC

Trading as:
EMC

Registrant type:
Non-UK Corporation

Registrant’s address:
8200 Greensboro Drive
Suite 1100
Mclean VA
22102
United States

Registrar:
Register.com Inc [Tag = REGISTER-DOT-COM]
URL: http://www.register.com

Relevant dates:
Registered on: 09-Jun-2002
Renewal date: 09-Jun-2010
Last updated: 11-Nov-2008

Registration status:
Registered until renewal date.

Name servers:
pdns3.ultradns.org
pdns4.ultradns.org
pdns5.ultradns.info
pdns6.ultradns.co.uk 204.74.115.1

I still find it very odd/hard to stomach that with just my card and my birth date (THATS JUST ONE PIECE OF INFO THAT’S NOT PRINTED ON MY CARD, AND ITS NOT THE HARDEST BIT OF INFO TO FIND OUT EITHER) that someone can change my password. A password isn’t really a security layer if anyone can change it relatively easily is it?

Cyota are, of course, a non-EEC company, so not obviously subject to EEC data protection laws.

Eventually I used a diversity approach (checking at different times from different accounts, etc.) to get some confidence.

However the big problem I find now is that merchant services companies, and people like British Gas, are embedding the 3D Secure form in their web pages without using any sort of frame, so that they are man in the middle on the outbound leg, and, unless one very carefully checks the scripting on the page, could easily be so on the inbound leg!

When I first heard of the system, I thought it was a good idea, as it got round the problem of traders redirecting to unknown card processing sites, for the secure part of the transaction.

MC and Visa mandated to all issuing banks that they must implement SecureCode and VerfiedbyVisa. So when an online transaction is carried out on a card, and handled by an acquirer, the acquirer checks if the merchant (e.g. amazon) has signed up for SC/VbV (I’ll come back to that later) and if they have will redirect the request to the issuing banks provider of SC/VbV - in the case above this is securesuite for AIB. The issuing bank must have this implementation in place with a provider.

Now, to get to the crux of the issue, the reason that it is all done so badly and looks so crap is the banks have no interest in doing this at all. they only do it because it is mandated. And why do they have no interest - and this is the one, key point to the whole mess - is that it creates a liability shift. When an online transaction happens traditionally, if there is any fraud/chargebacks etc the liability and loss rested with the merchant. Now, when an online transaction is carried out using VbC or SC and there is fraud, chargeback, etc, the laibility moves to the issuing bank, along with the associated overheads / administration in managing the fraud. This is why it is so badly done, this is why banks don’t bother communicate to their customers on this service, or educate their staff on the service. They’ve no interest - they do it because its a condition of their issuing license with MC/Visa.

So I hear you say, but if the liability shifts and it takes all exposure away from merchants (which is why the program was started) why don’t all merchants use it. When an online merchant signs up with an acquirer to handle payment transactions, they specify (and pay more) whether they want VbV/SC as part of the transaction payment process. Its is only if a merchant specifies this that a transaction will be routed in this way and the liability shifts away from them. So why don’t they all do it?

Well clearly the answer to that is in all the posts above. Because its crap! Look how many people abandoned transactions above. I’ve heard anecdotal evidence of online merchants dropping sales by as much of 70% after signing up for VbV/SC, realizing that their fraud levels don’t look so bad after all, and quickly abandoning the program.

Its a classic example of a well-conceived idea that was poorly executed and followed through. MC and Visa started this, but didn’t do enough to make sure it was a success.