When Written: Dec 2009
Whilst we are on the subject of on-line shopping, indulge me whilst I make an observation on the ‘Verified by Visa’ system. This is the credit card security system where, after you have entered your credit card information with the shop or their internet payment provider, another window pops up from either Visa or MasterCard asking you to provide your user name and password before the payment will be authorised.
This all looks fine, but the weakness as I see it comes should you forget the password. There is only an option to change it, not the usual option to have the password emailed directly to you. The screen that enables you to set a new password asks several security questions, all but one of which can be answered from the card details; those details you will certainly have, because you have just entered them on the vendor’s site anyway. The final ‘security’ question is your date of birth. A quick look on sites like Facebook, or on one of the many family-tree web sites where a helpful member of your family may have entered your date of birth in the aim of completeness, will often reveal this: hardly a security question! It does make you wonder who comes up with these security measures and whether they even use the internet.
Come on Visa, I’m sure you can do better than this. At least if you use the more usual system of email validation, there is a very good chance that the person requesting a change of password is the person who originally registered the card with Verified by Visa; or use the method of providing a user-definable secret question and answer which should be known only by the card holder.
I know that the credit card companies are currently working on ‘smart cards’ which generate a one-time passkey on a display in the card, much like some of the calculator-style devices that certain banks issue to provide extra security for their on-line banking systems.
I remember writing many years ago in this magazine about Amex trialling credit card swipe readers; nothing came of that trial, so apart from those extra three numbers on the back of our credit cards and a look-up of the card holder’s address, not much is different in the security of our on-line transactions. We are still waiting for a solution.
The topic of on-line security came up in conversation recently: a friend of a friend, who shall remain nameless, had his PayPal account compromised and was puzzled as to how this could have happened. As it turned out, he revealed that he had clicked on what he thought was a genuine email from PayPal’s accounts department. However, this turned out to be a spoof email cleverly faked to look as if it was from PayPal. These emails can look very convincing, but the rule here is never to click on a link in an email; go directly to the web site in question by typing its address into the browser’s address bar. Faking a link in an email can be as simple as:
<a href="http://www.nasty_site.ru">Click here to login to PayPal</a>
The technique of hovering over such links to see the ‘real’ link shown as a tooltip cannot always be trusted, as the tooltip itself can be faked if JavaScript is enabled in your email client, as is the case with most modern web-mail front-ends. It is all very well checking normal URLs, but what about the increasing use of shortened URLs? You know the sort of thing: http://tinyurl.com/ybsad9q.
These shortened URLs can be quite useful, particularly on Twitter where the number of characters is limited. So how do you know it’s a safe URL? Only click on links from people you trust? What about re-tweets? These shortened URLs are a great way for phishing sites to disguise their links, so be very careful when clicking on them; I’m sure that the increase in people falling foul of such attacks is due in part to URLs such as these.
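Since the tooltip cannot be relied upon, the checks in the two passages above (a link whose text says PayPal but whose href points elsewhere, and a link hidden behind a shortener) can be done on the raw HTML of the message instead. The following is an added example of my own, not code from the original column or from any mail client: it pulls the anchors out of a message and flags the mismatches. The shortener list, the brand words and the sample message are constructed for illustration; the first sample link is the column’s own spoofed PayPal link.

```javascript
// Added example, not from the original column: scanning the anchors in an
// e-mail body for the warning signs discussed above, without trusting the
// client's tooltip. The shortener list, brand list and sample message are
// constructed for illustration.
const SHORTENER_HOSTS = new Set(['tinyurl.com', 'bit.ly', 't.co']);
const BRAND_WORDS = ['paypal', 'visa', 'mastercard'];

// Minimal anchor extractor for an HTML string; no DOM required.
function extractAnchors(html) {
  const re = /<a\s+[^>]*href\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const anchors = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    anchors.push({ href: m[1].trim(), text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return anchors;
}

// If the visible text itself names a host ("www.paypal.com"), return it.
function hostInText(text) {
  const m = text.match(/\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/i);
  return m ? m[1].toLowerCase() : null;
}

// Compare what the link claims to be with where it actually goes.
function analyseLink({ href, text }) {
  const findings = [];
  let url;
  try {
    url = new URL(href);
  } catch {
    return { href, text, findings: ['unparseable-href'] };
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol !== 'https:') findings.push('not-https');
  if (SHORTENER_HOSTS.has(host)) findings.push('shortened-url');
  const claimed = hostInText(text);
  if (claimed && claimed !== host && !host.endsWith('.' + claimed)) findings.push('text-host-mismatch');
  const brand = BRAND_WORDS.find((b) => text.toLowerCase().includes(b));
  if (brand && !host.includes(brand)) findings.push('brand-mismatch');
  return { href, text, findings };
}

function scanEmail(html) {
  return extractAnchors(html).map(analyseLink);
}

// Constructed sample message: the column's spoofed link, a shortened link,
// and a genuine-looking link whose text and host agree.
const SAMPLE_EMAIL = `
<p>Dear customer,</p>
<a href="http://www.nasty_site.ru">Click here to login to PayPal</a>
<a href="http://tinyurl.com/ybsad9q">View your statement</a>
<a href="https://www.paypal.com/signin">www.paypal.com</a>
`;

console.log(scanEmail(SAMPLE_EMAIL));
```

Run as-is, the first link is reported as not-https and brand-mismatch, the second as a shortened URL (and not-https), and the third comes back clean. A shortened link cannot be judged from the message alone; the safe way to see where it leads is to resolve it from a service or a script that follows the redirect with a HEAD request, rather than by clicking it in the mail client.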
Article by: Mark Newton
Published in: Mark Newton