"I will complain to the retailers, banks, credit card companies and to government about every Verified By Visa or MasterCard SecureCode instance I see but only if 15 other online shoppers will do the same."
— Tom Morris
Deadline to sign up by: 1st July 2009
16 people signed up (1 over target)
Country: United Kingdom
Rather than implementing some real security measures (one-time password generators, personal SSL certificates, SMS authentication, SMS and e-mail audit notifications and so on), the banks and credit card companies have put in place two poorly designed security measures called "3-D Secure", also known as "Verified by Visa" or "MasterCard SecureCode". They use inline iframes to present password windows to users. This teaches people that just typing in any old password when someone asks for it is okay - it's suspectible to man-in-the-middle attacks and to phishing.
The system is completely nointuitive. It gives almost no security benefit, and has considerable problems. It's a poor solution to the problem of identity theft. I think it's perfectly possible to stop it: if we complain to every online retailer we use who has implemented this hare-brained idea, and to Visa, MasterCard, the banks, APACS and the government. We should be demanding proper, working online security technologies from our banking institutions, not half-baked crap like Verified by Visa. To paraphrase Linus Torvalds, security that doesn't involve a web of trust model is little more than masturbation.
For more information on 3-D Secure/Verified by Visa/SecureCode, see:
Tom Morris, the Pledge Creator, joined by: