Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

3-D Secure Woes

So far over the past week, we’ve had two people tell us that they think some sort of scam is going on via our website after their bank decided to ask them for something stupid as part of its 3-D Secure (Verified by Visa/MasterCard SecureCode) implementation.

The first one was a U.S. bank that decided it’d be a great idea to ask its customers to enter their Social Security Number into a web form on the Internet. U.S. citizens are understandably very wary about giving out their Social Security Numbers online, particularly on websites they don’t recognise. It also seems that the bank in question hadn’t mentioned to the cardholder that it might ask them for this information during a card payment transaction, resulting in a worried e-mail to us asking if it was some sort of scam.

The second incident involved a credit union that had told its members that it would never ask them to enter their credit union member number online. And then it did, in its 3-D Secure authentication form. Again, we get an e-mail asking us if it’s some sort of scam.

Most of these problems seem to be due to inept security policies at U.S.-based card issuers. At the very least, if you are going to enroll your customers’ cards for 3-D Secure, you need to make sure they know what to expect when they see the Verified by Visa or MasterCard SecureCode boxes appear. Otherwise it’s actually a major security risk, because someone could set up a site that pretends to use VbyV or MCSC and asks for information like Social Security Numbers that can then be used for credit fraud.