January 6, 2005, 12:00 AM

Verified by Visa security program used as bait in phishing scams

Even security programs can serve the efforts of criminals with schemes for online payment fraud. Visa’s Verified by Visa password program is being used as bait in e-mail phishing efforts to gain cardholders’ account information, says Brad Nightengale, who heads Visa USA’s department of emerging products.

“Our cardholders tend to be a focus of these phishers,” Nightengale says. “Phishers use any technique they can to get credit card information. It’s not surprising they would pick on Verified by Visa.” Phishing attacks use deceptive e-mail messages purporting to be from an authentic source, such as a Visa card issuer, to gather account and personal information for fraudulent purposes.

Verified by Visa is a program under which Visa eliminates online payment fraud liability for online merchants who provide a mechanism in their checkout process that lets shoppers enter a special Verified by Visa cardholder authentication password provided by a Visa card issuer. About 4 million out of 230 million eligible Visa cards issued in the U.S. are registered in the Verified by Visa program, and about 25,000 merchants participate in the program worldwide, Nightengale says.

Because the security program has been widely publicized by Visa, phishing scams have begun targeting Visa cardholders to encourage them to sign up for it. Fraud experts say they have seen phishing e-mail with Visa logos that request recipients to submit their credit card account information and other data, such as the 3-digit card verification numbers designed to protect against fraud in card-not-present transactions.

Nightengale says he’s unable to quantify how many phishing attacks have tried to use Verified by Visa as bait, but says this type of scheme hasn’t appeared to be more common than others. When Visa sees evidence of phishing schemes, it’s usually able to terminate them within 5-10 hours by using a service that tracks their IP address and calls on the hosting Internet service provider to shut them down, he adds.

“The interesting thing about these Verified by Visa phishing attacks is that they further the argument to sign up for Verified by Visa, which is designed to thwart fraudulent payment transactions,” he says.

To make the Verified by Visa program more effective and widespread, Visa is looking into a system under which a card issuer could require a cardholder to register for the program before completing an online checkout process, Nightengale says. Under the current system, card issuers can only produce messages in the checkout process that offer unregistered cardholders the option of signing up and creating a Verified by Visa password. The new system could include a software component that would rate the risk level of a particular cardholder transaction, based on criteria such as the cardholder’s location or credit history, in determining whether to require the cardholder to register for Verified by Visa. “We’re closely studying that,” Nightengale says.


