Phished by Visa
The title is in honour of Ben Laurie’s excellent piece here. Ben is by any standard a leading expert in online security, and his short article is strongly recommended reading for anyone who shops online.
I’ve just placed an order with ebuyer, timed to get a few bits & pieces before VAT goes back up. Ebuyer seems like a good bet these days: they’ve done nothing to force me to blacklist them (e.g. Dabs), nor is their website full of flash crap to make it painful to use (e.g. Scan). And I’ve been happy with them in the past, as a low-cost retailer that delivers efficiently.
The shopping and ordering process went smoothly, marred only by one item of six on the shopping list being out of stock (I’ll try Argos next – they probably have an equivalent). I entered all the usual details including my Visa creditcard, and it appears to have accepted my order.
It then took me to a “Verified by Visa” screen. This was in a frame, and the frame contents were generated by a script, so I could not easily verify where my sensitive data were being sent. This is precisely the phisher scenario, and a magnet for identity theft, as Ben describes! I reluctantly submitted the first VBV screen, as it hadn’t required sufficient sensitive information to complete a phish.
The second screen then asked me to create a new VBV password. Since I am already (reluctantly) signed up for VBV, I pulled out at this point and sent a note to ebuyer under the heading of reporting a website security issue. Having said that, the issue appears to be with VBV rather than with ebuyer, and the fact that my purchase was accepted seems to indicate that VBV was, despite appearances, not actually required.