Monthly Archives: December 2009

Phished by Visa

The title is in honour of Ben Laurie’s excellent piece here.  Ben is by any standard a leading expert in online security, and his short article is strongly recommended reading for anyone who shops online.

I’ve just placed an order with ebuyer, timed to get a few bits & pieces before VAT goes back up.  Ebuyer seems like a good bet these days: they’ve done nothing to force me to blacklist them (e.g. Dabs), nor is their website full of Flash crap to make it painful to use (e.g. Scan).  And I’ve been happy with them in the past, as a low-cost retailer that delivers efficiently.

The shopping and ordering process went smoothly, marred only by one item of six on the shopping list being out of stock (I’ll try Argos next – they probably have an equivalent).  I entered all the usual details including my Visa credit card, and it appears to have accepted my order.

It then took me to a “Verified by Visa” screen.  This was in a frame, and the frame contents were generated by a script, so I could not easily verify where my sensitive data were being sent.  This is precisely the phisher scenario, and a magnet for identity theft, as Ben describes!  I reluctantly submitted the first VBV screen, as it hadn’t required sufficient sensitive information to complete a phish.

The second screen then asked me to create a new VBV password.  Since I am already (reluctantly) signed up for VBV, I pulled out at this point and sent a note to ebuyer under the heading of reporting a website security issue.  Having said that, the issue appears to be with VBV rather than with ebuyer, and the fact that my purchase was accepted seems to indicate that VBV was, despite appearances, not actually required.

Grrr ….


Defying your betters …

In today’s mail, a letter from the Yorkshire Building Society (of which I am a member, by virtue of having a few quid in an ISA there) concerning the proposed takeover of the Chelsea, a building society that’s got into trouble.

The letter assures me that “Your Board unanimously believes that this proposed merger is in the best interests of the Yorkshire’s members.” The reasons cited have merit: for example, it will indeed expand the branch network[1], but I can’t help thinking this is just one side of an argument with two sides.

Especially so in the current economic climate, where the powers-that-be are desperate to sweep any problems of bust financial institutions under the carpet to fester, and are prepared to do so fraudulently.  A little over a year ago, the Chelsea was itself the white knight riding to the rescue of a much smaller building society; now it itself is in trouble.  That deal was surely far too small to have had a significant effect on the Chelsea, but this proposed deal is not: in terms of size it’s a merger of relatively-equals.  Who’s to say the Chelsea’s current debt might not drive the Yorkshire down in another year?

Besides, I really don’t want to be complicit in propping up the current government’s policy of mass Denial, which is currently pushing our economy the way of Weimar.  If a small crisis now over the Chelsea can help break that dam before it grows even bigger, then I’m for it.

I’ve never voted against a motion from the board of an institution like this before.  But there has to be a first time.

[1] But since the local branch of the Yorkshire (where I opened my account) closed, neither BS is accessible from here.