The underlying idea is that you enter your payment details into a merchant’s website and then your bank, through either the Verified by Visa or MasterCard SecureCode program, will verify your identity.  This is done by way of a password associated with your card and usually presents itself through a frame on merchant’s website.

Sound like a good idea?  Well let’s run through the two major issues with this approach.

Customer Conditioning

We are repeatedly told by banks, card companies and security consultants that our personal information should be kept confidential.  I just want to preface my following points with this quote, taken directly from the Visa Website:

‘Phishing’ is the term used for the activities of criminals who create and use fraudulent e-mails and associated websites. These are designed to look like e-mails and websites of well-known legitimate businesses, financial institutions, and government agencies.

These e-mails and websites are created in order to deceive internet users into disclosing their bank and financial account information or other personal data such as mother’s maiden name, addresses, usernames and passwords. This information could then be used for criminal purposes, such as identity theft and fraud.

And what do you do?

If you receive an e-mail claiming to come from Visa, your bank, or any other organisation, requesting personal account information, do not provide the details.

Emphasis added by me.  There’s very similar advice on the MasterCard website.

What they are saying is, there are websites out there that pretend to belong to your bank asking for personal information.  If you come across one, you should not provide these details.

So now we’ve got some best practice security advice, let’s look at the Verified by Visa process.  The diagram to the right briefly outlines the steps involved in buying something from a subscribed merchant.  Once you’ve entered your card details, and submitted them to the merchant, a connection is made with your bank and you enter the Verified By Visa process.  At this point, one of two things can happen.  Either you will be prompted for your password, if you’ve already been signed up, or you are prompted to provide some personal information to verify your identity and then asked to create a password.  Regardless of which path you get taken down, it all happens within a frame on the merchant’s website.  I can’t stress this last part enough.  When you are entering these details, you are still on the merchant’s domain and their branding (and navigation etc.) is still present.  The form you enter your details in to is just a small frame within the page.

The image to the left, taken from a demo on the Visa website, should give you a feel for the process.  As you can see, the form really is completely integrated into the merchant’s site, with only your bank’s logo and the program’s logo available as a hint you are sending your info elsewhere.

The dangers here are obvious, and really underline how badly conceived these programs are.  On the one hand we are warned not to give out personal information, specifically the information asked for when enrolling on these programs, unless you can trust the receiving party.  On the other hand, we are asked by our own banks to provide this information through third party merchants.

script type="text/javascript">

In addition to flying in the face of, and rendering obsolete, the advice given by the card companies, these programs condition users to partake in phishing scams.  The established advice for avoiding phishing scams should apply to your entire internet experience, yet certain parts of the advice would prevent you from using these security programs.  For example:

[Phishers] … typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc

Remember not all scam sites will try to show the “https://” and/or the security lock. Get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like “http://www.gotyouscammed.com/paypal/login.htm?” Be aware of where you are going.

On point 1, this is the exact information requested from you and on point 2, you are supplying information about your bank account but the domain name is still that of the merchant.

To make matters worse, the implication is that if you do no sign up to the respective security program, you will no be allowed to make further online purchases.  And on that note, from the Anti Phishing Working Group:

Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately

If it looks like a scam, smells like a scam and tastes like a scam, it’s probably just your bank and card issuer cohorting to confuse you and place you in danger.

The net result of this is that an unscrupulous scammer could set up a site and insert a fake Verified by Visa or MasterCard SecureCode form to gather personal information.  There is little defence against this attack as a consumer.  And that’s just a specific attack focusing on these security programs, what’s more likely is that a consumer will be more likely to enter personal and banking information into a phishing website because these legitimate, card provider and bank endorsed, schemes have psychologically conditioned consumers to think it is a normal, safe practice.  It’s not, and is the exact practice the banks should be trying to prevent and discourage.

Hidden Threats

Above I’ve touched on some of the behavioural and psychological reasons for these programs being counter productive but there are other, more technical risks.  One of the key concepts behind these programs is that you verify your identity with your account issuing organisation and not the merchant.  This reduces the risk to you, as a consumer, of identity theft because your information never goes to the merchant.  Instead the merchant sends a request to your bank for a transaction and your bank makes sure it’s you, the account holder, triggering the transaction.  When it confirms (or otherwise) your identity, it simply issues confirmation to the merchant that you are who you claim to be.  It’s fairly basic challenge – response type stuff.

The problem is that all this happens within the merchant’s site.  So even legitimate merchants can install code that captures the information you provide to your bank and use it for their own means.  This is slightly different to the fake form problem I touched on above as the transaction is entirely legitimate.  Think of it as someone watching over your shoulder as you withdraw money from an ATM.  You may not even know it’s happening as your transaction will complete without any visible problems.  Perhaps a better analagy is handing your credit card to a waiter at a restaurant only for them to disappear  behind a counter only to re-emerge with a terminal and your card.  Nine times out of ten they’ve simply gone to collect the billing terminal, but there’s always that one who’s cloned your card and is now looking over your shoulder to get your pin number to go with it.

Again, without a fairly significant amount of technical savvy you’re just not going to be aware of all this going on behind the scenes.

It’s For Your Own Good, Really!

The really interesting aspect of both these programs is that they are actually aimed at reducing risk and liability for the card issuer and merchant.  In a standard Card Not Present transaction, the burden of security falls on the merchant.  And where a scammer uses stolen information to make a purchase, in the majority of cases, the card issuer will repay the victim and then attempt to reclaim some or all of the costs from the merchant through “charge backs”.  These schemes aim to reduce the number of fraudulant transactions and, this is a key point, place the burden of proof on the consumer.  The following is taken from the Verified by Visa merchant site:

Eliminate chargebacks
Verified by Visa helps protect you from fraudulent claims from cardholders – that they didn’t take part in, or authorise, a payment. Once you are up and running with Verified by Visa, you are no longer liable for chargebacks of this nature.

To the consumer, this means it is less likely that the card issuer will refund the costs incurred from fraudulant activity involving the comsumer’s account.  if you have signed up to one of these programs, the only way someone could make a purchase from a merchant signed up to the scheme is if you have given your password to someone else.  Right?  Therefore, it’s your fault, and not the fault of the card issuer or the merchant.

One might say that the fight against fraud is mutually beneficial, and I’d agree.  What isn’t mutually beneficial is the transfer of liability on to the consumer.

Alternatives?

Clearly the current system has some fatal flaws.  It seems very much as if a technical solution was found to a largely social and behavioural problem.  There’s no doubt that technology can be an enabler in these circumstances, and that any solution has to be technically sound, but a purely technical solution will not work.

In my opinion, the solution needs to adhere to the following rules:

1. Encourage security best practice, such as non-divulgence of personal information to untrusted parties and re-enforce compliant actions.
2. Be technically resilient to attacks.
3. Clearly identify itself and establish trust (it should only attempt to establish trust if it is truly trust worthy i.e. meets the other requirements and is impossible the fake).
4. Be compatible with, not in contradiction to, anti-phishing advice.
5. Follow usability best practices.
6. Correctly identify the initiator of the transaction and confirm them as an authorised user of the account.
7. Clearly state the information being sought by the merchant and for what purpose.

I think that’s a decent start.  I’d be interested to see the requirements initially stated for these programs.

One this is clear, the current methods fall short of these requirements and represent a ticking time bomb, a disaster waiting to happen.

What are your thoughts on these programs?  Have you signed up?  Did you have a choice?

First things first though. To get to these options you will need to access the software on your wireless router. This may be done through a custom piece of software (like that found on Apple Airports) or, more commonly, through a web-based interface. To get to the web interface, consult the router’s manual although it’s highly likely just typing “http://192.168.1.1″ into your web browsers address bar will get you there. You will usually have to log in when you try and access this page, to do so, either consult your manual for the default username and password (alternatively, you can find the default passwords for most routers on the internet) or enter the one you chose at initial setup.

1. Turn on security – This, really, is an absolute must. All Wireless routers (the box that “routes” the wireless connection out to the internet, and vice versa) come with security of differing types. It is very important to turn it on. However, you may find a choice confronts you, WEP,WPA, WPA PSK, WPA2, TKIP and loads of other acronyms that just give people headaches. To cut through it all, generally speaking, WEP is fairly insecure while WPA PSK and WPA2 are better. I won’t bother explaining the difference, it’s not important, but if you can, go for WPA2 and use as long and as complicated a password as you can. You won’t have to enter your password very often (in fact, of it’s a home network and you don’t travel with your computer, you only have to enter it the very first time), so don’t worry about memorising or typing it, make it, write it down and put it somewhere safe.
2. Hide your network – Every wireless network has a name, this name is called an SSID. When you search for networks, it is the SSIDs that appear in the list of results. You can prevent other people from seeing your network by turning broadcast SSID to off. This means that when people search for networks, yours won’t appear. What this means to you is that when connecting to your network, you will have to type in the name, as opposed to selecting it from a list. Of course, you will only need to do this once (unless you connect to a wide variety of different networks regularly) so it shouldn’t concern you.
3. Make your network invite-only – If you set up a network with the intention of just accessing it yourself, or allowing access to a small number of devices, MAC filtering can provide an extra level of security. A MAC address is a unique number assigned to every wireless device. By enabling MAC filtering, you can deny access to machines with certain addressed or, better still, only allow access to certain devices. Say your computer only. To find out your MAC address, fire up the command prompt in windows (Start Menu > Run > type “cmd” and press return) and type “ipconfig /all”. The MAC address of your machine will appear in the list. If your using OSX, open up System Preferences, click on Network and select the airport connection. From here, click on configure and the MAC address is labeled as Airport ID.
4. Make sure your passwords are different – The observant amongst you would have noticed that there are two important access credentials (like username, password etc.) you need to run a Wi-Fi network. Firstly, there’s the password you need to access the network, this is the one you type in when configuring your computer to use the network. Secondly, there’s the username and password you need to access the admin options on the router. These are completely separate, and therefore, should have unique passwords. It also helps to change to a username other than the default for your router. By keeping these credentials different, you ensure that even if someone gains access to your network, they can’t go messing around with your setup and therefore take it over.
5. Provide a physical barrier – Many Wi-Fi routers allow you to set the range of the network. Many times, it allows you to increase it beyond the default in order to provide access further away from the router. However, you can use this setting to help secure your network. This may take a bit of trial and error, but it’s worth it and a very powerful trick. Try to limit the range of your network to the absolute minimum. Try knocking the power down to 75% of its normal setting, heading to the furthest point away from the router where you want to use the connection, and see if it works. Like I said, you may need to try a few different settings, but it’s worth it. The simple fact being, people can’t break into a network that isn’t there. If you’re struggling to find this setting on your router, it’s sometimes referred to as XMIT, Range or Power. This tip may also put your mind at ease if you are at all worried about the recent Wi-Fi radiation concerns.

Over and above those tips, you should be aware that no wireless network is completely secure. In fact, eves if you do follow the tips above, a determined individual could gain access, it would just take allot more work than usual. If you are still worried about security, then maybe you should consider whether you really need a wireless connection, or whether a wired one would suffice. You can also, in many cases, install alternative firmware on your router. Usually, doing this provides more options to you (always be aware of what you are doing), more features, beefed up security and more. Installing a new firmware is a bit beyond the scope of this article, so I’ll just point you in the direction of Lifehacker’s excellent tutorial. The observant amongst you will note that I’m running a different firmware on my Linksys router, as evidenced by the screenshots above.

I hope these help some of you out. Just to demonstrate the importance of security, I’ll leave you with this thought. I was at my Partners parent’s house a few weeks ago and they were having some speed and reliability problems with their wireless connection. I had a look and the culprit was a poorly configured router and laptop. When reconfiguring the router, I checked the logs and noticed there was not one, but two machines accessing the network that they were not aware of. And that was in a quiet suburbian area in middle England. Everyone wants free internet, so prepare to defend yourselves! Any tips? Drop them in the comments.

The Plan

With this so called processing key being one of the most famous hex character sequences in the world, how do the popular search tools fare with returning it? Its a simple premise. The one with the most results, is probably the least censored. Lets go.

Results

• Google – 17,100 results.
• Yahoo – 123,000 results!
• Ask – 11 Results.
• AlltheWeb – 89,600 results.
• Live.com/MSN – 510 results.
• Lycos – No results.
• Technorati – 1 result.
• Wikipedia – Redirects to the HDDVD page, specifically to the DRM section (classy). The page has been locked from editing.
• Alta Vista – 123,000 results.
• Reddit – 3 results, I guess the claims about Reddit not censoring aren’t quite true.
• Digg – I could find3 results, but there was also some very strange behaviour when searching for the key.  See below.
• Slashdot – The site that brought the news to the masses still has the story up, and another one containing the key. They even have a tag that is the key.

What does this mean?

As you can see from the results, there is a huge difference between search engines.  This may be down to their search algorithms, or it may not.  It’s hard to say for sure that there is censorship happening here, but suffice to say that given all the attention the HDDVD key has received, I would expect to see more than 510 stories (Live.com) and 1 blog entry (Technorati).

The real story has come out of digg.  In fact, Jay Adelson has just posted an entry on the official digg blog stating that submissions that contain the key will be removed.  What his post doesn’t cover is why stories mentioning that stories have been removed, are being removed.  And why users are having their accounts, and in some cases ip addresses, banned just for digging those stories.  I mentioned above that I searched for the key on digg and strangely, I got four pages of results back.  I say strangely because, well look at the image to the right.  So what we’ve got are four pages of search results, with the first page only showing two results.  The second and fourth pages are completely blank, as can be seen in the image to the left.  The third page has a completely unrelated story which just seems to have the key randomly inserted into the story description.  I’ve also seen stories and comments disappear before my very eyes over the last few hours on digg.  Bizarrely, some made it into the front page RSS feed only to be missing when viewed on the site.

With all these stats, it’s clear to see that censorship is alive and well.  Personally, I found the post by Jay Adelson quite disturbing.  I completely agree that digg needs to be very carefull, and I don’t have a problem with them adhering to takedown notices.  What I do have problems with is what’s going on around it, such as entire sites and users being banned for seemingly innocuous actions (like digging a story that subsequently gets banned).

I’ll leave the whole “is the processing key actually intellectual property” debate for another day.  Suffice to say that just because Apple has the rights to OSX, they don’t “OWN” the password I use to access it.

I went straight to the blog to investigate and, lo and behold, the offending post has now gone. Is this another example of Blogger being hacked in a very public way? Or is it an inside job?

We’ve seen Google Blogs being hacked before, so you would have thought they would have sured up their security. In fact, I seem to recall that when a previous hack occurred, the offender just tried to register the account through blogger, no trickery involved.  This new message posted earlier today certainly implies a similar situation. What do you think?  Is it just a Google staff member not realising that the blog they just registered for is publicly viewable?  Or something more nefarious?

I’ve removed my email address for privacy by the way. The worrying thing about this is that it tells me specifically that my password is incorrect. By deduction that must mean that my email address is correct. This is good from a usability standpoint, I use many different email addresses and many different, rotating, passwords. So I’m one step closer to logging in. Unfortunately this poses some serious privacy problems. Say, for instance, I was running a competing site selling cars and I wanted to get a jump on the competition. Using this simple login form I could harvest every email address registered with Autotrader. And that would be a lot of addresses seeing as it’s the UK’s largest site of this kind. How is this possible? Easy. You could easily (and trust me, a script like this would be very easy to write, we’re talking a half hour job) enter an email address into the login form and check the response. If you get the response above then you know the address is valid. If the address is not valid then you get the following response.

This should remove all doubt as to whether the original message was intended to be generic but worded badly. Also, it isn’t a simple validation, the email address I entered was valid, just not real. In defence of Autotrader I can see what they have taken this approach. Their typical user is not the typical user of a site like slashdot. They are typically not very tech savvy (some of the shocking advertisements should give this one away) and as such making them guess isn’t typically a good thing. On the other hand, this is more serious than if a username was used to log in. We’re talking email addresses of users with one thing in common they are looking to buy a new car -or- sell a car. That is very valuable information. When you also factor in the fact that the site offers an alert service, its likely that almost all the registered email address are active. If I was a spammer, I’d be all a quiver by now.