Whilst physical security measures are the sole responsible of the home owner, service providers on the Web frequently impose unworkable security mechanisms on their users. Here’s one cautionary tale of how this goes bad even for a security researcher.

Verified Terrified by VISA

Some time ago, when purchasing an item on the Web, I was duped into registering one of my cards under the “Verified by VISA” scheme; I was in a rush and on skimming the wording was left with the impression that it was obligatory. Ever since, I’ve had trouble remembering the (fairly) random 10-digit password I invented on that day. Sometimes I get in right, but often it escapes me and I end up either changing cards or taking my business elsewhere.

So far, this is all within the accepted problems users face with password authentication. However, within the last few weeks Verified by VISA has managed to lock my credit card and flag my purchases as potentially fraudulent. Here’s how.

A couple of weeks ago (again in a rush) I purchased an item protected by Verified by VISA. I went though the usually racking of my brain for the password – on this occasion I think I’ve got it right but the verification fails. So I try this time being 100% sure I’ve got the right password  – again wrong. Cautiously I try again – again wrong and now locked out.

After a few minutes of fuming about Web security – I realised that I registered for the Verified by VISA scheme under a completely different card. I’d never – to my knowledge – registered the card I was using so why it was asking me to verify I’ve no idea. I put unblocking the card with Verified by VISA on the bottom of my list of things to do and got on with my life.

Until yesterday. On making a purchase with a provider that happily automatically bills me using the card details Verified by VISA pops up and declines my purchase – a little annoying but no big deal. Until I get a load of phone calls from my bank about potentially fraudulent activity on my card.

So now I’m phoning automated fraud handling mechanisms and waiting on operators and generally wasting my time.  I’m left with the impression that Web payments are a shambles and one that isn’t going away anytime soon.