by cnorthwood 4546 days ago
Isn't that kind of what Verified By Visa/MasterCard SecureCode tries to do (but implemented amazingly badly)?
3 comments

Although there are some problems with the implementation, I've come to like it for a couple of reasons:

(1) It authenticates features of your browser (like user-agent, IP address) to score the transaction. These are somewhat hard for an attacker to duplicate.

(2) With some UK banks, it is combined with a hardware one-time password generator to form a reasonably robust two-factor authentication.

Now there are certainly problems, such as it appearing in a frame, and not appearing as a subdomain of your bank, and those should be fixed.

The main problem with Verified By Visa (and whatever MasterCard calls it) is that in using it, you agree to be liable for it as if it were a card-present transaction, which is ludicrous for online purchases. Whenever I'm stopped to sign my card up for "Verified By Visa," I immediately switch to a different card because of the reduced protection I would have to agree to with "Verified" transactions. It's simply a way to shift responsibility onto the purchaser with no additional protection.

I used to run into the VBV screen when ordering from Newegg. It's been a while so I don't know if things are the same. I refused to consent to the terms for the reasons you gave. Instead, I just closed the browser. The funny part is that my purchase would still go through.

MasterCard SecureCode / "3D Secure" or whatever they call it, has been active on my card for many years and I never had any problems whatsoever. Always worked like a charm. And the upside, nowadays I don't worry anymore about anyone storing my CC number on their unsecured servers.

I think 3D Secure only prevents doing transactions without double auth in "3D Secure enabled" online shops. In the shops that don't have that implemented, the transactions can go through (though probably those shops pay higher provisions).

Correct. The payment gateway usually has a setting to enable/disable 3D secure as a feature.

You also get a failed transaction report; some people can have 4-5 goes before giving up on their purchase. Sometimes to countries somewhere abroad the customer gets a form to fill in to apply for having this extra check on their account (because there is no 3D secure in the country where they have their card registered or it is not customary to use it).

It would be nice to use 3D secure as an extra feature, and, as a retailer, set it on a case-by-case basis, e.g. to an order that is for somewhere overseas or over a certain value.

In the UK a fraudulent order is a fraudulent order; as a retailer you are on your own dealing with it. Putting someone's card address in Google Street View and seeing how big their house is often turns out to be a good way of deciding whether to 'ship' or not.

Address verification is a 'soft fail' if you want it to be. It will compare the address by numbers, so someone entering 'Flat 2' in the primary address line will fail the system if the address is actually 'Flat 2, 34 Church Street' as '34' is expected for the match.

There is no system guaranteed to work, except PayPal, that you pay for in fees.

These matters aside, the system of swipe only in the US just gives most people in the UK scary feelings.
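
The numeric address comparison and 'soft fail' handling described in the comment above, as an added example that is not part of the original thread. It assumes the check compares the set of digit runs found in the address line and in the postcode; the function names, result labels and the postcode are constructed for illustration.

```python
import re


def numeric_tokens(text):
    """Return the set of digit runs in an address line or postcode."""
    return set(re.findall(r"\d+", text))


def avs_check(entered_address, entered_postcode, on_file_address, on_file_postcode):
    """Compare only the numerals of what the customer typed with the card record.

    Assumed model: every number on file must be present, and no extra ones.
    """
    addr_ok = numeric_tokens(entered_address) == numeric_tokens(on_file_address)
    post_ok = numeric_tokens(entered_postcode) == numeric_tokens(on_file_postcode)
    if addr_ok and post_ok:
        return "match"
    if addr_ok or post_ok:
        return "partial"
    return "no_match"


def merchant_decision(avs_result, hard_fail=False):
    """Soft fail: a non-match is queued for manual review instead of declined."""
    if avs_result == "match":
        return "accept"
    return "decline" if hard_fail else "review"


# Constructed card record, using the address from the comment.
ON_FILE = ("Flat 2, 34 Church Street", "AB1 2CD")

if __name__ == "__main__":
    attempts = [
        ("Flat 2", "AB1 2CD"),                 # '34' missing from the address line
        ("flat 2 34 church st.", "ab1 2cd"),   # wording differs, numerals agree
        ("Flat 2", "ZZ9 9ZZ"),                 # neither field agrees
    ]
    for address, postcode in attempts:
        result = avs_check(address, postcode, *ON_FILE)
        print(address, "|", postcode, "->", result, "->", merchant_decision(result))
```
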

> In the UK [..] putting someone's card address in Google Street View and seeing how big their house is often turns out to be a good way of deciding whether to 'ship' or not.

Having lived in the UK for 3 years, I'm not sure anyone's "house size" over there is a good indicator for, well, pretty much anything ;D

> implemented amazingly badly

The implementation I can live with. The fact that it's opt-in is entirely fatal though. Criminals just need to find a website without it. So the only person inconvenienced by it is me.