When you use your credit card online to place an order, you might need to follow the Verified by Visa procedure. This procedure should authenticate the owner of the card by using an additional authenticate method provided by your bank, in order to prevent misuse of your credit card details. However, recently I’ve learned that ING introduced a completely new type of thread when an account owner follows their Verified by Visa procedure.
Let me walk you through a real-life example. Assume you want to buy something on
website example.com. At the checkout, you are asked to enter you credit card
details. You make sure that the URL says
https://example.com, meaning you make
sure the connection is encrypted and that the information is shared with
example.com and not some other site. The next page, shows the Verified by Visa
logo and the logo of your bank, ING. You are asked to enter your online banking
password, which is usually used to log into your online banking account. The URL
shows some unknown and cryptic third-party domain. Here, all the alarm bells
should ring! This can only be a phishing site.
Well, after a phone call with ING, it turns out, this is the actual, veracious verification process.
How bad is this? By sending the online banking password to an unknown third-party website, you should assume that password is disclosed and should be changed or blocked immediately. This is standard security procedure.
What could a phishing site do with the online banking password? They cannot, as one might have assumed, log into your online banking account right away. In order to log into the account, one needs, the account number, a 6-digit pin and a temporary pin from an external device. The requirement for the temporary pin makes this a lot harder. Additional phishing effort would be necessary (e.g. prompting for the 6-digit and the dynamic pin on the phishing site). However, via the FinTS API (for example via GnuCash) you only need the account number and the online banking password to query past transactions. That’s certainly something, I don’t want anybody to access.
What should the bank do? The bank should do two things. First, the domain asking for the online banking pin should be the domain of the bank. This is the only way to make sure you’re not being phished. Some shops offer the Verified by Visa forms via an iframe. While entering the banking password, the URL shows the URL of the online shop. This would also not ideal. The online shop should not know my online banking credentials. But, the problem with the iframe is that, the information is send to a third-party again. Secondly, the bank should introduce a second kind of passphrase, which is used only for this verification process. A couple of years ago this is how it used to be.
I think this is especially bad, because banks (and actually everyone) always tries to get people aware of phishing and make them check the URL before entering sensitive stuff. This example here, sabotages the whole effort. When the Verified by Visa procedure pops up, you should assume that everything is fine and enter your password?