Fucked Up by Visa

Have you encountered this "Verified by Visa" bullshit?

Some web sites now have this extra page they foist on you after you have already entered all your credit card info, where before completing the transaction, you have to fill out a second form with your name, email address, CCV, expiry, and a password. "For your protection." And they make it be a hard password, meaning none of my throwaway don't-give-a-shit passwords work.

It says "your card has been enrolled in Verified by Visa -- at no extra charge!" (Emphasis theirs.) Oh thanks ever so fucking much.

The last time I encountered this, I called Visa and asked them to "de-enroll" my card from it, but this time, the monkey on the phone, as well as the monkey's supervisor, said that if the vendor had signed up for it (TicketWeb in this case) that it was not optional.

Is this true? Do I have to switch banks now? Or do they all have a similar program "for my protection"?


67 Responses:

  1. _nicolai_ says:

    Excellent, must modify my keyboard-snooping trojan to particularly record that data and send it back to me, then...

  2. zonereyrie says:

    The 'not optional' is a new one on me. But Verified By Visa is run by Visa, not the banks. I believe different banks have the option of participating or not, but Visa is really pushing it on the industry.

    MasterCard has a similar program called 'SecureCode' which works in pretty much the same way.

  3. jered says:

    I've never encountered this with American Express. (Blue, in this case.) That doesn't help with Visa/MC-only joints, though.

  4. flaterik says:

    I recently had to book a flight on the phone - and incur a $10 charge - because I couldn't defeat the verified by visa step on the northwest airlines site. None of my passwords worked, and the "remind me" function was broken - it just displayed a box with no form fields in it.

    I have nothing useful to add, but I share in your hate of this useless "feature".

  5. obnox says:

    I work for an online retailer.... here's the low down.

    Verified by Visa is implemented by the banks... some require that you sign up for it, some don't even offer it. So you can change banks, but Visa is pushing it as an industry standard so you will keep changing banks forever.

    Mastercard has the same sort of thing called secure code. I have never heard of a problem with that. Not one. So it's either been implemented really well or not at all.

    There's also a trick that seems to work for some merchants... hit the Cancel button on the VbV screen. It seems to work great.

  6. supersat says:

    You're going to have to find a bank that doesn't support Verified by Visa to avoid it, and nearly all do since it reduces their liability. AFAIK, you can't opt-out of it if your bank supports it, but merchants won't (currently) refuse a transaction if your bank says it's not supported.

    All of the enrolling and verification should take place on your bank's servers. If not, it's possible that it's a phishing scam (or, as I found out, a third-party company that your bank contracts with).

  7. owen says:

    Bank of America gave me the option to turn it on, and I did. It hasn't come up often enough to annoy me, but if it did I would PRESUME that there's a way to turn it off through them.

  8. davel_jonez says:

    Are you seriously whining about this? I mean *come on*.

    • jwz says:

      I am, in fact, seriously whining about this. Beyond it being just another pointless irritation, the fact that they won't let me use a password that I'll actually remember means that it takes me like 20 minutes every time I have to make a purchase this way. If I thought cancelling my cards and changing banks would fix it, I totally would. Which is why I asked.

      • violentbloom says:

        we have a customer who seems to think that it's necessary to use crazy long weird passwords for "security" for your phone preferences online, for talking avatars basically. I keep pointing out that useless long passwords will only assure no one uses it.

        I haven't bumped into it yet with my visa but I think I've only used it for amazon online recently.
        I will however send my bank a letter requesting they don't sign up.

      • davel_jonez says:

        I think you're pretending to be dumber than you really are so that you can justify being more irate about this than is justified.
        Surely you have a password already memorized that you could reuse for VbV? Doesn't everyone?

        For the last seven years I've kept an encrypted file with all my usernames and passwords in it. I have dozens of different passwords. It takes less than fifteen seconds to access a password that I don't have memorized. So far I've lost track of a password one time. I can even access them from my Series 60 phone, although it doesn't sync automagically yet. I guess I don't see Verified by Visa as a hassle because I have the password problem solved, whereas most people don't.

        A fairly large number of people have had the opportunity to copy down my CVV code, and VbV prevents them from using it. Also, someone out there has a huge database of valid CC numbers, and it would be worth their while to try them all -- 0.1% of the time they'll guess the CVV right.

        • jwz says:

          No, in fact, none of the passwords I already have memorized work.

          Also, I don't give a flying fuck about who has had the opportunity to copy down my CCV code. You know why? Because I have no incentive to care about that. If someone defrauds my card, the law says I'm only liable for $50.

          The only one being protected by this is the bank, not me. Whereas the only one being inconvenienced is me. Because you and I both know that credit card numbers don't get stolen by sniffing the network on SSL connections, or by guessing 8 character passwords, they get stolen by banks getting hacked and 2,000,000 numbers plus CCVs getting stolen in bulk. Or banks selling their old drives full of data on eBay. Or accidentally getting posted on a wide open server. All of which would be clearly not my fault or responsibility.

          • davel_jonez says:

            VbV is designed so that there are far fewer points of failure in CC security. Pretty much the only people with the VbV password are you and Visa.
            Nobody wins if fraud makes CC processing prohibitively expensive.

            • brianenigma says:

              ...and nobody wins if the tradeoff between security and usability makes it unusable.

              The one time I ran into "Verified by Visa" a few months ago, the interface and flow seemed wrong, and I vaguely recall the URL seemed kind of fishy, too--or should I say "phishy?" Fortunately, VbV was optional at the merchant I was using (I don't remember which one now), so I was able to check out without issue.

            • snitrocket says:

              Nobody wins if fraud makes CC processing prohibitively expensive.

              I don't think anyone is arguing that. What people are asserting is that banks and Visa have decided the best way to improve their leaky, poorly designed systems is to annoy the fuck out of the customer, who will just have to shut up and deal.

              From the bank's perspective, they could care less about user convenience, so long as other banks' customers are not inconvenienced less. I won't use the word collusion, but having this be a Visa initiative takes some pressure off of banks to fix in house security.

        • violentbloom says:

          Yeah we all had the crazy password list, but there is a limit most people can hold in their head, and often I'm at work when I want to buy something.
          Sure someone can guess my 3 digit code. And it could take a considerable amount of time to deal with getting that cleared up. (Though I had suspicion of a store clerk doing this and my bank was actually totally great about switching the card immediately and so forth. It didn't actually take long to do.) As opposed to wasting quite a lot of time retyping all this bullshit information. I have pretty bad muscle pain (lyme not rsi) and it would be a total pain in the ass if my bank starts this. I'd just not use the card. So is it worse to not use something because it's a hassle, or have something stolen some small percentage of the time?

          I'm not the type that likes to walk around with a gun on the off chance that someone might mug me. I will buy another gun however should I move back to a crime filled neighborhood. But that's also why I don't live in the ghetto. Guns what a hassle. Retyping information what a pain in the ass.

          Why don't they let *me* decide for myself that I want a slightly easier to crack password rather than looking it. It's my money and my card after all.

          I'm not sure what visa's password requirement is. But the partner my company deals with has a really extreme policy. NO ONE could remember the password. And their salespeople's solution to this problem, write it down! on a sticky note no less. So that really helps security doesn't it?

          • davel_jonez says:

            Okay, I concede the point that Visa forces us to choose a "hard to guess" password. That doesn't really provide much value for the hassle.

          • davel_jonez says:

            VbV was implemented before it became common knowledge that hard to guess passwords aren't worth the hassle, so *shrug*.

            • violentbloom says:

              You know the password I always find the hardest to remember. An empty password.

              I'm not saying fraud protection is bad, it just seems like these companies don't really give much thought to the user's experience. Or they think writing it down is an acceptable solution. Which is nuts! Most people won't use an encrypted password file, most people will either put it plaintext on their computer or on a sticky note near their computer. And I think that's true even for easy passwords. If you have physical access to the person's stuff a lot of people leave information laying around on their desk at work, as a casual observation. This crazy validation scheme doesn't solve that problem at all.

              • brokengoose says:

                In most situations, writing down an online password on a post-it and sticking it to the monitor is a perfectly acceptable option (or at least a lot saner than sticking a password that's used via the network on the same network where it's used, even in encrypted form). This obviously isn't true for somebody who works directly with the general public (like a bank teller), but for a home machine or even the average cubicle machine, I wouldn't worry much. The number of people across the world who'd be able and willing to take a crack at creditcardpasswords.gpg is considerably larger than the number of coworkers who are dumb enough to risk stealing from another coworker.

                The big problem with the credit card programs like VbV is that there are other things that'd accomplish the same goals (reducing fraud), but those other options shift the cost away from the customer and toward the banks and credit card companies -- embedded "smart chips" and readers, for example. Instead, an option that costs the banks almost nothing but annoys every single customer with every single transaction will win every time over a more expensive but customer-friendly option.

              • moonwick says:

                For something like VbV, if someone's breaking into your apartment in order to be able to make fraudulent use of your credit card, you've got bigger problems.

  9. krick says:

    The first time I saw this shit was about 2 weeks ago on TigerDirect.com, I think. I'm pretty sure it's mandatory and there's nothing you can do about it except completely avoiding purchases on the interwebs.

  10. lars_larsen says:

    It reminds me of the child safety caps on aspirin. "For your protection" means "impossible to actually use".

    • taffer says:

      Note also how the child safety caps don't prevent children from opening the bottles, but they do cause serious trouble for, say, folks with arthritis.

  11. mendel says:

    Bizarrely enough, the only place I've encountered "Verified by Visa" is AllofMP3.com. Great, I'm glad they're making sure no-one but the Russian mob can charge my card.

    • applegoddess says:

      newegg forces you to use verified with visa accounts to purchase certain items (gift certificates) and make general payments with visa cards. a bit annoying. they're not the only retailers who do this online either, I just don't remember any I've come across lately.

      • obreerbo says:

        I just made a purchase from Newegg last Friday. This "Verified By Visa" screen came up, but since I hadn't recalled "activating" my card with this service, I just clicked the "No Thanks" button (or whatever it was labeled). The transaction went through just fine, and my gear is presently in the hands of UPS. I guess it wasn't all that important.

        (Side note: While I was logging in to Wells Fargo to check that the transaction had gone through OK, I got a snippy little message: "Wells Fargo no longer supports the browser version you are using. Please upgrade to a supported browser in order to get access to Wells Fargo's secure sites." Their "supported browsers" are basically MSIE, Netscape (not on Linux though), Safari, and AOL. I never had any problems with using Mozilla or Firefox before this. In the words of Mixerman: MOTHER FUCKER!)

        • sircyan says:

          My favourite is the user-agent plugin I've got installed. Just Tools->User-Agent->MSIE6 and whoa, look at that, the HTML renders just wonderfully in my "incompatible" browser. Like jwz posted some time long ago, who the hell would do this by exclusion?


          • obreerbo says:

            Yeah, when I installed that extension and selected "MSIE6" before hitting wellsfargo.com, that worked, and everything displayed just as it always has. It's a pain in the ass though. There's just no reason for those kind of restrictions.

            (And Wells Fargo did in fact show that the charge from Newegg was processed without a hitch, despite my not doing anything with the VbV screen when I got it during my order. This is all pretty wack. Not necessarily wiggity-wack, though, just regular type.)

        • editer says:

          That's odd. I use Wells Fargo too, and I just logged in to see if I got that message, and I didn't. I'm using Firefox

  12. mouseworks says:

    ...and some Mastercard companies turn it down. I'd already certified with Mastercard and my bank so I was switched to that first, gave them the info, and then was switched back to the Ritz Camera site which didn't have any way to put in which card you were using. The site mentions CyberSource Internet Fraud Screen enhanced by Visa, which may be a variant of what you had to deal with.

  13. gargargar says:

    I encountered this particular e-commerce-lectric-fence while trying to perform an emergency domain renewal with a shared spousal credit card. Since it's in my wife's name, I had to pretend to be her through this dizzying array of password idiocy. Of course, the whole time I thought it was some sort of cross-site scripting fraud (it didn't help that my registrar all but dumped me into the site of its merchant bank without so much as an enclosing frame to provide context). It wasn't until I punched in a number and got back our personal information that I started to relax a little.

    But I still couldn't convince the thing to play nice, and the card got a hold put on it. I switched cards and we spent time on the phone with the bank to get the hold taken off.

    It probably doesn't help that the only time I buy anything from a Web site is to renew my domains.

  14. johnsu01 says:

    I just saw this too for the first time last week, when renewing my domain with GANDI. I was mad at them, because I assumed it was something they were requiring. The lack of explanation on the page was frustrating -- I bailed on the transaction twice before finally giving up and going through with it. Mandatory things that are worded as if they are optional, sans a NO button, are both bizarre and annoying. So the consensus is that this is actually a result of the particular credit card, and not the online vendor?

    • jwz says:

      It sounds like all of the card company, the bank, and the vendor have to be complicit to fuck you in this way.

  15. aaronlehmann says:

    This is actually a good idea. I've always been offended that all you need to charge something to a credit card is the credit card number, which is the same number you give to merchants and flash around all over the place. The CCV isn't even worth mentioning as a fraud protection measure - it's just more numbers.

    I've never dealt with that system, but it sounds like the merchant never sees the password (the authorization happens through Visa's site), which is a step in the right direction. I won't be satisfied until credit card transactions are based on strong cryptographic protocols, though. Mandatory ones.

    Reducing fraud is in your best interest. It makes it less likely you'll have to contest unauthorized charges, and if the credit card issuer loses less revenue to fraud, their marketing department will have more cash to fund promotions (i.e. give you free money).

    • tfofurn says:

      Reducing fraud is in your best interest.

      Agreed. Fraud sucks. The question we need to be asking: does this system actually reduce fraud? More data entry and more passwords don't always equal security.

    • masterkill says:

      "it's just more numbers"

      I wish it actually was just more numbers--every time I've paid for something online I've had to enter the same data in multiple form fields: credit card number, expiry date, full name, address, post code and CCV. Why can't this just be one number? (Or two: "username" and hashed "password".) Isn't this all going to be stored in the same way, in the same place? (How likely is it that someone will be able to steal the "number" but nothing else?)

      Anyway, I thought part of the point was that when VbV is involved (I haven't seen it), you get asked for the same thing twice?

      • skington says:

        The point of CVV (or CV2 or whatever J Random Bank may call it) is that merchants' agreements with the banks prohibit them from storing it anywhere, so even if the merchant gets hacked your card details are still safe. Oh, and it's not stored on the magnetic strip, so an unscrupulous card-swiping merchant can't go on eBay and order stuff using your card.

        You need name, address and post code if you're going to ship something physical, and having a separate card number and expiry date can be damn handy when you renew your card and only the expiry date changes, as it means you don't have to memorise your card number again.

  16. tfofurn says:

    All of my online purchases for the past few years have been through MBNA's ShopSafe trick . . . they allow cardholders to generate a new CC number for every purchase. Once the card is charged, it's locked to the charging vendor, reducing the reusability of a stolen number.* User specifies the spending limit on the card at creation time, with an option to raise it later. Assuming Flash is installed, I haven't yet encountered an OS on which it doesn't work, and I've tried OS9, OSX, Windows and Linux. I don't think I've seen a Verified by Visa thing yet.

    * This breaks when trying to book airfare—the airline and the travel company count as different vendors.

  17. violentbloom says:

    http://usa.visa.com/personal/security/visa_security_program/vbv/shop.html looks like it might be required by some shops in addition to just the banks.

    http://usa.visa.com/personal/security/visa_security_program/vbv/card_issuers.html but hey you look up your bank to see if they have it--once you've already signed up that is.


    • fantasygoat says:

      A couple of months ago I got a call from Visa to tell me my card had been used at a store or something that has recently been found to be a source of stolen card numbers. Then they told me they cancelled my current card and they'd send me a replacement card with a new number in 5 to 7 days and please have a nice day, thankyouverymuch.

      Then I hear that Citibank was compromised and they cancelled a bunch of Visas to deal with it. So I'm fucked without a credit card for a week because these assmunchers can't handle their own security.

      Fuck them.

  18. burritob says:

    As has been noted by others, using something other than Visa is the only way to avoid VbV. And I don't think it matters whether your issuing bank is part of the scheme or not - that comes down to the merchant.

    I'm told that the way this is being foisted on the merchants is through a revised internet merchant agreement which holds the merchant liable for losses from any fraudulent transactions which weren't "Verified by Visa".

    So the merchants are big on it to avoid getting assraped.
    Visa is big on it since they look proactive about internet fraud, while neatly overlooking the fact that CVV/CV2 was meant to serve the exact same purpose, and VbV does nothing to reduce fraud through other Cardholder Not Present transactions (eg, mail/phone ordering).
    The banks are big on it so they can claim they're doing something while trying to avoid being caught in the middle of the Shafting Zone.

  19. cpeterso says:

    Using the same password at every website you visit is a security risk; this bookmarklet lets you use one "master" password to create unique, complex passwords for each website you visit.


    • chrislightfoot says:

      Here in the UK quite a few merchants seem to be using VbV; it's never worked at all for me, but I have a card from an issuer who hasn't signed up to it yet, so it's not a serious problem yet. That said, when I did try it, I thought it was particularly clever of them to serve the VbV pages from some previously-unheard-of domain name and make the forms look like a phishing attempt -- outstanding!

      I bought something online the other day from a vendor whose payment pages said that they were going to transfer me to some other site for Chip-and-PIN verification, which (assuming it wasn't actually a scam) is completely insane. Whatever other criticisms one might have, the whole point of PIN-based verification is that the PIN should only ever be entered into a trusted input device, of which a PC viewing some random web page the punter's never seen before certainly isn't an example. Sigh.

      Anyone know of a company doing one-time credit card numbers in the UK?

      • dazeddaisy says:

        I am not sure of the company, but I do know a bank in Ireland has started doing it. Not that that helps you unless you are in Ireland.

        I know Nationwide is trying to bring it in ... or they were when I worked there.

    • jwz says:

      No, it's really not.

      • jesus_x says:

        careful, you might taint his "common knowledge" with truth. There's no cure for truth, buddy! That stuck sticks with ya!

  20. dasht_brk says:

    Underlying intrinsic/internal contradictions in a social arrangement must, of necessity, bubble to the surface, expose themselves, and invoke a revo^H^H^H^H resolution.

    In other words: Duh, what'd you expect? That whole system to actually work?


  21. coolerq says:

    I don't know how required it is. I have a Visa Check Card, and I remember seeing Verified by Visa... once, while I was going through a transaction. I declined signing up for it, and now I never see it. In fact, I can't figure out how to get back to the controls for it so I can activate it! I was in a rush so I didn't have time to read about it then. Anyway, maybe there's a way on the VbV page to opt out?


  22. jamiemccarthy says:

    My MasterCard has had this "feature" since December 2004.

    Five years ago my company made it policy for all company passwords to be stored in a Palm-compatible device, using GNU Keyring for Palm OS.

    They subsidized a crappy little Visor that I still use to this day pretty much just for that. I've got 230 passwords in it, all generated strongly randomly. I sync a backup to my Mac but I don't ever type the master password on the Mac so an attacker that gets the backup has to brute-force it. The remaining dangers are a virus on the Palm, or shoulder-surfing my Graffiti master password and then stealing it from me, neither of which seems very likely.

    I don't have any throwaway passwords anymore. Anyone who gets one of my passwords gets its authorization and no others.

    It's still annoying to have to dig the MasterCard super-duper password out of the Palm whenever a vendor asks for it -- and yes it is clearly designed to protect the corporation and not me and that really sucks -- but at least it takes less than 20 minutes.

  23. erorus says:

    FWIW, VbV was (and should still be) opt-in for MBNA cards. I never bothered to set up a password, so when Newegg mentions VbV, I just ignore it. Never had a problem.

    When you said you "called Visa" I'm gonna assume you called the bank who owns the card (MBNA, or Chase, or whoever), because that's who you really should contact. I just looked at the help files for my bank, and while they tell you how to enroll, they don't tell you how to cancel it. :( I did like this part of the FAQ, tho:

    Why should I use Verified by Visa/MasterCard SecureCode?
    Each time you use Verified by Visa/MasterCard SecureCode to confirm your identity, you're helping us protect your account against unauthorized online charges. While other programs protect you against fraudulent charges that appear on your statement, this service can actually prevent fraud before it happens.

    What other protections do I have when I shop online?
    You are still afforded the same Customer protection available to you when you shop in person, including Visa/MasterCard Zero Liability.

    So not only is it useless to us, we're helping the credit card companies in their difficult job of taking our money. Oy.

    • legolas says:

      At least this bank is honest about it!

    • wfaulk says:

      Even if you have zero liability from your bank, that's just the financial side. It can also be a huge pain in the ass to deal with getting a new card and the no-credit-card-having-ness for a week or two until you get it.

      I wonder, if you get a new card issued, can you get the new number, via a reasonably secure channel, like the web interface to your account, before you get the new card in the mail.

  24. jkonrath says:

    I haven't run into this one yet, but if I do, I'll probably just write the password on the back of the card with a sharpie. I'd do the post-it note on the monitor, but since I switched to an LCD, there's not a lot of space.

  25. lroberson says:

    Newegg.com is one of these merchants.

    I use one of my debit cards to make charges online. VbV was implemented by Newegg a couple of years ago. I was recently prowling for a hard-to-find way-overpriced high-end video card and I spotted it one day on Newegg. Of course, I rushed to order it, as they sell out of stock very quickly and I had been waiting for a few weeks.

    I fat-fingered my password on the VbV login page a few times, guessed a few more of my common passwords, and was finally locked out. That was a problem. I was deathly afraid that my order would be voided because it couldn't be charged. A few seconds later the site forwarded me back to the merchant's site, and I had the "Order Completed" page. I phoned the support number and the fool on the phone guided me through password reset. I asked him what would happen to the order, and he said the charge would be rejected. I logged into my online banking site and found that the $1600 charge (I was putting together a new rig) had reached the bank. As I was on the phone with the guy, the vendor emailed me a few times through the various steps of confirmation, including notification that my card was successfully charged. I worried, but went to bed.

    The next morning the bank had posted the transaction, debited the money, and the vendor had begun to pack my order.

    Way to go! Glad I wasted my time with that colossal piece of shit. It DIDN'T WORK AT ALL.

    Granted, it could've been a weak implementation on the part of the vendor. Perhaps VbV doesn't actually block the transaction, perhaps it merely politely tells the vendor "this checked out okay." and Newegg thought it had that message. One thing is for sure. It didn't fucking protect me one bit.

    • darkengobot says:

      If NewEgg uses it, I've never noticed it. I always use a Discover card for NewEgg.

  26. legolas says:

    I guess this won't be much use to you, but my friend phoned his (belgian) bank to ask about this (in a somewhat paranoid attempt to protect himself), who hadn't heard about this at all.
    So get a card from a Belgian bank, and you might be safe from this for a while. Although I guess this will be difficult for you... :-(

  27. gregv says:

    If you're really looking to switch banks my recommendation is Citibank. They use Mastercard and I've never run into SecureCode or whatever it is. I don't see it on their online account manager so I'm pretty sure they don't even offer it.

    The reason is probably because they have virtual account numbers, which is real security instead of just another password layer that the merchant has to support. If you want, you can sign into their little flash jobby and it will spit you out a credit card number that only accepts one charge. You can even put a limit on how big that one charge is. Transparent to the merchant, and totally opt-in on your end. Use it all the time, sometimes, or never.

    Another reason is I remember some time ago you complained about your bank rejecting charges because they were too big or otherwise triggered something in their anti-fraud system, and you wanted some megabank that doesn't give as much of a shit and won't hold things up. That's Citibank. I placed a $600 order online that was to be delivered to Milwaukee, whereas I've lived in New York my entire life. The merchant gave me a call, but Citibank didn't bat an eye.

    • wfaulk says:

      The flip side to this overreaching "security" is an almost complete lack of security, and that is exemplified by Citibank. Reference the previous post about how Citi recently lost millions of numbers and had to cancel them and send out new cards to all of those people, leaving them without a credit card for a week or two.

      The whole advantage to the VbV system for the end user is that it's (very slightly) more difficult for someone to steal your credit card information and leave you without a card for a week or two. If one wants to avoid that, he'd probably be interested in having the real security as good as possible.

      It occurs to me as I type this that VbV is irrelevant, really, as all the thief has to do is order from somewhere that doesn't support VbV.

  28. dcardani says:

    One thing that nobody's mentioned here is that any charge you make online using Verified by Visa cannot be charged back to the merchant, even if they fuck up in their usual ways. This is a serious problem.

    Also, any VbV transaction is considered a card present transaction, so should someone figure out (or steal) your password, and use it to make purchases, it's treated the same as if you went to the store and signed the receipt yourself.

    VbV should be avoided.

  29. sheilagh says:


    (not exactly grim meathook future, but certainly another example of crummy banks/financial institutions..)

  30. pitbrown says:

    You know, it's just OK for now...

  31. jered says:

    Did you ever find an opt-out mechanism? This just inconvenienced me for the nth time. It's mindbogglingly stupid, too, in that the VbV form lets me reset the password with only 1 additional piece of data -- last 4 of SSN.

    If that's all that's necessary to reset the password, why not just make that the VbV authenticator? Or.... don't let the merchants take the CVV code, instead make the CVV code the VbV authenticator, since I gather the goal is just to make sure the merchant bank is in the loop on every transaction and the merchant never has all the data necessary to complete an online transaction.

    • jwz says:

      No, but most of the sites that use it have a hidden "skip this step" link on the page somewhere. I have encountered sites that didn't, though -- or maybe they just hid it too well.

      • jered says:

        Is there one for TicketBastard? I'll look closer next time but couldn't find one.

        ZOMG, I bought tickets from them recently and they were trying out their new concept of "all-in" pricing, where the ticket cost reflects the full price. Yes, I was still paying a 50% "premium" (not that there's any way to avoid it), but it was still somehow less infuriating to know that I was going to pay $27 up front for the "$20" ticket.

        I'm so glad we have the FTC and anti-trust laws to protect us from this sort of thing.