To: ive_seen_a_scam@smile.co.uk 23/02/2009
Please forward this to someone with the ability to assess the risk of such a security breach. (Preferably with basic knowledge of SSL and cross-site scripting.)
A web site (not smile's) is asking for my account's memorable name. I shouldn't be entering this information anywhere other than into a secure smile web site.
[Other sites that take payment using PayPal I can trust as I see they redirect to a PayPal server for me to enter my account details.] Perhaps you should take a look at how PayPal processes such orders.
As the site I was ordering from should probably be trusted, I chose to enter it this time and then to change the memorable name as soon as the order had completed.
Specifically:
http://www.smile.co.uk/servlet/Satellite?cid=1076315830501&pagename=Smile%2FPage%2FsmView&rendermode=preview&c=Page
Suggests I don't enter details into "computers that aren't your own", which I also assume applies to supplying them to sites that aren't smile's.
http://www.smile.co.uk/servlet/Satellite?cid=1124867052028&pagename=Smile%2FPage%2FsmView&c=Page&loc=l
"all secure messages between us travel in a closed environment, so they can’t be read by anyone else" but this is a 3rd party asking for my memorable name and not smile.
Order was from:
http://wck2.companieshouse.gov.uk
Appears to use
https://www.netbanx.com
to make the payment, then it either takes the memorable name in this site or uses an embedded site from:
https://secure5.arcot.com
Please contact me if you require more information.
----
Reply: 23/02/2009
Thanks for your message.
I can understand your security concerns with the verified by visa scheme.
For more information with all aspects of this please visit our site
(www.smile.co.uk) then click the security link at the top. Once there
select the verified by visa link on the left and this will then be able to
give you all the information you need.
----
My response: 23/02/2009
Q: Is Verified by Visa (VbV) easy to use?
A: Yes. When you make an online purchase, a window from the Bank will be displayed and prompt you for your memorable name/VbV password. Simply enter your memorable name/VbV password and complete your purchase.
My problem is no apparent window from the bank is shown so it appears like (don't know if this is true or not) I am giving my security details directly to a third party. (It is very easy to create a malicious secure web site that looks just like the one I saw.)
----
Reply: 24/02/2009
I'm sorry you have concerns about your online security.
When you sign in to a Verified by Visa site using your smile card, you'll
automatically be asked for your memorable name. This will confirm that
you've been connected to smile behind the scenes. Other banks will ask
different questions, however being asked memorable names will confirm it is
us.
The original brief from Visa stated banks could introduce individual
questions for each customer, that's not been fully introduced yet, however
we'll be reviewing this in the near future. At the moment we're reviewing
and looking to implement other security procedures.
Please make sure the website you're using to make the online transaction is
a website that you trust, this is important as using a trusted website will
greatly reduce the likelihood of there being a scam.
Please also check that your PC is fully protected with antivirus, firewall
and anti-spyware software plus the relevant phishing filters available with
your chosen web browser. Please let me know if you need any more advice on
this.
Thanks for taking the time to contact us, I appreciate your concerns and
comments and have raised it internally for further consideration.