Visa and MasterCard are competitors, right?


So, I was purchasing an air-ticket from Singapore Airlines, using a Visa card issued by a Singapore bank (OCBC) and, of course, it went through the Verified-by-Visa process, but note the URL:

So that would be “Verified by Visa, by MasterCard, in Australia” then?


4 Responses to “Visa and MasterCard are competitors, right?”

  1. Anand Kumria Says:

    Yes but neither VerifiedByVisa nor the Mastercard are secure.

    UNLESS you have been “pre-enrolled” by your bank.

    The majority of people — and each of those systems are the largest social networks in the world, btw — are forcibly enrolled when attempting to buy something.

    How do they know, at enrollment time, they are at the right location? They can’t since enrollment (and a lot of verification sites) use an iFrame.

    So just say ‘No’.


  2. Roland Turner Says:

    Singapore’s a little different.

    All online transactions (credit card, online banking, …) are authenticated using either a keyfob with a new 6 digit code each minute, or they SMS a single-use 6 digit code to your registered phone. Any change in authentication details (a) has to be handled via the bank’s call centre and (b) causes a paper notification to be mailed to the address that you have on file with the bank. This is to say, all Singapore account holders are “pre-enrolled”.

    I was more intrigued by the VerifiedByVisa process being handled by, which has got to be an error by whoever they’re outsourcing the process to.

  3. Anand Kumria Says:

    I think we might have been communicating as ships in the night.

    I’m enrolled in HSBC’s keyfob system.

    However I am *not* enrolled into either of VerifiedByVisa or Secure3D.

    So, what happens is that at point of sale, a company I am trying to purchase from online attempts to enrol me.

    What should happen is that both service do *not* allow enrolment to occur ‘on-the-fly’.

    If you were correctly pre-enrolled, by the way, it would ask you to use your banks keyfob to authorise the transaction.

    Perhaps that happens in Singapore but it certainly does not in the UK (not sure about AU); enrollment into either programme means you need to come up with a separate password for the “online protection” technology.

    It is sufficiently not compelling that a number of companies have sprung up in the past while – which I’ve only started to notice recently – which attempt to degrade your security further but get around the restrictions.

    I’ll post something about that in a week or so.

  4. Roland Turner Says:

    I did start out by saying that “Singapore’s a little different.”.

    I’d also suggest that the on-the-fly enrolments aren’t as insecure as you imagine:

    (a) it’s somewhat like the “generate new ssh host keys on the fly” mentality: it’s theoretically hazardous but, in practice, you’re likely to notice at some point if there’s been a MITM

    (b) Visa/MasterCard aren’t stupid; if they saw a merchant generating lots of fraudulent signups, they’d withdraw the merchant’s facility. No-one who’s actually selling something (vs. pure scam sites, where caveat emptor clearly applies) would be able to get away with this for long.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: