They're kind of half-arsed. So far as it's possible to tell, nobody who knew anything about UX or digital security was anywhere close to these projects.

So, your bank opts in to the Verified by Visa scheme (they can't opt individual account holders out, or at least my otherwise very co-operative "good" bank said they can't when I asked years ago).

If an online retailer performs Authorisation, the API they talk to will examine your card number and conclude it needs this extra check, so it tells them to forward your browser to an HTTPS site you've never heard of, in the arcot.com domain. I guess if you're a huge bank you've heard of Arcot, but consumers haven't. The site claims to be from your famous bank brand, but the domain name clearly isn't; anybody who has learned anything about phishing ought to run screaming.

The arcot.com HTTPS site looks at the transaction and if you've never done this before it (presumably always? but maybe if there's a fraud flag this doesn't happen?) registers you for the "Verified by Visa" service. You can pick "No, I'm busy right now, just let me buy stuff" and it will give you a few passes, but I believe eventually it's mandatory.

Signing up requires giving them some details about the card, and also effectively creating yet another secret password. (Because we all know secret passwords are great, right?) There might be an option to pick a picture or text greeting so you'll "know it's them", although of course a sophisticated attacker could duplicate that part...

On subsequent visits you may be asked for that secret if you've created it. Or, it might give up asking and just say everything is fine before returning you to the original payment flow. My transactions are reassuringly boring so I am never asked for anything these days.

The whole thing looks like it was built by people who were impressed by IE6 and are planning to buy a 17" display soon. The cryptography would be impressive for the IE6 era and not so much today: it's TLS 1.2, it has some basic precautions, but it's scarcely Fort Knox; your GMail is better protected.
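The redirect flow the comment describes, modelled as an added example (not code from the thread or from any card scheme): a scheme authorisation call that returns a redirect, a merchant-side allowlist check on the redirect target (the check shoppers cannot do themselves, which is the phishing problem raised above), and an ACS that allows a few "not now" passes before forcing enrolment and then only challenges risky transactions. The card prefix, host name and skip count are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed: opted-in card prefix, expected ACS host, allowed "not now" passes.
ENROLLED_BIN_PREFIXES = ("4111",)
KNOWN_ACS_HOSTS = {"acs.example-bank.test"}
MAX_SKIPS = 3

@dataclass
class Cardholder:
    pan: str
    enrolled: bool = False
    skips_used: int = 0
    secret: str = ""

def authorise(pan: str) -> dict:
    """Scheme API: look at the card number, approve or demand a browser redirect."""
    if pan.startswith(ENROLLED_BIN_PREFIXES):
        return {"status": "redirect", "url": "https://acs.example-bank.test/verify"}
    return {"status": "approved"}

def redirect_is_expected(url: str) -> bool:
    """Merchant-side check before forwarding the shopper: HTTPS only, and only to
    a host on the merchant's own allowlist (exact hostname match, no substrings)."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in KNOWN_ACS_HOSTS

def acs_step(holder: Cardholder, risky: bool, action: str, secret: str = "") -> str:
    """ACS as described: unenrolled cards may skip a few times, then must enrol;
    enrolled cards are asked for the secret only when the transaction looks risky."""
    if not holder.enrolled:
        if action == "enrol" and secret:
            holder.enrolled, holder.secret = True, secret
            return "enrolled"
        if holder.skips_used < MAX_SKIPS:
            holder.skips_used += 1
            return "skipped"
        return "enrolment_required"
    if not risky:
        return "frictionless"  # "everything is fine", straight back to the merchant
    return "challenge_ok" if secret == holder.secret else "challenge_failed"

def checkout(holder: Cardholder, risky: bool, action: str, secret: str = "") -> str:
    """One purchase end to end: authorise, vet the redirect target, run the ACS step."""
    auth = authorise(holder.pan)
    if auth["status"] == "approved":
        return "approved"
    if not redirect_is_expected(auth["url"]):
        return "refused_unexpected_redirect"
    return acs_step(holder, risky, action, secret)
```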



Ah, actually that sounds pretty much exactly the same, except I've only ever been redirected once or twice. I think the only difference is that I didn't realize that it would eventually force you to sign up.