
A few online merchants are offering special deals for using Visa Checkout, a payment service similar to PayPal, so I've been trying to learn something about it before signing up. When you are on a shopping site and click the Visa Checkout icon, it pops up a window to enter your Visa Checkout username and password:

[screenshot: the Visa Checkout username/password popup]

Is this scheme secure? I don't see anything that lets me verify that this popup is valid and protects my information. It seems that a rogue site could easily fake the popup and harvest the login credentials.

With PayPal, I am directed to the PayPal site to sign in, which lets my browser show me the PayPal host and TLS authentication:

[screenshot: the PayPal sign-in page, with the host name and TLS indicator visible in the URL bar]

If I check those items on the URL bar, I feel reasonably confident that I am delivering my credentials only to PayPal.

Is the PayPal scheme more secure than Visa Checkout? Or is there some way I'm missing to protect against spoofing?

rhashimoto
  • I find the in-page popup rather concerning as an end user for fear of spoofing. Like you show in the PayPal example, being redirected to another site, whereby I can guarantee the SSL certificate etc. is all good, just feels better. I'd feel any more secure with this Visa secure than just punching in a CC number. Don't really see the benefit realisation here, Visa. – Jafin Nov 24 '15 at 07:25

2 Answers


The problem you mention is a real one.

This scheme was a subject of criticism and led to a newer implementation ("3D Secure by ...", the old one unfortunately also sometimes uses this name) which is two-factor (you usually get an SMS with a code you must input on the merchant's page). You are also warned of the upcoming operation ("you will now be transferred to 3D secure..."). The scheme you mention failed to pass the European Central Bank requirements.

The requirements for e-commerce payments were strengthened with the PCI-DSS SAQ A-EP, specifically designed for modern e-commerce payments (where you are not redirected to a bank's or processor's page to fulfill your payment).

The redirection to PayPal in your example is a good compromise - you get into a better-known page which, as you mention, you can analyse and check against common-sense security (specifically, to whom the cert was delivered).

WoJ

Is this scheme secure?

Security is never absolute, so it's impossible to answer whether this is outright "secure".

In the Visa scenario you're essentially placing your trust in Newegg. Behind the scenes the Visa popup probably uses TLS, but for all intents and purposes Newegg could serve you a phishing screen instead and you'd have a hard time telling. All you know is that you have a secure connection to Newegg.

In the PayPal scenario you can easily verify the TLS connection and URL yourself; however, this doesn't mean that PayPal is secure or trustworthy. You still have to trust PayPal.

Essentially it comes down to how trustworthy Newegg is. If Newegg is approximately as trustworthy as PayPal then they're both equally secure. If Newegg is less trustworthy then the PayPal solution is more secure.

If instead of PayPal there was a less trustworthy party with an identical implementation to PayPal involved, then the Visa solution might be more secure.

It seems that a rogue site could easily fake the popup and harvest the login credentials.

If you don't trust the site, then you should prefer the PayPal implementation. If the site is trustworthy then the security difference is minimal.

thexacre