3D, 2D or 1D Secure?

Thanks to all those who responded to my earlier comments about card security. It seems there are different implementations of Verified by Visa and MasterCard SecureCode. Some issuers request only a number of characters from your password to verify the transaction whereas others ask for the full password.

Some issuers also annoyingly set certain password standards so a password may have to include both upper and lower case letters as well as numerals and characters.  While they think that this makes the password more secure in fact the reverse is true. The more complex the password the more likely the user will have to record it thus making the additional complexity self defeating.

Passwords aside I received a disturbing letter from the Co-operative Bank this week about their implementation of Verified by Visa.  It said that they were going to register me for VbV in a month's time and would set my established "memorable name" as the password. While I'm happy that they are joining VbV I'm not happy about the way they're doing it.

Firstly my "memorable name" isn't really secure since I have to speak to a member of Bank staff to set it. Secondly, and I called Co-op to raise my concerns about this, there seems to be no stage in the process where I can set a validation phrase or personal message. This means that whenever I use Verified by Visa I have no way of confirming that the VbV window I am using is genuine and not spoofed. The employee I spoke to kept saying that it was OK because I would be diverted to the Co-op's website to input my password. She couldn't understand that without a validation phrase displayed I couldn't be sure that this was their site and wouldn't be entering any password!

In theory 3D Secure is a good system but it seems to me that the various ways in which banks are implementing it leave it open to fraud.