Verified by Visa and arcot.com function like a man-in-the middle attack

If I didn’t know better, I would have thought that the Verified by Visa service offered by arcot.com was a man-in-the-middle attack that was poorly designed to look like a trusted service from Visa (my credit card) and USAA (my bank).

Why your instinct should be to not trust arcot.com

Here’s a few reasons why my instinct was to distrust both Verified by Visa and arcot.com:

Why Verifed by Visa and arcot.com looked like a man-in-the-middle attack

A MITM attack requires that the attacker place himself between two parties that are trying to communicate (me and united.com) and impersonate at least one of the parties (look like Visa or USAA). The arcot.com site required me to enter my name, the three-digit security code on the back of my Visa, the expiration date of my card, and my birth date — all of which was information that I already provided to united.com.

arcot.com has a very weak password policy

I knew arcot.com was legit even though it’s behavior is quite suspect. I believe a newegg.com purchase first exposed me to this process. But this time, arcot.com required me to create a password for their service.

Arcot.com Verified by VisaTheir password requirement reads: “To create your password enter 6 to 10 characters, without spaces.” But each time I entered a password, it would get rejected by this message: “Your password does not conform to the Password Policy. Please try again.” The is no link to a Password Policy and the link to Help does not contain information about their password policy.

Here are the five passwords I attempted:

  • hup52!eChu
  • XeW=A#rA5&
  • #re_aqeS7s
  • 4racrE$rec
  • beNu&Em9fu

Each of which is between 6 to 10 characters and would take a desktop PC about 58 years to crack). What ended up working was a much weaker alpha-numeric 10-character password that would take a desktop PC about 6 years to crack. That was the best level of security Verified for Visa and arcot.com afforded me.

Password limits imply poor security

Restricting users to a small selection of characters and a length of 6 to 10 characters gives the impression that arcot.com is storing user-entered passwords in an insecure form (like plain text).

The best practice for collecting and storing user submitted passwords is to:

  • Permit any character (entropy)
  • Permit an unlimited number of characters (length)
  • Add salt (unique random data added to each user’s password)
  • Hash the user password with appended salt (algorithm to change variable length data to a fixed length)
  • Re-hash several times (fixed is fine, but random per user would be better)
  • Store the final hash in an encrypted database, the unique-per-user salt in a separate encrypted database, and the random-number-of-hashes-per-user in a third encrypted database — each database on separate systems with separate credentials

Because arcot.com limits me to 10 alpha-numeric characters, I’m given the uneasy impression that they do not hash my password. If they did hash my password they would not care if I put in 20 characters or 2,000 characters, the hash would produce the same 256-character result (regarding length).

Shame on United, Visa, and USAA

Shame on the three of you for working with a third-party service that looks like a man-in-the-middle attack. I applaud you for wanting to improve your security and reduce online fraud, but this implementation is terrible and leads me to question your priority for security.

If you want to increase a security layer, do so from your own sites (which we trust) and not from a website we’ve never heard of. Use of subdomains would be fine. Additionally, permit users to enter very long and very complex passwords. Tools like LastPass automate this process.

Visa and banks in particular need to be vigilant in teaching their customers how to be secure and then practice what they preach. USAA has published several articles about online security and should be ashamed for having any connection to arcot.com’s Verified By Visa implementation.

8 replies on “Verified by Visa and arcot.com function like a man-in-the middle attack”

  1. I found this page because my instinct was to distrust Arcot Systems, for exactly the reasons you have outlined. I completely agree that this is shoddy work that, as a professional software developer, I would be ashamed to call mine.

  2. Same experience, an attempted purchase at one site already has my CC details yet leads me to Arcot site and ask much the same questions and more (DOB).

    The relationship between these sites and my card issuing bank and CC provider may be valid, but there is no way in the world I’m giving my details to this dodgy attempt.

  3. I completely agree. There is not even a cancel button on the page and as far as I am aware no payment has gone through. Needed to contact the seller / website owner to arrange payment over the phone or bank transfer if necessary. If any it is training innocent customers to ignore all these warning signs. DODGY

  4. I agree with you guys. This thing is Kafkan. I still can’t make changes to my flight because the United form keeps kicking out my CVVC number. When the United page ran the little notice about using Arcot or else maybe get held up at payment time, I decided to get my password now. Talk about torture; you’re typing in numbers that you can’t see, and so are making all kinds of errors without knowing what they are. After several tries (I’m 75 and don’t have complete control of my fingers) Apcot told me to get lost. I don’t know if Apcot had any role in screwing up United’s handling of my CVVC number, and I don’t know if I’ll be able to complete the flight change without jumping through the Apcot hoops. Plus I’m out of the country and can’t phone United.

    I guess I’ll have my 80-year-old husband and my 63-year-old neighbor in Texas make the phone call to United for me. Curse the airlines.

  5. Yeah, I was just trying to make a purchase off new egg as well and many of these exacts thought, both about the redirect being suspect and the ridiculous password policy. I shouldn’t be forced to use a less secure password for something linked directly to my credit card and why doesn’t a service being called ‘verified by Visa’ go through visa.com, either that or call it ‘verified by arcot’ so at least it does seem deceptive.

  6. I totally agree this is a dangerous practice – ‘training’ customers to reveal much of personal information to the man in in middle – even to a legit one. It shakes my confidence in the VISA system itself – they should not allow schemes like this one.

    An automatic email or SMS notification about credit card transactions is much better protection against fraud.

  7. This comes up when I try to make a purchase. It did seem a bit shady. So would it be alright if I filled everything out and completing my purchase? Last time I tried that my account was frozen.

Comments are closed.