Introduction
This blogger's post (link unavailable) in 2008 pretty much summed up what happened to me today:
I’m not the kind of guy who falls for those super-obvious identity theft scams. I live online, I work in IT and I don’t really like sports. I’m pretty careful when it comes plugging my credit card into the internet.
But last month, when I was stuck for rail tickets in Europe, I thought I’d slipped up. Turns out, it was just a “security feature.”
I don't live online or work in IT (though I do love sports), but everything else pretty much describes me when it comes to identity theft scams and credit card purchases on the internet. There were times when I thought twice about making online purchases due to my concern of identity theft and transmitting credit card information over the internet. But now, I've seem to let up a bit, which led me to today's scare.
I encountered the same scenario that the author did. I was purchasing something online, and after I checked out and submitted the order, a pop-up window appear, asking me to sign up for "Verified by Visa." It looked something like below:
I didn't really think much about it and proceeded to enter in the required information. It wasn't until after I had submitted the form, and saw the URL that I began to second guess if what I did was a good thing.
Symptoms
First, the URL domain was "securesuite.net" - My head started to ring PHISHING ALERT out of instinct. I didn't think Visa would've used a third party site for a security service?
Second, this was the website I was redirected to (this was the account management page). In my opinion, I was expecting something more professionally done (sorry!) or at least more consistent with Visa.com's website - it is a Visa feature, right?
To top it off, I received an email from the domain @securesuite.net... This was very fishy.
Out of panic, I called my credit card company to confirm if there was anything suspicious about my credit card. I mean, I wasn't concerned about the charge for the purchase because it was what I expected and wanted. I was more concerned about the site I had just submitted my info to. So the end result from calling was that I was offered some identity theft protection feature for a monthly fee, which I quickly accepted. Not sure why, but I did it.
Findings
After some googling around (so much for a lunch break), I found the blog post that I mentioned in the beginning, mentioning that it's legit. I was a little more at ease.
I did some more digging, and discovered that Verified by Visa was a solution by Cyota, which was purchased by RSA Security in 2005. SecureSuite is actually the name of the Cyota solution, an online payment security platform.
If you do a WHOIS domain lookup, the domain "securesuite.net" is owned by
I also had a few friends who confirmed that it is a legitimate security service.
Lessons Learned
So, what did I get out of all of this?
- Just because you've never ran into a phishing scam in the past doesn't mean you won't in the future. I guess I am fortunate that it wasn't. But it does reinforce the need for us to be very cautious when we are making purchases online. This pertains to emails, web forms, URLs, etc. that may look legitimate.
- It's good to know that some part of my mind was alert during the process, though it would not have been any use because it was after the fact. I need to start thinking twice and being more cautious again - I've been letting up too easily. Always think twice about pressing the submit button, and if it doesn't feel right, don't take the risk. It's better to be safe than sorry.
- Verified by Visa (and what was previously known as SecureSuite.net) is legitimate. It's basically a feature that adds an extra password to authorize online transactions with Visa cards, which the company claims to improve/enhance account security.
Visa sure gave me (and I'm sure others as well) a scare there. Why are they using a third-party for this solution? Why was I, a Visa customer, redirected to a site that was not owned by Visa? More importantly, why didn't they tell their customers about it or at least give a warning when purchasing online? Did Visa drop the ball on this? The author thought so, and I agree with him.
Of course, it is up to you (the reader) to determine whether or not you trust the site and the form. My experience with this incident turned out to be just a false alarm, but it doesn't mean that everyone else's will be the same result. As others have mentioned, the forms can be easily created by anyone who wants to steal personal information, so we need to be aware and alert when submitting information to merchants. So we'll leave it at that.
Now I am feeling much better.
My last order of business: Call credit card company and opt-out of the identity theft protection feature.
UPDATE (2/4/12)
Here's some additional information that I found around Verified by Visa. You can check out this URL for merchants that participate in the Verified by Visa program:
https://usa.visa.com/personal/security/vbv/index.jsp
One tip that I can suggest, which I am doing now, is to set up alert notifications of charges on your account (if your card provider has that feature), just so you know immediately when a card charge is happening. That way, you can keep a watch on any suspicious activity if you're still uncertain about Verified by Visa's validity.
