
In New Zealand, when you pay for something using a Visa card, you get redirected to a "Verified by Visa" page whose domain is "securesuite.co.uk".

That always looks incredibly dodgy to me, not sure why they don't use a visa.com subdomain so it doesn't look like a phishing scam.



These pages are the authorization pages of an Access Control Server (ACS) in the 3-D Secure flow. Visa/MasterCard designed the scheme, but the spec is open (in a somewhat limited sense), so anyone can implement the ACS as long as you're qualified to see the spec and can get it certified. Banks are free to choose the ACS vendor as long as it's certified. Many banks do provide the ACS authorization page at their own domain name, although many of them just use a third-party service, just like in your case.


I've seen that in the United States on a completely different domain. I actually changed banks over it when Wells Fargo set it up.

To answer your root cause question: I think it's a hook back to the issuing bank, and Visa themselves are only tangentially involved, AIUI. So things like securesuite are the vendors for the bank. (Am I wrong? That's how it was explained to me once.)


Yeah, it does look dodgy.

Bear in mind that it's also used for Mastercard's SecureCode and possibly other credit card providers as well.


Thank you! I've never signed up for it because of this.


In Serbia it does that too, often with dodgy bank branding and incredibly long and convoluted base64-encoded URLs... Weird.



