I’m not the kind of guy who falls for those super-obvious identity theft scams. I live online, I work in IT and I don’t really like sports. I’m pretty careful when it comes to plugging my credit card into the internet.

But last month, when I was stuck for rail tickets in Europe, I thought I’d slipped up. Turns out, it was just a “security feature.”

Here’s the story: Last month, my girlfriend and I had some trouble with our train tickets. Crouching on a hostel bunkbed, hands cramping on the tiny Eee PC keyboard, I was already in a bad mood about having to shell out another ₤180 for new train tickets.

But I was at the official Eurostar website, so at least I wasn’t worried about getting scammed.

Begrudgingly, I entered my name, address, credit card, CVC number, etc. I clicked “Proceed” and was redirected to a third party site, with my bank’s logo on it. And great, it’s asking me for my financial information again!



This screams “phishing scam” to anyone that ever bothers to look at the address bar in their browser.

So after a few panicked phone calls to the Visa Fraud line, the Eurostar people and my bank, I find out that not only is my identity safe and sound, SecureSuite.net and their “Verified by Visa” program are legitimate.

Visa really dropped the ball here. This is a terrible security strategy, and here’s why:

People, especially people that aren’t very tech savvy, are trained to not enter any financial information online when the website in the address bar looks fishy. A good example of “looking fishy” would be when a website in the address bar has absolutely nothing to do with the website you think you’re visiting. In this example, SecureSuite.net has nothing to do with any of the organizations I’m dealing with: Eurostar, Visa, or my bank.

Here are three steps Visa could take to fix this process:

  1. Ditch SecureSuite.net. This is not a familiar name. I have a Visa card, and an RBC account — I don’t have any association with some company called “SecureSuite.” Everything needs to go through domains owned by one of the companies I’m familiar with, and that I trust.
  2. Publicize this. Send emails to customers, make phone calls, hand out pamphlets. Your new security features should never look like a scam — and part of the reason this looked so much like a scam is that I’d never heard of Verified by Visa.
  3. If you absolutely must have vendors, like Eurostar, redirect customers to a domain that they aren’t going to recognize, make sure they give a warning. Even something simple, like “You will now be redirected to our security partners, SecureSuite.net. This is intended, and is not a browser hijack.”
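Steps 1 and 3 can be expressed as a check a checkout page runs before sending the customer away, shown here as an added example that is not code from Eurostar, Visa or any real checkout. The function name, the list of domains the customer knows and the sample URLs are assumptions made for illustration.

```javascript
// Added example. Assumed list of domains the customer already associates
// with this purchase: the merchant, the card network and the issuing bank.
const KNOWN_TO_CUSTOMER = ["eurostar.com", "visa.com", "rbc.com"];

// True when host is the domain itself or a subdomain of it. Matching on a
// label boundary keeps "notrbc.com" and "visa.com.example.net" from passing.
function belongsTo(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide what to do with a payment redirect target:
//   allow - the address bar will show a name the customer recognizes (step 1)
//   warn  - unfamiliar domain, show an interstitial before leaving (step 3)
//   block - the URL cannot be trusted to display honestly at all
function classifyRedirect(target, known = KNOWN_TO_CUSTOMER) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return { action: "block", reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { action: "block", reason: "not HTTPS" };
  }
  // "https://rbc.com@example.net/" shows a familiar name but goes elsewhere.
  if (url.username || url.password) {
    return { action: "block", reason: "userinfo in URL" };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (known.some((domain) => belongsTo(host, domain))) {
    return { action: "allow", host };
  }
  return {
    action: "warn",
    host,
    message:
      `You will now be redirected to our security partners, ${host}. ` +
      "This is intended, and is not a browser hijack.",
  };
}
```
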