CC shared secret
Peter Tomlinson
ukcrypto at chiark.greenend.org.uk
Wed, 06 Aug 2008 11:11:56 +0100

Did they offer you the chance to log in somewhere and change the pwd?

Peter

Roland Perry wrote:
> I just got an email (which seems to be genuine) from one of my credit
> card companies saying they have enrolled me (unsolicited) in "Verified
> by Visa", and my password will be the answer to one of the "shared
> secrets" used during login to my online account with them.
>
> I wonder if that means they have a copy of that "shared secret answer"
> in the clear, in order to pass it to Visa - or are both organisations
> using the same one-way hash? Or is it something different, like the
> V-b-V dialogue when I make a purchase actually being "franchised" by
> my bank, with Visa not having the data at all?