CC shared secret

Nicholas Bohm ukcrypto at chiark.greenend.org.uk
Wed, 06 Aug 2008 11:29:26 +0100


James Firth wrote:
> Roland Perry wrote:
>> I just got an email (which seems to be genuine) from one of my credit
>> card companies saying they have enrolled me (unsolicited) in "Verified by
>> Visa", and my password will be the answer to one of the "shared secrets"
>> used during login to my online account with them.
>>
>> I wonder if that means they have a copy of that "shared secret answer"
>> in the clear, in order to pass it to Visa - or are both organisations
>> using the same one-way hash? Or is it something different, like the
>> V-b-V dialogue when I make a purchase actually being "franchised" by my
>> bank, with Visa not having the data at all?
> 
> As far as I am aware, the authentication is actually done by your bank, the
> transaction being proxied by the Verified by Visa architecture.

That reflects my experience; but if the authentication fails to recognise 
my password (or the required characters from it), it merely requires me 
to reset it, and then accepts the use of the reset password.  So not 
very stringent.

(In fact I think this may reflect the corresponding Mastercard process, 
rather than Visa; but same difference probably.)

Nicholas
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285    (+44 1279 870285)
Mobile  07715 419728    (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF