CC shared secret
Michael Simpson
ukcrypto at chiark.greenend.org.uk
Wed, 6 Aug 2008 11:47:03 +0100
On 8/6/08, Roland Perry <lists@internetpolicyagency.com> wrote:
> I just got an email (which seems to be genuine) from one of my credit card
> companies saying they have enrolled me (unsolicited) in "Verified by Visa",
> and my password will be the answer to one of the "shared secrets" used
> during login to my online account with them.
>
> I wonder if that means they have a copy of that "shared secret answer" in
> the clear, in order to pass it to Visa - or are both organisations using the
> same one-way hash? Or is it something different, like the V-b-V dialogue
> when I make a purchase actually being "franchised" by my bank, with Visa not
> having the data at all?
> --
> Roland Perry
Davey Winder did a piece on this in PCPro this month
<http://www.pcpro.co.uk/realworld/211110/security-without-a-smile.html>
mike