CC shared secret
Charles Lindsey
ukcrypto at chiark.greenend.org.uk
Wed, 06 Aug 2008 18:16:35 +0100
On Wed, 06 Aug 2008 11:04:16 +0100, Roland Perry
<lists@internetpolicyagency.com> wrote:
> I just got an email (which seems to be genuine) from one of my credit
> card companies saying they have enrolled me (unsolicited) in "Verified by
> Visa", and my password will be the answer to one of the "shared secrets"
> used during login to my online account with them.
>
> I wonder if that means they have a copy of that "shared secret answer"
> in the clear, in order to pass it to Visa - or are both organisations
> using the same one-way hash? Or is it something different, like the
> V-b-V dialogue when I make a purchase actually being "franchised" by my
> bank, with Visa not having the data at all?
I subscribed long ago to the corresponding MasterCard scheme. It all
seems to me to be pretty secure - the only problem being that very few
merchants have yet agreed to implement it, so you still run the usual
risks when using such merchants.
The other oddity is that they (Natwest/RBS in my case) have outsourced
the operation to a gang called CYCOTA somewhere in San Francisco, and it
is the CYCOTA certificate that you see when you make the secure website
connection. So I have to assume (and IMO it is a reasonable assumption)
that CYCOTA are running a properly secured outfit (i.e. at least as secure
as Natwest/RBS, and surely more secure than Amazon and the like).
The way it works is this. When you give your Card Number to the Merchant,
and they attempt to verify it through the usual channels, they get told
that the card is signed up to VbV (or rather the corresponding Mastercard
thing). They then transfer you to the CYCOTA site (whose certificate you
then see) and you negotiate with CYCOTA using your
password/secrets/whatever (quite convenient actually, because they exhibit
your secret to you, to prove that they know something that the merchant
does not know, but you know that they know; so you can choose the secret
in a way that reminds you which of your various passwords you need to give
them). When they are convinced you are who you say you are, then they
inform the merchant accordingly. Your password, secret, etc never go
through the merchant's site, and you do not have to disclose the magic
number on the back of the card.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
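The hand-off Charles describes (merchant learns the card is enrolled, cardholder is sent to the outsourced authentication site, the site shows the cardholder's own secret before asking for the password, and only a verifiable "approved" result goes back to the merchant) can be modelled in a few dozen lines. The following is an added example and not code from the list post, nor the Visa, MasterCard or CYCOTA implementation: every class, message field and storage choice is an assumption made for illustration. In particular it answers Roland's question only for this toy: the login secret is kept as a salted hash, while the assurance message has to be stored in clear because it is displayed back to the cardholder. A shared HMAC key stands in for the certificate a real merchant would check, and the `Cardholder` object talks to the server directly where a real scheme redirects the browser.

```python
"""Toy model of a card-authentication hand-off: merchant, authentication
server and cardholder.  Constructed example; all names are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class EnrolledCard:
    salt: bytes
    password_hash: bytes      # login secret kept only as a salted hash (assumed)
    assurance_message: str    # shown back to the cardholder, so stored in clear


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControlServer:
    """Plays the outsourced authentication site the post calls CYCOTA."""

    def __init__(self) -> None:
        self._cards = {}      # pan -> EnrolledCard
        self._pending = {}    # session id -> (pan, amount)
        # Stands in for the server certificate the merchant would verify.
        self.result_key = secrets.token_bytes(32)

    def enrol(self, pan: str, password: str, assurance_message: str) -> None:
        salt = os.urandom(16)
        self._cards[pan] = EnrolledCard(salt, _hash_password(password, salt), assurance_message)

    def is_enrolled(self, pan: str) -> bool:
        """The lookup the merchant does 'through the usual channels'."""
        return pan in self._cards

    def start(self, pan: str, amount: int) -> dict:
        """First leg: bind a session to this purchase and show the assurance message."""
        sid = secrets.token_hex(8)
        self._pending[sid] = (pan, amount)
        return {"session": sid, "assurance_message": self._cards[pan].assurance_message}

    def verify(self, sid: str, password: str) -> Optional[dict]:
        """Second leg: check the password; on success emit a result the merchant can verify."""
        pending = self._pending.pop(sid, None)
        if pending is None:
            return None
        pan, amount = pending
        card = self._cards[pan]
        if not hmac.compare_digest(_hash_password(password, card.salt), card.password_hash):
            return None
        payload = f"{sid}:{pan}:{amount}".encode()
        tag = hmac.new(self.result_key, payload, "sha256").hexdigest()
        return {"session": sid, "pan": pan, "amount": amount, "tag": tag}


class Cardholder:
    """Checks the displayed secret before typing the password, as the post suggests."""

    def __init__(self, password: str, expected_message: str) -> None:
        self.password = password
        self.expected_message = expected_message

    def answer(self, acs: AccessControlServer, challenge: dict) -> Optional[dict]:
        if challenge["assurance_message"] != self.expected_message:
            return None   # site cannot show my secret: do not give it the password
        return acs.verify(challenge["session"], self.password)


class Merchant:
    """Sees the card number and the signed result, never the password."""

    def __init__(self, acs: AccessControlServer) -> None:
        self.acs = acs
        self.received = []    # everything that ever reaches the merchant

    def checkout(self, pan: str, amount: int, holder: Cardholder) -> bool:
        self.received.append(pan)
        if not self.acs.is_enrolled(pan):
            return False      # not in the scheme: the ordinary, riskier path applies
        result = holder.answer(self.acs, self.acs.start(pan, amount))
        self.received.append(result)
        if result is None:
            return False
        payload = f"{result['session']}:{result['pan']}:{result['amount']}".encode()
        expected = hmac.new(self.acs.result_key, payload, "sha256").hexdigest()
        return (result["pan"], result["amount"]) == (pan, amount) and \
            hmac.compare_digest(result["tag"], expected)


def demo(password_typed: str, expected_message: str) -> Tuple[bool, bool]:
    """Run one purchase; returns (approved, password_reached_merchant)."""
    acs = AccessControlServer()
    acs.enrol("4111111111111111", "hunter2", "the one with the blue cat")  # constructed card
    holder = Cardholder(password_typed, expected_message)
    merchant = Merchant(acs)
    approved = merchant.checkout("4111111111111111", 2500, holder)
    leaked = any("hunter2" in str(item) for item in merchant.received)
    return approved, leaked


if __name__ == "__main__":
    print(demo("hunter2", "the one with the blue cat"))   # (True, False)
```

Running `demo` with the right password approves the purchase, and the merchant's `received` list never contains the password; a wrong password, or a site that cannot display the cardholder's own assurance message, leaves the purchase unapproved.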