CC shared secret
Charles Lindsey
ukcrypto at chiark.greenend.org.uk
Thu, 07 Aug 2008 11:34:14 +0100
On Wed, 06 Aug 2008 19:55:48 +0100, Roland Perry
<lists@internetpolicyagency.com> wrote:
> In article <op.ufg59xsy6hl8nm@clerew.man.ac.uk>, Charles Lindsey
> <chl@clerew.man.ac.uk> writes
>> Your password, secret, etc never go through the merchant's site, and
>> you do not have to disclose the magic number on the back of the card.
>
> But to go back to my original question, presumably you *are* disclosing
> it to CYOCOTA, and maybe they have a copy of everyone's secret so they
> can check they match. Or does CYOCTA contact each cardholder's bank in
> real time with a copy of the secret asking "does this match"? And
> hopefully throwing away its copy of the shared secret afterwards.
I think you have to trust CYCOTA to the same extent that you trust your
Bank.
I think (from what I remember) they hand you over to your Bank if you
claim to have forgotten your password, but I do not know whether they
interact directly with your Bank for each transaction. (Actually, a
sensible implementation would be to keep a cache of data for frequently
used cards, and to contact the Bank in other cases).
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5