CC shared secret
Igor Mozolevsky
ukcrypto at chiark.greenend.org.uk
Fri, 8 Aug 2008 14:35:13 +0100
2008/8/8 Charles Lindsey <chl@clerew.man.ac.uk>:
> CYCOTA seem to be able to go to the trouble of including the correct bank's
> logo on the page they exhibit, so surely it would not be beyond the wit of
> man to arrange for them to exhibit a certificate traceable to the relevant
> bank. All it needs is a specially constructed key pair with short expiry (so
> there is little risk in letting CYCOTA have the private key), itself signed
> by one of the bank's better known keys which in turn would be signed by the
> usual Verifraud clowns.
Displaying the relevant bank logo is simple, you just need to do a BIN
lookup, whereas masquerading as a part of someone else's domain is a
lot more difficult, especially if EV certs are involved. Incidentally,
is it an EV cert that CYCOTA, et al. present or is it a plain cert,
does anyone know (none of my CC cards are 3D obscured)?
Cheers,
--
Igor