Co-op Bank and Verified by Visa
Peter Fairbrother
zenadsl6186 at zen.co.uk
Thu Jul 9 15:32:36 BST 2009
Charles Lindsey wrote:
> On Tue, 23 Jun 2009 22:02:19 +0100, Peter Fairbrother
> <zenadsl6186 at zen.co.uk> wrote:
>
>> Charles Lindsey wrote:
>
>>> It now seems that the critical page, which is now a subframe of the
>>> Merchant's site, is now prepared by the Merchant using the format
>>> provided by the Issuer.
>>
>> The contents of the frame are, I think, provided directly to the user
>> by the authentication site without the merchant seeing them, though
>> the merchant sees the CC number and looks up the relevant
>> authentication site from a directory site - so devious tricks may be
>> needed.
>
> No, I don't think that is the case. One of the screenshots in the Manual
> shows such a suggested window which contains a Merchant's header, and
> then a frame which includes wording which the merchant is instructed to
> configure of the form "the following is sent to you by your bank yada
> yadda click HERE to get back to us if it does not work".
--- ?dividing line? ---
> And below that
> is the Bank's solicitation to reveal your SecureKey, with no obvious
> dividing line, nor any suggestion that a sub-sub-frame is involved.
>
> I agree that if such a sub-sub-frame WERE involved, and it had been
> provided by the Bank
it is, it is,
> for the merchant to forward to the customer
it goes from the 3G operator (not the bank, or the merchant) to the
customer, via https
> , then
> it could perhaps have been encrypted by the Bank so that the Merchant
> could not decrypt the client's "personal message" contained therein.
Unless the merchant knows about cross-site scripting attacks - which,
ooops, most blackhats do.
dunno whether this should be a :) or a :(
-- Peter Fairbrother
>