Co-op Bank and Verified by Visa

Andrew T cybergibbons at gmail.com
Thu Jun 18 14:19:53 BST 2009


Of the four banks I mentioned, there is nothing to identify themselves
to me outside of my name being in the username - which I have already
provided. One of them uses the domain "securesite.co.uk" - but I have
no way of telling this as the VbV guidelines are to embed the app so
that you cannot inspect the URL.

I realise these are specific implementation issues, but on the whole,
banks seem to have made a hash of it.

Andrew

2009/6/18 Ian Batten <igb at batten.eu.org>:
>
> On 18 Jun 09, at 1312, Nicholas Bohm wrote:
>
>> In my experience the Verified by Visa and Mastercard SecureCode sites
>> show me a memorable phrase of my own choosing (set at registration) as a
>> form of authentication.  Weak but better than nothing; and my bank
>> (Coutts) allows me to use a password for these sites which is not the
>> same as anything I use elsewhere.  So these are grounds on which you
>> might challenge the Co-op's implementation.
>
> Same for Lloyds TSB.  And the initial sign-up site I was first redirected to
> was within the lloydstsb.co.uk domain and had appropriate certificates that
> matched the URL.  You set a distinct password, and you set a greeting
> message of your choice, which they should tell you to make very personal but
> don't.  You can change that, and you can get a list of all transactions.
> Branded as clicksafe and seems to have been well thought through.  It works
> for both Mastercard and Visa off the same infrastructure.
>
> http://www.lloydstsb.com/clicksafe.asp
>
> ian



-- 
Andrew



More information about the ukcrypto mailing list