[Fwd: Re: Co-op Bank and Verified by Visa]
Nicholas Bohm
nbohm at ernest.net
Thu Jun 18 14:36:57 BST 2009
I am forwarding a message from Peter Gutmann because his posts get bounced.
Nicholas Bohm <nbohm at ernest.net> writes:

>The system nevertheless seems fairly feeble.

It's fulfilling its intended purpose, but its purpose is to prevent merchant
fraud and not phishing.
A similarly problematic redirection-based authentication system is used in
Verified by Visa/MasterCard SecureCode, which redirects users away from the
site at which they're making a purchase to a site unrelated to the online
store, their bank, or Visa/MasterCard, to enter additional authentication
information for the purchase. The reason for doing this is that the
additional data entered at the external site is never revealed to the
merchant, avoiding some types of merchant fraud in which they bill
transactions to cards without the cardholder's permission (in technical
terms this out-of-band mechanism provides chargeback liability shift from
the acquirer, the bank to which the funds are being paid, to the issuer, the
bank that issued the card, for cases in which the card owner denies
authorising the transaction). According to Visa this type of fraud accounts
for about 70% of merchant chargebacks because in an Internet-based
card-not-present transaction there's no cardholder signature available to
prove that the transaction was authorised, so the acquiring bank dumps the
liability for the disputed transaction onto the merchant. The out-of-band
authorisation provides the equivalent of the signature on the card receipt,
with the incentive for merchants to sign up to the program being the ability
to avoid liability for certain types of disputed transactions, and the
incentive for the banks being the reduction in merchant fraud.
The manner in which the redirect-based authentication is handled was left to
individual banks. Since banks tend not to employ large numbers of
cryptographic security protocol designers the result was an initial flood of
exquisitely homebrew mechanisms accompanied by sufficient paperwork to
overwhelm Visa/MasterCard's auditors, but the process has since converged on
the near-universal use of passwords or PINs.
So the final result is that, as with OpenID, users go to a site expecting to
make a purchase and are then redirected to an arbitrary site unrelated to
anything that they're expecting to deal with (most banks outsource the
processing to third parties) where they're asked to enter additional
authentication information. Some banks even allow users to create a new
Verified by Visa/SecureCode authentication value on the spot if they've
forgotten their current one, proving their identity using their credit card
details. The results have been predictable, with the additional awkward
steps annoying consumers both due to the inconvenience of the extra action
that's required and the fact that it "looks and feels exactly like a
low-quality phishing scam" [91] and providing no real protection against
phishing [92], which isn't really surprising, since it's designed to protect
against merchant fraud and not phishing.
This process is further confused by the fact that, in order to avoid popups
and redirects, some banks have started recommending the use of inline
iFrames on merchant sites, which means that crooked merchants can obtain the
Verified by Visa/SecureCode value directly from the user, bypassing the
fraud protection that it's supposed to provide. Online crime investigators
have even observed criminals discussing amongst themselves how much they
like Verified by Visa because of the false sense of security that it
provides to their victims (!!).
Peter.
More information about the ukcrypto mailing list