Co-op Bank and Verified by Visa
Andrew Cormack
Andrew.Cormack at ja.net
Thu Jun 18 17:31:06 BST 2009
> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Richard Brooksby
> Sent: 18 June 2009 14:35
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Co-op Bank and Verified by Visa
>
> On 2009-06-18, at 13:12, Nicholas Bohm wrote:
>
> > In my experience the Verified by Visa and Mastercard SecureCode sites
> > show me a memorable phrase of my own choosing (set at registration)
> > as a form of authentication. ...
>
> Yes, looking at Visa's own web site (see
> <http://www.visaeurope.com/personal/onlineshopping/verifiedbyvisa/main.jsp>)
> it's clear that they intend the banks to allow you to register,
> and to allow you to set your own password.
>
> Co-op have decided to skip both these steps, perhaps in a misguided
> attempt to make things "easier" for their customers. But they've
> damaged customer security by doing so.
>
> A secret for use with Verified by Visa would be OK. Not great, since
> banks are then unwilling to allow you to repudiate "verified"
> transactions, but at least it's not revealing one of your main shared
> secrets with your bank.
My credit card issuer does indeed allow the user to choose their own
recognition phrase and secret, but to set a new secret all you need is
the information that's printed on the credit card and the holder's birth
date. Since I'm contracted to inform the issuer if anyone ever finds out
my secret, should I also let them know whenever anyone displays
knowledge of my birth date, since it's functionally equivalent to the
secret ???
One practical implication is that you should never carry a VbV credit
card and a photo driving licence together :-(
Andrew