Co-op Bank and Verified by Visa

Charles Lindsey chl at clerew.man.ac.uk
Fri Jun 19 13:15:12 BST 2009


On Thu, 18 Jun 2009 11:45:55 +0100, Richard Brooksby <rb at ravenbrook.com>  
wrote:

> I'm getting into a battle with the Co-operative Bank over their  
> implementation of the Verified by Visa scheme.  I thought I'd let you  
> know about it, and also see if you agree with my position or have any  
> suggestions.
>
> A few months ago, while shopping online at a random new site, I was  
> asked to enter my "memorable name" in order to verify my Visa card  
> transaction.  The "memorable name" is one of the secrets I share with  
> the Co-op when using on-line or telephone banking.  However, the site  
> that was asking me to enter it was unknown to me.  I closed the window  
> and was unable to shop with that merchant.

Yes, but you have completely failed to give us the critical piece of  
information that we need to assess whether the Coop scheme is secure or  
not.

1. Did the screen you were shown have the secure "padlock" set? If not,  
then for sure it was bogus, but...

2. If so, did you examine the certificate chain attached to it, and where  
did that chain show the screen to have come from?

If it was the Coop, then you are fine (assuming you trust Verisign, or  
whoever it was who issued the certificate at the start of the chain).

But more likely, it would be the outfit contracted by Visa, the Coop, or  
some combination thereof, to run the scheme. And that is almost certainly  
going to be CYOTA, based in California and a subsidiary of RSA Security  
Inc.

So if the certificate is from CYOTA, then you are probably safe, though  
you are entitled to demand from the Coop a confirmation that Cyota  
are their appointed agents for this purpose, and you are equally entitled  
to complain to them that it should have been arranged that they presented  
a certificate naming the Coop, which I am sure would have been possible  
(but they will just say "But that is what all the banks do" and decline to  
take it further).

BTW, it seems that I erroneously referred to that company as CYCOTA during  
an earlier discussion of this topic on this list. AFAICS, the system is  
well thought out and secure, and I have had no hesitation in using it with  
the few merchants I have encountered who have signed up to it.

But I agree with the remarks of others that the Coop implementation of the  
scheme is remarkably lax, with no secret hint provided to convince you it  
is them, and no opportunity to change your password.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
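The check in point 2 of the reply (verify the chain, then read off whom the leaf names and which anchor it terminates at), as an added example that is not part of the post or of any bank's or vendor's code. It uses Go's standard crypto/x509 on a chain it constructs itself; the organisation names are placeholders, not the Coop's or Cyota's real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ChainOrigin verifies leaf against the trusted roots and reports the Organization named by the leaf and by the trust anchor the chain ends at.
func ChainOrigin(leaf *x509.Certificate, roots *x509.CertPool) (leafOrg, rootOrg string, err error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	if err != nil {
		return "", "", err // untrusted anchor, expiry or bad signature: treat the page as bogus
	}
	chain := chains[0] // chain[0] is the leaf; the last element is the trust anchor
	return chain[0].Subject.Organization[0], chain[len(chain)-1].Subject.Organization[0], nil
}

// makeCert issues a certificate for org, signed by parent (self-signed when parent is nil).
func makeCert(serial int64, org string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds a constructed chain: the anchor is trusted, but the leaf names an outsourced operator rather than the bank.
func Demo() (leafOrg, rootOrg string, err error) {
	root, rootKey := makeCert(1, "Example Root CA (constructed)", true, nil, nil)
	leaf, _ := makeCert(2, "Example Payment Operator (constructed)", false, root, rootKey)
	roots := x509.NewCertPool(); roots.AddCert(root)
	return ChainOrigin(leaf, roots)
}
```

A valid chain that ends at a trusted anchor only tells you the page came from whoever the leaf names; whether that operator is the bank's appointed agent is the separate confirmation the reply says the customer is entitled to ask for.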



More information about the ukcrypto mailing list