Co-op Bank and Verified by Visa

Andrew T cybergibbons at gmail.com
Fri Jun 19 13:30:45 BST 2009


2009/6/19 Charles Lindsey <chl at clerew.man.ac.uk>:
> 1. Did the screen you were shown have the secure "padlock" set? If not, then
> for sure it was bogus, but...
>
> 2. If so, did you examine the certificate chain attached to it, and where
> did that chain show the screen to have come from?

By virtue of the fact that the "Merchant Deployment Best Practices"
supplied by Visa say that it is best to put the VbV into an inline
frame, it makes it difficult to find out the certificate chain, and
even when you do they terminate with some third party that I've not
heard of.

As others have stated, VbV seems to exist to prevent merchant fraud.
Is it impossible to conceive that a company willing to commit this
fraud would also be willing to develop a man-in-the-middle attack
using VbV?

-- 
Andrew
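
The inline-frame point above, as an added example that is not part of the original post: the browser's padlock describes only the top-level page, so this sketch lists every frame a page embeds and marks which ones come from a different origin and therefore carry a certificate the address bar does not show. The page URL, hostnames and HTML are constructed placeholders, and `audit_frames` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a merchant checkout page embedding an authentication
# frame from a third-party host. All hostnames are placeholders.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
  <iframe name="auth" src="https://acs.thirdparty.example/vbv/auth?id=1"></iframe>
  <iframe src="/basket/summary"></iframe>
  <iframe src="http://ads.example/banner"></iframe>
</body></html>
"""

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

class FrameCollector(HTMLParser):
    """Collect the absolute URL of every iframe/frame that has a src."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                # Relative src values resolve against the embedding page.
                self.frames.append(urljoin(self.page_url, src))

def audit_frames(page_url, html):
    """Report each frame's host, TLS use, and whether it shares the top origin."""
    collector = FrameCollector(page_url)
    collector.feed(html)
    top = origin(page_url)
    report = []
    for url in collector.frames:
        o = origin(url)
        report.append({"url": url, "host": o[1], "tls": o[0] == "https",
                       "same_origin": o == top})
    return report

if __name__ == "__main__":
    for row in audit_frames(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(row)
```

Frames reported with `same_origin` false are the ones whose certificate chain has to be inspected separately from the page's own.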



More information about the ukcrypto mailing list