Co-op Bank and Verified by Visa

Richard Brooksby rb at ravenbrook.com
Fri Jun 19 13:59:55 BST 2009


On 2009-06-19, at 13:15, Charles Lindsey wrote:

> On Thu, 18 Jun 2009 11:45:55 +0100, Richard Brooksby <rb at ravenbrook.com> wrote:
>
>> I'm getting into a battle with the Co-operative Bank over their  
>> implementation of the Verified by Visa scheme.  I thought I'd let  
>> you know about it, and also see if you agree with my position or  
>> have any suggestions.
>>
>> A few months ago, while shopping online at a random new site, I was  
>> asked to enter my "memorable name" in order to verify my Visa card  
>> transaction.  The "memorable name" is one of the secrets I share  
>> with the Co-op when using on-line or telephone banking.  However,  
>> the site that was asking me to enter it was unknown to me.  I  
>> closed the window and was unable to shop with that merchant.
>
> Yes, but you have completely failed to give us the critical piece of  
> information that we need to assess whether the Coop scheme is secure  
> or not.

I don't think this was the complete and utter failure that you think  
it was.  I'll explain.  But thanks for making me shake out this  
particular area of the problem.

> 1. Did the screen you were shown have the secure "padlock" set? If  
> not, then for sure it was bogus, but...

Ah, sorry, this appeared in the screenshot, but when I tried to post  
my message with that it was rejected for being over 20Kb.

The site did have a padlock.  That in itself is not at all reassuring  
-- see below.

> 2. If so, did you examine the certificate chain attached to it, and  
> where did that chain show the screen to have come from?

As it happens, the certificate is from Neteller PLC (www.netbanx.com)  
issued direct by VeriSign.  I'd never heard of netbanx.com or Neteller  
PLC and there is no chain involving my bank.

Besides which, although I am capable of checking this stuff (and did  
at the time) this is true of almost no Co-op customers.  That means  
this is not a scheme suitable for consumers.  Warnings like "don't  
enter your password unless the address is www.co-operativebank.co.uk  
AND you can see the padlock" are much better for the general public  
(though not perfect).

> But more likely, it would be the outfit contracted by Visa, the  
> Coop, or some combination thereof, to run the scheme. And that is  
> almost certainly going to be CYOTA, based in California and a  
> subsidiary of RSA Security Inc.

It wasn't and there is no chain to them either.

As far as I can tell, Visa are allowing merchants to do this  
themselves.  So you will get requests to enter your secret from random  
organisations you've never heard of.

It's not difficult for a password collector to get a certificate from  
VeriSign.  It doesn't prove any connection or authorisation from my  
bank, or give me any confidence that their operation is secure.

> But I agree with the remarks of others that the Coop implementation  
> of the scheme is remarkably lax, with no secret hint provided to  
> convince you it is them, and no opportunity to change your password.

Worse, they make you use your existing password.  Once the VbV  
man-in-the-middle collects that, they have a much better chance of  
stealing your money over the phone, and the bank insisting that it's  
your fault.

---
Richard Brooksby <rb at ravenbrook.com>  Senior Consultant
Ravenbrook Limited <http://www.ravenbrook.com/>
Voice: +44 777 9996245  Fax: +44 870 1641432
AIM: hothquist  Yahoo: gresque  Jabber: hothquist at jabber.org
LinkedIn: <http://www.linkedin.com/in/richardbrooksby>
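The rule quoted above, "don't enter your password unless the address is www.co-operativebank.co.uk AND you can see the padlock", sounds simple but is easy to get wrong, which is why the post calls it "not perfect". The check below is an added example, not code from the original post or from any bank or payment scheme: it takes a URL as the browser would show it and decides whether the page's origin really is the bank's own domain served over HTTPS. The domain co-operativebank.co.uk and the netbanx.com host come from the thread; the other sample URLs are constructed for illustration. It deliberately handles the tricks that defeat a naive "does the address contain the bank name" test: a lookalike suffix, user-info before an `@`, the bank name appearing only in a query string, and plain HTTP.

```python
from urllib.parse import urlsplit

# Domain named in the thread as the one the bank's own pages should live on.
BANK_DOMAIN = "co-operativebank.co.uk"


def host_matches(hostname: str, expected_domain: str) -> bool:
    """True if hostname is expected_domain itself or a label underneath it.

    A plain substring or endswith() test is not enough: 'co-operativebank.co.uk.evil.example'
    contains the bank's name but is a completely different registered domain.
    Comparison is case-insensitive and tolerates a trailing dot (an FQDN).
    """
    hostname = hostname.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def is_expected_bank_origin(url: str, expected_domain: str = BANK_DOMAIN) -> bool:
    """Apply the 'right address AND padlock' rule to a URL string.

    The padlock half of the rule is approximated by requiring the https scheme;
    the address half by matching the parsed host, not the raw text of the URL.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False  # no TLS, so no padlock to speak of
    host = parts.hostname  # userinfo and port are stripped here, lowercase
    if not host:
        return False
    return host_matches(host, expected_domain)


def triage_prompts(urls):
    """Return {url: verdict} for a batch of password-prompt locations."""
    return {u: is_expected_bank_origin(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample locations where a password prompt might appear.
    samples = [
        "https://www.co-operativebank.co.uk/login",
        "http://www.co-operativebank.co.uk/login",
        "https://www.co-operativebank.co.uk.evil.example/login",
        "https://www.co-operativebank.co.uk@evil.example/login",
        "https://evil.example/vbv?return=https://www.co-operativebank.co.uk",
        "https://secure.netbanx.com/vbv",  # the third-party host from the thread
    ]
    for url, ok in triage_prompts(samples).items():
        print(("enter password" if ok else "do NOT enter password"), url)
```

Note what this check does and does not establish. A `False` verdict for the netbanx.com prompt is exactly the situation described in the post: a valid certificate and a padlock, but an origin that is not the bank's, so the rule says not to enter the bank's password there. A `True` verdict only tells you the page came from the bank's domain over TLS; it cannot tell you whether the bank has outsourced the form, which is the separate point the thread makes about the certificate chain.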

More information about the ukcrypto mailing list