Co-op Bank and Verified by Visa
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sat Jun 20 03:09:08 BST 2009
Ian Batten wrote:
>
> On 18 Jun 09, at 1312, Nicholas Bohm wrote:
>
>> In my experience the Verified by Visa and Mastercard SecureCode sites
>> show me a memorable phrase of my own choosing (set at registration) as a
>> form of authentication. Weak but better than nothing; and my bank
>> (Coutts) allows me to use a password for these sites which is not the
>> same as anything I use elsewhere. So these are grounds on which you
>> might challenge the Co-op's implementation.
>
> Same for Lloyds TSB. And the initial sign-up site I was first
> redirected to was within the lloydstsb.co.uk domain and had appropriate
> certificates that matched the URL. You set a distinct password, and you
> set a greeting message of your choice, which they should tell you to
> make very personal but don't. You can change that, and you can get a
> list of all transactions. Branded as clicksafe and seems to have been
> well thought through. It works for both Mastercard and Visa off the
> same infrastructure.
>
> http://www.lloydstsb.com/clicksafe.asp
>
> ian
The personal recognition/memorable/greeting phrase provides almost zero
added security; it's absolutely straightforward for a criminal to get
hold of it. See my last post for details.
It's also fairly simple for a crooked merchant to do a similar thing
and get the customer's VbV passphrase: there is nothing to say that the
popup they present is from the bank rather than from their server, a
simple MitM attack.
If the first transaction between merchant and customer is actually
completed then there are some historical IP address problems for the
crooked merchant, but they are solvable.
-- Peter Fairbrother
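A toy model of the relay attack Peter describes, added here as an illustration and not code from the list, from any bank, or from the 3-D Secure specification. It simplifies the real protocol to three parties exchanging Python dicts: an issuer ACS that shows the cardholder's greeting phrase and checks a password, an honest merchant whose popup comes straight from the ACS, and a crooked merchant that fetches the same challenge from its own server and relays it. The card number, phrase, password and IP addresses are constructed sample values. The point it makes is structural: the greeting is returned to whoever supplies the card number, so the relayed popup passes the cardholder's check, the merchant keeps the password, and the only trace is that the ACS logged the merchant's address rather than the cardholder's (the "historical IP address problem" mentioned above).

```python
"""Toy model of a Verified by Visa style popup flow and the crooked-merchant
relay (MitM) attack.  Added example: message shapes, ACS behaviour and IP
bookkeeping are simplifying assumptions, not the real 3-D Secure protocol."""
from dataclasses import dataclass, field


@dataclass
class Issuer:
    """Issuer's Access Control Server (ACS): per-card greeting phrase + password."""
    cards: dict                                       # PAN -> (phrase, password)
    seen_ips: list = field(default_factory=list)      # (PAN, source IP) per challenge

    def challenge(self, pan, client_ip):
        # The greeting is handed to whoever presents the PAN.  A merchant
        # already holds the PAN, which is exactly why the phrase proves nothing.
        self.seen_ips.append((pan, client_ip))
        return {"greeting": self.cards[pan][0]}

    def verify(self, pan, password):
        return password == self.cards[pan][1]


@dataclass
class Cardholder:
    pan: str
    phrase: str
    password: str
    ip: str

    def answer_popup(self, popup):
        # The cardholder's only defence: refuse if the greeting is not theirs.
        if popup.get("greeting") != self.phrase:
            return None
        return self.password


class HonestMerchant:
    """Browser talks to the ACS directly; the popup really is the bank's."""
    def __init__(self, issuer):
        self.issuer = issuer

    def checkout(self, holder):
        popup = self.issuer.challenge(holder.pan, holder.ip)  # cardholder's own IP
        pw = holder.answer_popup(popup)
        return pw is not None and self.issuer.verify(holder.pan, pw)


class CrookedMerchant:
    """Fetches the ACS challenge from its own server, relays it, keeps the password."""
    def __init__(self, issuer, ip):
        self.issuer, self.ip = issuer, ip
        self.stolen = {}                                  # PAN -> captured password

    def checkout(self, holder):
        # Merchant already has the PAN, so it can obtain the genuine greeting
        # itself.  The ACS records the merchant's IP, not the cardholder's.
        popup = self.issuer.challenge(holder.pan, self.ip)
        pw = holder.answer_popup(popup)                   # greeting matches, so trusted
        if pw is None:
            return False
        self.stolen[holder.pan] = pw
        # Complete the real transaction so nothing looks wrong to the cardholder.
        return self.issuer.verify(holder.pan, pw)


def run_demo():
    # Constructed sample data: a standard test PAN, made-up phrase/password/IPs.
    pan = "4111111111111111"
    issuer = Issuer({pan: ("purple elephant", "hunter2")})
    alice = Cardholder(pan, "purple elephant", "hunter2", "203.0.113.7")
    honest = HonestMerchant(issuer)
    crook = CrookedMerchant(issuer, "198.51.100.9")
    return {
        "honest_ok": honest.checkout(alice),
        "crook_ok": crook.checkout(alice),    # also succeeds: phrase check passed
        "stolen": dict(crook.stolen),         # password now in the merchant's hands
        "acs_ips": list(issuer.seen_ips),     # second entry is the merchant's IP
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Both checkouts succeed from the issuer's point of view; the difference is visible only in `acs_ips`, where the relayed challenge came from 198.51.100.9 instead of the cardholder's 203.0.113.7. A merchant that routes the relay through the customer's own browser (or that reuses a first, genuinely completed transaction) removes even that clue, which is what the post means by the IP problem being solvable.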