Co-op Bank and Verified by Visa

Nicholas Bohm nbohm at ernest.net
Sat Jun 20 10:53:30 BST 2009


Peter Fairbrother wrote:
> Ian Batten wrote:
>>
>> On 18 Jun 09, at 1312, Nicholas Bohm wrote:
>>
>>> In my experience the Verified by Visa and Mastercard SecureCode sites
>>> show me a memorable phrase of my own choosing (set at registration) as a
>>> form of authentication.  Weak but better than nothing; and my bank
>>> (Coutts) allows me to use a password for these sites which is not the
>>> same as anything I use elsewhere.  So these are grounds on which you
>>> might challenge the Co-op's implementation.
>>
>> Same for Lloyds TSB.  And the initial sign-up site I was first
>> redirected to was within the lloydstsb.co.uk domain and had
>> appropriate certificates that matched the URL.  You set a distinct
>> password, and you set a greeting message of your choice, which they
>> should tell you to make very personal but don't.  You can change that,
>> and you can get a list of all transactions.  Branded as clicksafe and
>> seems to have been well thought through.  It works for both Mastercard
>> and Visa off the same infrastructure.
>>
>> http://www.lloydstsb.com/clicksafe.asp
>>
>> ian
> 
> The personal recognition/memorable/greeting phrase provides almost zero
> added security, it's absolutely straightforward for a criminal to get
> hold of it. See my last post for details.
> 
> 
> It's also fairly simple for a crooked merchant to do a similar thing,
> and get the customer's VbV passphrase - there is nothing to say that the
> popup they present is from the bank rather than from their server, a
> simple MitM attack.
> 
> If the first transaction between merchant and customer is actually
> completed then there are some historical IP address problems for the
> crooked merchant, but they are solvable.

To be fair to the systems, they ask for three characters from the
password, and not the same three each time.  Attacks would have to be
repeated often enough to get enough characters before they could be
executed reliably.  (Well, apart from the wholly insecure option to
reset the password, if that's still operational in the way I met it.)

Nicholas
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285    (+44 1279 870285)
Mobile  07715 419728    (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF
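The three-characters-at-a-time scheme Nicholas describes above can be put in numbers. The following Python is an added example, not part of the thread or of any bank's system; it assumes a constructed 8-character password with 3 positions asked per prompt, models each prompt as a uniformly random choice of positions, and computes (a) how many independently captured prompts it takes, on average, before every position of the password has been exposed, and (b) how much of a password has to be exposed before a fresh prompt is likely to be answerable, which is the security margin a defender should weigh (and which the reset-the-password path he mentions would bypass entirely).

```python
import random
from math import comb

# Constructed parameters (assumption, not any real bank's values):
PASSWORD_LEN = 8      # characters in the partial password
POSITIONS_ASKED = 3   # positions requested per prompt


def challenge(n, k, rng):
    """One partial-password prompt: k distinct 1-based positions chosen from n."""
    return tuple(sorted(rng.sample(range(1, n + 1), k)))


def merge_observed(challenges):
    """Positions exposed across a set of captured prompts (their union)."""
    known = set()
    for c in challenges:
        known.update(c)
    return known


def answerable_fraction(n, k, known_count):
    """Probability that a fresh random prompt asks only for already-exposed positions."""
    return comb(known_count, k) / comb(n, k)


def expected_challenges_until_full(n, k):
    """Exact expected number of independent prompts before all n positions are exposed.
    Coupon-collector with k coupons per draw, solved by inclusion-exclusion."""
    total = comb(n, k)
    return sum((-1) ** (j + 1) * comb(n, j) / (1 - comb(n - j, k) / total)
               for j in range(1, n + 1))


def mean_challenges_until_full(n, k, trials=2000, seed=1):
    """Monte Carlo estimate of the same quantity, to cross-check the closed form."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen, count = set(), 0
        while len(seen) < n:
            seen.update(challenge(n, k, rng))
            count += 1
        total += count
    return total / trials


if __name__ == "__main__":
    n, k = PASSWORD_LEN, POSITIONS_ASKED
    print(f"exact expected prompts to expose all {n} positions: {expected_challenges_until_full(n, k):.2f}")
    print(f"simulated ({2000} trials): {mean_challenges_until_full(n, k):.2f}")
    for known in range(k, n + 1):
        print(f"{known} positions exposed -> {answerable_fraction(n, k, known):.1%} of prompts answerable")
```

For the 8/3 case the closed form gives roughly 6.6 captured prompts before the whole password is exposed, and with 5 of 8 positions exposed only about 18% of fresh prompts can be answered, which is the "repeated often enough" margin the message refers to.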


