Co-op Bank and Verified by Visa

Peter Fairbrother zenadsl6186 at zen.co.uk
Sat Jun 20 18:45:30 BST 2009


Nicholas Bohm wrote:

> To be fair to the systems, they ask for three characters from the
> password, and not the same three each time.  Attacks would have to be
> repeated often enough to get enough characters before they could be
> executed reliably.  

Yes, that makes a single operation a bit too hard to be worthwhile for a 
fraudster - but if he can do two operations then he has about a 10% 
chance of getting the required letters for a third attempt, the exact 
figure depending on the number of letters in the phrase - I don't know 
the distribution of lengths so I can't calculate it, but it's over 10% 
for 9 letters.

And a clever fraudster would jump at a 10% chance. Also, he can do 
multiple attempts at online fraud and only complete the ones with 
letters he has, raising the odds of success a lot more.

If the same phrase is used for online banking then he has to get all the 
letters before he can use it to clean out the victim's bank, including 
overdrafts - but as most phrases are memorable, he has a fairly good 
chance of guessing the rest from the approximately 5 letters he gets 
from two operations.


As for getting two operations from the same customer, repeat business 
may provide some opportunities, and there are several behavioural tricks 
which can be employed - eg "I can't complete your order, please resubmit 
if you want a partial order", "please resubmit for our discount" - or 
even the much simpler "payment refused, please try again".



However afaict most banks ask for the whole phrase. And even if only a 
few percent of the banks ask for the whole phrase the single-operation 
fraud is worthwhile.


-- Peter Fairbrother
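As an added illustration, not part of the original post or of the thread, the following Python works out exactly the figure estimated above: the chance that a third "three characters from the phrase" challenge can be answered entirely from characters exposed by two earlier challenges. It assumes each challenge picks three distinct positions uniformly at random and independently of earlier challenges; the phrase length n is a parameter.

```python
from fractions import Fraction
from math import comb


def coverage_probability(n, k=3, prior=2):
    """Exact probability that a fresh challenge asking for k of the n
    characters of a partial-password phrase can be answered entirely
    from the characters already revealed by `prior` earlier challenges.

    Model (assumption): each challenge selects k distinct positions
    uniformly at random, independently of previous challenges.
    """
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    total = comb(n, k)
    # Distribution over the number of distinct positions revealed so far.
    revealed = {0: Fraction(1)}
    for _ in range(prior):
        nxt = {}
        for s, p in revealed.items():
            # j = positions of the new challenge that were already revealed
            for j in range(k + 1):
                ways = comb(s, j) * comb(n - s, k - j)  # 0 if impossible
                if ways == 0:
                    continue
                size = s + (k - j)
                nxt[size] = nxt.get(size, Fraction(0)) + p * Fraction(ways, total)
        revealed = nxt
    # The new challenge is fully known iff all k positions fall inside
    # the revealed set: C(s, k) of the C(n, k) possible challenges.
    return sum(p * Fraction(comb(s, k), total) for s, p in revealed.items())


def expected_revealed(n, k=3, prior=2):
    """Expected number of distinct positions revealed after `prior` challenges.

    A given position is missed by one challenge with probability (n-k)/n.
    """
    return n * (1 - Fraction(n - k, n) ** prior)


if __name__ == "__main__":
    for n in range(6, 16):
        print(f"n={n:2d}: revealed~{float(expected_revealed(n)):.2f}  "
              f"P(3rd challenge fully known)={float(coverage_probability(n)):.3f}")
```

For a 9-letter phrase this gives 923/7056, about 13%, with 5 characters exposed on average, matching the post's "over 10%" and "approximately 5 letters"; a single prior challenge gives only 1/84.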