Co-op Bank and Verified by Visa

Charles Lindsey chl at clerew.man.ac.uk
Mon Jun 22 11:48:13 BST 2009


On Fri, 19 Jun 2009 13:30:45 +0100, Andrew T <cybergibbons at gmail.com>  
wrote:

> 2009/6/19 Charles Lindsey <chl at clerew.man.ac.uk>:

>> 2. If so, did you examine the certificate chain attached to it, and where
>> did that chain show the screen to have come from?
>
> By virtue of the fact that the "Merchant Deployment Best Practices"
> supplied by Visa say that it is best to put the VbV into an inline
> frame, it makes it difficult to find out the certificate chain, and
> even when you do they terminate with some third party that I've not
> heard of.

Well that is clearly bad advice. But all the examples I have seen, which
have used the equivalent Mastercard/Maestro mechanism, have popped up a
separate window, so finding the certificate is no problem. If it comes
from CYOTA, then I am prepared to trust it (just).
>
> As others have stated, VbV seems to exist to prevent merchant fraud.
> Is it impossible to conceive that a company willing to commit this
> fraud would also be willing to develop a man-in-the-middle attack
> using VbV?
>
Again, the Mastercard/Maestro scheme appears to be aimed at protecting the  
customer.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                         Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5


