Co-op Bank and Verified by Visa

Andrew T cybergibbons at gmail.com
Mon Jun 22 11:56:05 BST 2009


http://www.visaeurope.com/documents/vbv/verifiedbyvisa_merchantdeploymentbestpractices.pdf

2009/6/22 Charles Lindsey <chl at clerew.man.ac.uk>:
> On Fri, 19 Jun 2009 13:30:45 +0100, Andrew T <cybergibbons at gmail.com> wrote:
>
>> 2009/6/19 Charles Lindsey <chl at clerew.man.ac.uk>:
>
>>> 2. If so, did you examine the certificate chain attached to it, and where
>>> did that chain show the screen to have come from?
>>
>> By virtue of the fact that the "Merchant Deployment Best Practices"
>> supplied by Visa say that it is best to put the VbV into an inline
>> frame, it makes it difficult to find out the certificate chain, and
>> even when you do they terminate with some third party that I've not
>> heard of.
>
> Well that is clearly bad advice. But all the examples I have seen, which
> have used the equivalent Mastercard/Maestro mechanism, have popped up a
> separate window, so finding the certificate is no problem. If it comes from
> CYOTA, then I am prepared to trust it (just).
>>
>> As others have stated, VbV seems to exist to prevent merchant fraud.
>> Is it impossible to conceive that a company willing to commit this
>> fraud would also be willing to develop a man-in-the-middle attack
>> using VbV?
>>
> Again, the Mastercard/Maestro scheme appears to be aimed at protecting the
> customer.
>
> --
> Charles H. Lindsey ---------At Home, doing my own thing------------------------
> Tel: +44 161 436 6131
>    Web: http://www.cs.man.ac.uk/~chl
> Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
> PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
>
>



-- 
Andrew


