Co-op Bank and Verified by Visa
Peter Fairbrother
zenadsl6186 at zen.co.uk
Mon Jun 22 19:39:05 BST 2009
Charles Lindsey wrote:
> On Fri, 19 Jun 2009 13:30:45 +0100, Andrew T <cybergibbons at gmail.com>
> wrote:
>
>> 2009/6/19 Charles Lindsey <chl at clerew.man.ac.uk>:
>
>>> 2. If so, did you examine the certificate chain attached to it, and where
>>> did that chain show the screen to have come from?
>>
>> By virtue of the fact that the "Merchant Deployment Best Practices"
>> supplied by Visa say that it is best to put the VbV into an inline
>> frame, it makes it difficult to find out the certificate chain, and
>> even when you do they terminate with some third party that I've not
>> heard of.
>
> Well that is clearly bad advice. But all the examples I have seen, which
> have used the equivalent Mastercard/Maestro mechanism, have popped up a
> separate window, so finding the certificate is no problem.
In practice it's entirely up to the seller's website which technology
they use, popup, frame or iframe. Most sellers use the same technology
whether the authentication is done by SecureCode or VbV, and your
experience is probably either limited or atypical.
From the Mastercard SecureCode Merchant Implementation Manual:
"MasterCard strongly recommends against the use of newer frame
technologies such as iFrames and floating .Net frames as some
cardholders set their browsers to block such elements."
That's the only mention of an iframe in the entire manual, but there is
a big section on using frames, which they most definitely allow - in
fact they require it.
Mastercard do not *allow* popups any more! Merchants who use popups are
required to change their technology, although afaict it's not at all
well policed:
"MasterCard explicitly prohibits this type of implementation. Any
merchant still supporting the use of a pop-up authentication window must
modify its implementation."
http://www.mastercard.com/za/wce/PDF/smi-manual.pdf
> If it comes
> from CYOTA, then I am prepared to trust it (just).
>>
>> As others have stated, VbV seems to exist to prevent merchant fraud.
>> Is it impossible to conceive that a company willing to commit this
>> fraud would also be willing to develop a man-in-the-middle attack
>> using VbV?
>>
> Again, the Mastercard/Maestro scheme appears to be aimed at protecting
> the customer.
Eh? How's that then, and how is it different from any other 3D Secure
system, say VbV?
Or did you mean "appears to be" as in it looks like that, with many
mentions of increased customer security on the fluff websites, while in
fact it isn't? That's true of VbV as well.
One glaring weakness in the 3D Secure protocol (VbV and SecureCode are
implementations of the 3D protocol) is apparent from the name - 3D
stands for 3 domains: the acquirer, the issuer - and the third operating
domain, which is neither.
It's at least two elementary security 101 mistakes: rule number two,
"Keep it simple" (simple limits where the enemy can attack), and rule
number three, "Limit the people you trust" (only they can betray you) - the
third domain has to be trusted. Two domains would be much better, and
incidentally would also make it easier for the customer to verify that
the authentication is being done by their bank, as in rule two.
-- Peter Fairbrother