Co-op Bank and Verified by Visa
Charles Lindsey
chl at clerew.man.ac.uk
Tue Jun 23 12:19:28 BST 2009
On Mon, 22 Jun 2009 19:39:05 +0100, Peter Fairbrother
<zenadsl6186 at zen.co.uk> wrote:
> From the Mastercard SecureCode Merchant Implementation Manual:
>
> "MasterCard strongly recommends against the use of newer frame
> technologies such as iFrames and floating .Net frames as some
> cardholders set their browsers to block such elements."
>
> That's the only mention of an iframe in the entire manual, but there is
> a big section on using frames, which they most definitely allow - in
> fact they require it.
>
>
> Mastercard do not *allow* popups any more! Merchants who use popups are
> required to change their technology, although afaict it's not at all
> well policed:
Yes, I have just read through their whole manual, and I am distinctly
unimpressed - much less secure than it appeared to be when it first came
out.

It now seems that the critical page, which is now a subframe of the
Merchant's site, is now prepared by the Merchant using the format provided
by the Issuer. So it would seem that the Merchant gets to see the
"personal greeting" that the Issuer asks to be placed there. So no longer
any need for the devious tricks that you showed to us yesterday.

And then I have to find some means of getting hold of the Certificate that
accompanies that subframe, to see whether it is from the Issuer (or his
agent). I imagine I could dig it out with a bit of hassle.

And then I need some assurance that when I fill in my Securecode and press
"Send" it will indeed go direct to the Issuer's (Agent's) site rather than
via the Merchant (but at least I now know that it is encrypted by some key
certified to belong to the Issuer('s agent)).

And looking at all those screens depicted in Mastercard's Manual, there is
not a single padlock to be seen anywhere :-( .
>
> "MasterCard explicitly prohibits this type of implementation. Any
> merchant still supporting the use of a pop-up authentication window must
> modify its implementation."
>
>
> http://www.mastercard.com/za/wce/PDF/smi-manual.pdf
>> Again, the Mastercard/Maestro scheme appears to be aimed at protecting
>> the customer.
>
> Eh? How's that then, and how is it different from any other 3D Secure
> system, say VbV?
Actually, from reading that Manual, its purpose is to give the Merchant
some assurance that the card had been used by its genuine owner, and
Mastercard provides some guarantees against repudiation by the customer.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5