Co-op Bank and Verified by Visa

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue Jun 23 21:35:31 BST 2009


Ian Batten wrote:
> On Mon, June 22, 2009 11:48, Charles Lindsey wrote:
> 
>> Well that is clearly bad advice. But all the examples I have seen, which
>> have used the equivalent Mastercard/Maestro mechanism, have popped up a
>> separate window, so finding the certificate is no problem. If it comes
>> from CYOTA, then I am prepared to trust it (just).
> 
> I've just spent two quid on a day's 3G service, and that used Lloyd's
> Clicksafe.  

Okay. I'm a little confused here, can you give some more details, as below?

> The certificate is www.clicksafe.lloydstsb.com (or was it
> .co.uk) directly signed by Verisign and Firefox displayed a blue Lloydstsb
> tag in the top bar (not a green EV, sadly).  

Was this in a popup window?

Some retailers use iFrames or frames, it's up to them, and 3D Secure 
don't insist on any particular technology (though SecureCode don't allow 
popups, in theory).

Was it in a signup or reset password window?

Lloyds Clicksafe T&C's say they use RSA Security Ireland Ltd., or a 
subsidiary, to do the verification for them, so afaict (unless RSASI are 
operating using the lloyds.com name, which would be - ugly) in a normal 
transaction a Lloyds certificate wouldn't be used, and in many cases, eg 
if the retailer uses an iFrame, the certificate wouldn't be visible.

BTW1, The logo is not in any way a secure object, anyone can put any 
logo they like in a top bar, if the bar supports logos.

BTW2, /censored/ (re: faking URLs and certificates)

> So it would be good if the
> bank told you to look for that, but once you know that it's the LTSB
> certificate that you're expecting then you're on fairly solid ground.

Lloyds Clicksafe T&C's are hosted at securesuite.co.uk, so in a normal 
or iFrame transaction the certificate may be a securesuite.co.uk 
certificate.

Besides which, the banks don't insist the merchant uses popups direct to 
themselves, which would be much harder to fake - and you are not the 
average punter, who has a hard time checking whether there is a padlock 
displayed.

-- Peter Fairbrother
