Co-op Bank and Verified by Visa
Peter Fairbrother
zenadsl6186 at zen.co.uk
Tue Jun 23 22:02:19 BST 2009

Charles Lindsey wrote:
> Yes, I have just read through their whole manual, and I am distinctly
> unimpressed - much less secure than it appeared to be when it first came
> out.
>
> It now seems that the critical page, which is now a subframe of the
> Merchant's site, is now prepared by the Merchant using the format
> provided by the Issuer.

The contents of the frame are, I think, provided directly to the user by
the authentication site without the merchant seeing them, though the
merchant sees the CC number and looks up the relevant authentication
site from a directory site - so devious tricks may be needed.

The directory site (Mastercard and Visa operate one each) gets a whole
lot of personal information though, every time you use your card online
they know about it, and who you traded with...

...which raises the interesting question of whether and in what
circumstances a CC number is personally identifying information, the
directory site may well not know your name etc., just the CC number, but
I haven't looked into that.

For real privacy, the directory site only really needs to know the
first part of the CC number which identifies the issuer, but I think
they get it all.

As do the authentication sites. Which may be why Lloyds use RSA Ireland
for authentication, to keep it in the EU.

-- Peter Fairbrother
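
The data-minimisation point in the message above (the directory only needs the part of the card number that identifies the issuer), sketched as an added example that is not part of the original post or of any card scheme's code. The 6-digit prefix length, the issuer table, the card numbers and the URLs are constructed assumptions, and only the directory lookup is modelled, not the authentication site.

```python
# Added illustration: every range, card number and URL here is constructed.
from dataclasses import dataclass, field

IIN_LEN = 6  # assumed length of the issuer-identifying prefix

# Constructed directory table: issuer prefix -> authentication site (hypothetical)
ISSUER_ACS = {
    "400000": "https://acs.bank-a.example/auth",
    "510000": "https://acs.bank-c.example/auth",
}

@dataclass
class Directory:
    """Directory site that records every lookup key it is sent."""
    seen: list = field(default_factory=list)

    def lookup(self, key: str):
        if not key.isdigit() or len(key) < IIN_LEN:
            raise ValueError("lookup key must contain the issuer prefix")
        self.seen.append(key)                 # what the directory operator learns
        return ISSUER_ACS.get(key[:IIN_LEN])  # routing only ever uses the prefix

def merchant_lookup(directory, card_number, minimise):
    """With minimise=True only the issuer prefix leaves the merchant."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    key = digits[:IIN_LEN] if minimise else digits
    return directory.lookup(key)

def distinct_cards_visible(directory):
    """Count logged keys that are long enough to single out one card."""
    return len({k for k in directory.seen if len(k) > IIN_LEN})

def compare(cards):
    """Run the same purchases against a full-number and a prefix-only lookup."""
    full, minimal = Directory(), Directory()
    urls_full = [merchant_lookup(full, c, minimise=False) for c in cards]
    urls_min = [merchant_lookup(minimal, c, minimise=True) for c in cards]
    return urls_full, urls_min, full, minimal

# Constructed card numbers (not real accounts)
SAMPLE_CARDS = ["4000 0012 3456 7899", "4000 0098 7654 3210", "5100 0011 1122 2233"]

if __name__ == "__main__":
    urls_full, urls_min, full, minimal = compare(SAMPLE_CARDS)
    print("same routing result:", urls_full == urls_min)
    print("cards identifiable, full-number lookup:", distinct_cards_visible(full))
    print("cards identifiable, prefix-only lookup:", distinct_cards_visible(minimal))
    print("prefix-only directory log:", minimal.seen)
```

Both lookups route to the same authentication site, but the prefix-only directory log contains nothing that distinguishes the two cards from the same issuer.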

More information about the ukcrypto mailing list