Co-op Bank and Verified by Visa

Charles Lindsey chl at clerew.man.ac.uk
Wed Jun 24 12:53:44 BST 2009


On Tue, 23 Jun 2009 22:02:19 +0100, Peter Fairbrother  
<zenadsl6186 at zen.co.uk> wrote:

> Charles Lindsey wrote:

>>  It now seems that the critical page, which is now a subframe of the  
>> Merchant's site, is now prepared by the Merchant using the format  
>> provided by the Issuer.
>
> The contents of the frame are, I think, provided directly to the user by  
> the authentication site without the merchant seeing them, though the  
> merchant sees the CC number and looks up the relevant authentication  
> site from a directory site - so devious tricks may be needed.

No, I don't think that is the case. One of the screenshots in the Manual  
shows such a suggested window which contains a Merchant's header, and then  
a frame which includes wording which the merchant is instructed to  
configure of the form "the following is sent to you by your bank yada  
yada click HERE to get back to us if it does not work". And below that is  
the Bank's solicitation to reveal your SecureKey, with no obvious dividing  
line, nor any suggestion that a sub-sub-frame is involved.

I agree that if such a sub-sub-frame WERE involved, and it had been  
provided by the Bank for the merchant to forward to the customer, then it  
could perhaps have been encrypted by the Bank so that the Merchant could  
not decrypt the client's "personal message" contained therein.

But I am not sure that is technically possible, especially if a DH key is  
to be negotiated, because that requires direct handshakes between the Bank  
and the Client which the Merchant-in-the-Middle cannot interfere with.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                          Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5


