Verfied by Visa finally gets outed

Paul Barnfather lists at
Tue Oct 19 18:30:30 BST 2010

> Just like they've been saying since its launch.  Why they went for an
> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
> certificate info from all but the most curious of visitors is still beyond
> me.

I notice they're now claiming that the "personal assurance message" is
the approved way to ensure that VbV dialog box is genuine.

Surely it's fairly trivial for a site to send a (hidden, bogus)
request to VbV and scrape the personal assurance message that comes
back, then display the message in a phishing dialog to get the victims

Or is the VbV system secure against this attack? I still feel
uncomfortable with it.

More information about the ukcrypto mailing list