Verified by Visa finally gets outed
Dave Howe
DaveHowe at gmx.co.uk
Tue Oct 19 19:03:48 BST 2010
On 19/10/2010 18:30, Paul Barnfather wrote:
>> Just like they've been saying since its launch. Why they went for an
>> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
>> certificate info from all but the most curious of visitors is still beyond
>> me.
>
> I notice they're now claiming that the "personal assurance message" is
> the approved way to ensure that VbV dialog box is genuine.
>
> Surely it's fairly trivial for a site to send a (hidden, bogus)
> request to VbV and scrape the personal assurance message that comes
> back, then display the message in a phishing dialog to get the victim's
> password?
>
> Or is the VbV system secure against this attack? I still feel
> uncomfortable with it.
I would think that, given the source site is iFramed, it would be
trivial for a site to just MitM the whole thing, record what you
submitted, and write it into a convenient database for later use.
More information about the ukcrypto mailing list