Verfied by Visa finally gets outed

Dave Howe DaveHowe at
Tue Oct 19 19:03:48 BST 2010

On 19/10/2010 18:30, Paul Barnfather wrote:
>> Just like they've been saying since its launch.  Why they went for an
>> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
>> certificate info from all but the most curious of visitors is still beyond
>> me.
> I notice they're now claiming that the "personal assurance message" is
> the approved way to ensure that VbV dialog box is genuine.
> Surely it's fairly trivial for a site to send a (hidden, bogus)
> request to VbV and scrape the personal assurance message that comes
> back, then display the message in a phishing dialog to get the victims
> password?
> Or is the VbV system secure against this attack? I still feel
> uncomfortable with it.

I would think that, given the source site is iFramed, it would be
trivial for a site to just MitM the whole thing, record what you
submitted, and write it into a convenient database for later use.

More information about the ukcrypto mailing list