Verified by Visa finally gets outed
Peter Fairbrother
zenadsl6186 at zen.co.uk
Wed Oct 20 23:28:50 BST 2010
Paul Barnfather wrote:
>> Just like they've been saying since its launch. Why they went for an
>> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
>> certificate info from all but the most curious of visitors is still beyond
>> me.
>
> I notice they're now claiming that the "personal assurance message" is
> the approved way to ensure that VbV dialog box is genuine.
>
> Surely it's fairly trivial for a site to send a (hidden, bogus)
> request to VbV and scrape the personal assurance message that comes
> back, then display the message in a phishing dialog to get the victims
> password?
>
> Or is the VbV system secure against this attack? I still feel
> uncomfortable with it.
No, it isn't secure against it.
I'd link to the archives if I knew how, but here is a post Re: Co-op
Bank and Verified by Visa from 19:47 19/06/09
-- Peter Fairbrother
Andrew T wrote:
> 2009/6/19 Charles Lindsey <chl at clerew.man.ac.uk>:
>> 1. Did the screen you were shown have the secure "padlock" set? If
>> not, then for sure it was bogus, but...
>>
>> 2. If so, did you examine the certificate chain attached to it, and
>> where did that chain show the screen to have come from?
>
> By virtue of the fact that the "Merchant Deployment Best Practices"
> supplied by Visa say that it is best to put the VbV into an inline
> frame, it makes it difficult to find out the certificate chain, and
> even when you do they terminate with some third party that I've not
> heard of.
>
> As others have stated, VbV seems to exist to prevent merchant fraud.
> Is it impossible to conceive that a company willing to commit this
> fraud would also be willing to develop a man-in-the-middle attack
> using VbV?
>
It isn't just such a company, any crook can do it.
Verified by Visa/Mastercard SecureCode
Want to steal a few billion? Consider this:
I'm supposedly selling something online. I set up a website and get a
hosting company to provide a webserver. If I am careful, it's impossible
to trace who I am.
I don't have Verified by Visa/Mastercard SecureCode etc (VbV), or any
other credit card arrangements, I'm not actually a registered merchant,
I don't need to do anything. Obviously, I can't be traced that way.
I buy a website certificate so a padlock appears on-screen when needed.
That's straightforward to do, I just call myself xyz.com and get a
certificate which says I am xyz.com. Again, there is no trace to me.
The certificate is not linked to my bank (I don't actually have a bank),
nor is it linked to the victim-to-be's bank in any way, and it does not
need to be. Linking wouldn't do any good anyway.
Most of the rest of this fraud is done by the webserver. I don't have to
do anything by hand, or be online, or be anywhere I could get caught.
Holiday in the Bahamas, maybe?
The victim-to-be, the "mark", enters his order on my website, and then
enters his details, including his credit card number.
The webserver then gets the mark's personal recognition phrase, if it's
used, by entering the mark's details in another, genuine, merchant site
which uses VbV.
The webserver has already ordered something from the genuine site, and
is at the payments page. It has the mark's details including his credit
card number, so it's straightforward to get his recognition phrase: it
simply enters the mark's details into the genuine website, and the
genuine site will supply the recognition phrase.
The webserver then closes the connection to the genuine site. The
genuine site thinks it's an aborted transaction, of which there are very
many, and does nothing.
Next, the webserver puts up a frame in the mark's browser purporting to
be a VbV frame, with a website certificate and therefore a padlock, and
also containing the mark's personal recognition phrase. It's
pixel-by-pixel identical to a genuine VbV frame.
*The mark sees the padlock and his personal recognition phrase, and
enters his VbV passphrase. This is what his bank has told him to do.*
I now have the mark's VbV passphrase, and can use it to commit online
fraud etc.
If the same passphrase is used for telephone banking, and at least one
bank insists on this, I can also work out who the mark's bank is from
the first part of the credit card number. I then phone their bank and
steal all their money.
Once the mark has deleted or overwritten his browser cache and browsing
history etc there is no backtrace to the scam, or to my website, apart
from the mark's memory; so he'll have a hard time proving anything to
his bank, or to a Court.
Verified by Visa/Mastercard SecureCode should be scrapped. Today.
By the way, there are several strategies which can extend the life of
the site and the fraud. For instance I can tell the mark that I'm out of
stock and his money has not been debited. I can actually send the goods,
if they are cheap - most marks won't notice a small debit is missing, or
complain that a debit on their statement isn't there! If I wait a while
before collecting he will probably have forgotten all about it by then.
There are several more.
BTW2, there is a deliberate omission (or two) here which might make it
possible to detect the fraud and maybe catch the crook. Most security
people and the more intelligent crooks will be able to work out what it
is though, and get around it; the omission is mostly to deter script
kiddies.
-- Peter Fairbrother
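The relay Peter describes, as an added example that is not part of the original post and is not code from Visa, from any bank or from the ukcrypto thread. It is a toy model in Python: the issuer directory, the card number, the "personal assurance message" (PAM) and the VbV password are all constructed sample data, and the class and function names (GenuineMerchant, RogueMerchant, run_scenario, ...) are assumptions made here for illustration. What it shows is the point of the attack: the PAM is disclosed to anyone who can present the card number to a genuine merchant, so a forged frame can carry the real PAM and the "check your message" advice passes.

```python
"""Toy model of the VbV relay attack described in the post above.

Added example, not code from the ukcrypto thread, from Visa or from any
bank: the issuer directory, card numbers, personal assurance messages
(PAMs) and passwords are all constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed issuer directory keyed by BIN (first six digits of the PAN).
# The issuer holds each cardholder's PAM and VbV password.
ISSUERS: Dict[str, dict] = {
    "411111": {
        "bank": "Example Bank plc",
        "cards": {"4111111111111111": {"pam": "blue teapot", "password": "hunter2"}},
    },
}


def issuer_for(pan: str) -> Optional[dict]:
    """Work out the issuing bank from the start of the card number."""
    return ISSUERS.get(pan[:6])


@dataclass
class GenuineMerchant:
    """A real VbV merchant. Its payment page hands the PAN to the issuer,
    and the issuer's frame shows the PAM *before* asking for the password."""
    sessions: Dict[str, str] = field(default_factory=dict)

    def start_checkout(self, session: str, pan: str) -> Optional[str]:
        issuer = issuer_for(pan)
        if issuer is None or pan not in issuer["cards"]:
            return None
        self.sessions[session] = pan
        return issuer["cards"][pan]["pam"]   # PAM revealed to anyone holding the PAN

    def abort(self, session: str) -> None:
        """An abandoned basket; indistinguishable from the many genuine ones."""
        self.sessions.pop(session, None)

    def complete(self, session: str, password: str) -> bool:
        """Password step: succeeds only with the cardholder's real VbV password."""
        pan = self.sessions.get(session)
        if pan is None:
            return False
        return issuer_for(pan)["cards"][pan]["password"] == password


class RogueMerchant:
    """The crook's site: no acquiring bank, no VbV enrolment, just a webserver
    that relays the victim's PAN to a genuine merchant to fetch the PAM."""

    def __init__(self, genuine: GenuineMerchant) -> None:
        self.genuine = genuine
        self.harvested: Dict[str, str] = {}

    def checkout(self, pan: str) -> str:
        """Victim has entered order and card details; return the forged frame."""
        session = "relay-" + pan[-4:]
        pam = self.genuine.start_checkout(session, pan)
        self.genuine.abort(session)            # looks like an aborted transaction
        # The forged frame carries the scraped PAM, so the victim's check passes.
        return (f'<div class="vbv-frame">Personal Assurance Message: {pam}'
                f'<input name="vbv_password"></div>')

    def receive_password(self, pan: str, password: str) -> None:
        self.harvested[pan] = password


def victim_accepts_frame(frame_html: str, expected_pam: str) -> bool:
    """What the cardholder has been told to do: trust the frame if it shows the PAM."""
    return expected_pam in frame_html


def run_scenario(pan: str = "4111111111111111", password: str = "hunter2") -> dict:
    """Walk through the exchange from the post and report what the crook ends up with."""
    genuine = GenuineMerchant()
    crook = RogueMerchant(genuine)
    real_pam = issuer_for(pan)["cards"][pan]["pam"]

    frame = crook.checkout(pan)
    accepted = victim_accepts_frame(frame, real_pam)
    if accepted:
        crook.receive_password(pan, password)   # the mark types the real password

    # Later the crook replays the harvested password at a genuine merchant.
    genuine.start_checkout("crook-1", pan)
    fraud_ok = genuine.complete("crook-1", crook.harvested.get(pan, ""))

    return {
        "pam_shown": real_pam in frame,
        "victim_accepted": accepted,
        "harvested_password": crook.harvested.get(pan),
        "bank": issuer_for(pan)["bank"],            # from the BIN, as in the post
        "fraud_succeeds": fraud_ok,
        "relay_sessions_left": sum(1 for s in genuine.sessions if s.startswith("relay-")),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Nothing in the model lets the genuine merchant or the issuer distinguish the relay from an ordinary abandoned checkout, which is the "aborted transaction" point in the post; the only secret the victim holds is the password, and the forged frame is where it is typed.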