Verfied by Visa finally gets outed
zenadsl6186 at zen.co.uk
Wed Oct 20 23:28:50 BST 2010
Paul Barnfather wrote:
>> Just like they've been saying since its launch. Why they went for an
>> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
>> certificate info from all but the most curious of visitors is still beyond
> I notice they're now claiming that the "personal assurance message" is
> the approved way to ensure that VbV dialog box is genuine.
> Surely it's fairly trivial for a site to send a (hidden, bogus)
> request to VbV and scrape the personal assurance message that comes
> back, then display the message in a phishing dialog to get the victims
> Or is the VbV system secure against this attack? I still feel
> uncomfortable with it.
No, it isn't secure against it.
I'd link to the archives if I knew how, but here is a post Re: Co-op
Bank and Verified by Visa from 19:47 19/06/09
-- Peter Fairbrother
Andrew T wrote:
> 2009/6/19 Charles Lindsey <chl at clerew.man.ac.uk>:
>> 1. Did the screen you were shown have the secure "padlock" set? If
>> for sure ut w as bogus, but...
>> 2. If so, did you examine the certificate chain attached to it, and
>> did that chain show the screen to have come from?
> By virtue of the fact that the "Merchant Deployment Best Practices"
> supplied by Visa say that it is best to put the VbV into a inline
> frame, it makes it difficult to find out the certificate chain, and
> even when you do they terminate with some third party that I've not
> heard of.
> As others have stated, VbV seems to exist to prevent merchant fraud.
> Is it impossible to conceive that a company willing to commit this
> fraud would also be willing to develop a man-in-the-middle attack
> using VbV?
It isn't just such a company, any crook can do it.
Verified by Visa/Mastercard SecureCode
Want to steal a few billion? Consider this:
I'm supposedly selling something online. I set up a website and get a
hosting company to provide a webserver. If I am careful, it's impossible
to trace who I am.
I don't have Verified by Visa/Mastercard SecureCode etc (VbV), or any
other credit card arrangements, I'm not actually a registered merchant,
I don't need to do anything. Obviously, I can't be traced that way.
I buy a website certificate so a padlock appears on-screen when needed.
That's straightforward to do, I just call myself xyz.com and get a
certificate which says I am xyz.com. Again, there is no trace to me.
The certificate is not linked to my bank (I don't actually have a bank),
nor is it linked to the victim-to-be's bank in any way, and it does not
need to be. Linking wouldn't do any good anyway.
Most of the rest of this fraud is done by the webserver. I don't have to
do anything by hand, or be online, or be anywhere I could get caught.
Holiday in the Bahamas, maybe?
The victim-to-be, the "mark", enters his order on my website, and then
enters his details, including his credit card number.
The webserver then gets the mark's personal recognition phrase, if it's
used, by entering the mark's details in another, genuine, merchant site
which uses VbV.
The webserver has already ordered something from the genuine site, and
is at the payments page. It has the mark's details including his credit
card number, so it's straightforward to get his recognition phrase, it
simply enters the mark's details into the genuine website, and the
genuine site will supply the recognition phrase.
The webserver then closes the connection to the genuine site. The
genuine site thinks it's an aborted transaction, of which there are very
many, and does nothing.
Next, the webserver puts up a frame in the mark's browser purporting to
be a VbV frame, with a website certificate and therefore a padlock, and
also containing the mark's personal recognition phrase. It's
pixel-by-pixel identical to a genuine VbV frame.
*The mark sees the padlock and his personal recognition phrase, and
enters his VbV passphrase. This is what his bank has told him to do.*
I now have the mark's VbV passphrase, and can use it to commit online
If the same passphrase is used for telephone banking, and at least one
bank insists on this, I can also work out who the mark's bank is from
the first part of the credit card number. I then phone their bank and
steal all their money.
Once the mark has deleted or overwritten his browser cache and browsing
history etc there is no backtrace to the scam, or to my website, apart
from the mark's memory; so he'll have a hard time proving anything to
his bank, or to a Court.
Verified by Visa/Mastercard SecureCode should be scrapped. Today.
By the way, there are several strategies which can extend the life of
the site and the fraud. For instance I can tell the mark that I'm out of
stock and his money has not been debited. I can actually send the goods,
if they are cheap - most marks won't notice a small debit is missing, or
complain that a debit on their statement isn't there! If I wait a while
before collecting he will probably have forgotten all about it by then.
There are several more.
BTW2, there is a deliberate omission (or two) here which might make it
possible to detect the fraud and maybe catch the crook. Most security
people and the more intelligent crooks will be able to work out what it
is though, and get around it; the omission is mostly to deter script
-- Peter Fairbrother
More information about the ukcrypto