3D Secure / Verified By Visa

Charles Lindsey chl at clerew.man.ac.uk
Wed Apr 17 19:06:20 BST 2013


On Wed, 17 Apr 2013 11:18:15 +0100, Ian Batten <igb at batten.eu.org> wrote:

> Does anyone know more about how it currently works than Wikipedia and  
> Murdoch and Anderson 2010 [1] and high-level descriptions for  
> application writers [2]?
>
> Originally, it took you to an iFrame which prompted you for a password  
> you had previously agreed with the issuer.  Later, for me at least  
> (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard  
> equivalent logo, said it was authenticating, and then immediately  
> succeeded.  I assumed, without checking, that it had dropped a random  
> cookie which the issuer regarded as sufficient proof the card hadn't  
> been stolen.   Not ideal, but better than nothing, and avoids having to  
> type the password.

I am usually taken to the Natwest/RBS VBY page, and there I am always  
expected to divulge my password (or part of it, Natwest et al don't ask  
for a full password, presumably to avoid replay attacks).

However, the VBY page always appears like part of the Merchant's page, so  
how easy would it be for the Merchant to put up a fake VBV page, and then  
use it in a man-in-the-middle attack?

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                         Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
