3D Secure / Verified By Visa
chl at clerew.man.ac.uk
Wed Apr 17 19:06:20 BST 2013
On Wed, 17 Apr 2013 11:18:15 +0100, Ian Batten <igb at batten.eu.org> wrote:
> Does anyone know more about how it currently works than Wikipedia and
> Murdoch and Anderson 2010 and high-level descriptions for
> application writers?
> Originally, it took you to an iFrame which prompted you for a password
> you had previously agreed with the issuer. Later, for me at least
> (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard
> equivalent logo, said it was authenticating, and then immediately
> succeeded. I assumed, without checking, that it had dropped a random
> cookie which the issuer regarded as sufficient proof the card hadn't
> been stolen. Not ideal, but better than nothing, and avoids having to
> type the password.
I am usually taken to the Natwest/RBS VBV page, and there I am always
expected to divulge my password (or part of it, Natwest et al don't ask
for a full password, presumably to avoid replay attacks).
However, the VBV page always appears like part of the Merchant's page, so
how easy would it be for the Merchant to put up a fake VBV page, and then
use it in a man-in-the-middle attack?
Charles H. Lindsey ---------At Home, doing my own
Tel: +44 161 436 6131 Web:
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU,
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4