3D Secure / Verified By Visa

Peter Fairbrother zenadsl6186 at zen.co.uk
Thu Apr 18 00:48:10 BST 2013


On 17/04/13 19:06, Charles Lindsey wrote:
> On Wed, 17 Apr 2013 11:18:15 +0100, Ian Batten <igb at batten.eu.org> wrote:
>
>> Does anyone know more about how it currently works than Wikipedia and
>> Murdoch and Anderson 2010 [1] and high-level descriptions for
>> application writers [2]?
>>
>> Originally, it took you to an iFrame which prompted you for a password
>> you had previously agreed with the issuer. Later, for me at least
>> (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard
>> equivalent logo, said it was authenticating, and then immediately
>> succeeded. I assumed, without checking, that it had dropped a random
>> cookie which the issuer regarded as sufficient proof the card hadn't
>> been stolen. Not ideal, but better than nothing, and avoids having to
>> type the password.
>
> I am usually taken to the Natwest/RBS VBV page, and there I am always
> expected to divulge my password (or part of it, Natwest et al don't ask
> for a full password, presumably to avoid replay attacks).
>
> However, the VBV page always appears like part of the Merchant's page,
> so how easy would it be for the Merchant to put up a fake VBV page, and
> then use it in a man-in-the-middle attack?
>

Extremely easy. I hear VBV have something on the page by which you can
tell it's from them, but an attacker can get that very easily and put it
on the fake page he sends you.

One thing is, can an attacker use it to defraud you/the banks, and
actually get away with some ill-gotten cash? Difficult, but probably not
impossible. I haven't heard of it happening.

I just click the "no thanks" button. Never registered, registering 
doesn't do anything for me.


-- Peter Fairbrother





