Verified by Visa finally gets outed
Paul Barnfather
lists at barnfather.net
Tue Oct 19 18:30:30 BST 2010
> Just like they've been saying since its launch. Why they went for an
> embedded (IFRAMEd) approach when world+dog could see this masked the SSL
> certificate info from all but the most curious of visitors is still beyond
> me.
I notice they're now claiming that the "personal assurance message" is
the approved way to ensure that the VbV dialog box is genuine.
Surely it's fairly trivial for a site to send a (hidden, bogus)
request to VbV and scrape the personal assurance message that comes
back, then display the message in a phishing dialog to get the victim's
password?
Or is the VbV system secure against this attack? I still feel
uncomfortable with it.