On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:

David Woolley wrote:
I've deferred registering with VbV and I haven't used Mastercard online,
for a long time, but, does the system authenticate itself to you, and
does that authentication depend on a shared secret, but not pass it over
the wire? If not, it is vulnerable to a man in the middle attack, and
you need to check the SSL certificate and ignore the way it authenticates
itself to you.

"Reece Bythell" wrote
Speaking for Securecode only (I don't have a VbV card), the system can be
user-configured to offer you a greeting which only the card owner should
know. The greeting is completely separate from the authentication
credentials.

That's a shared "secret" that *is* passed over-the-wire. So,
as the man said, it is vulnerable to a man-in-the-middle attack.


The personal greeting, as well as the box for entering your SecureCode
password, appears in an entirely separate secure pop-up window that
comes directly from your bank. The merchant (assuming that's what you
meant by man-in-the middle) doesn't see any of the information
contained in that browser window.

Chris