On Thu, 28 Aug 2008 04:48:53 +0800, Chris Blunt wrote:
On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
David Woolley wrote:
I've deferred registering with VbV and I haven't used Mastercard online,
for a long time, but, does the system authenticate itself to you, and
does that authentication depend on a shared secret, but not pass it over
the wire? If not, it is vulnerable to a man in the middle attack, and
you need to check the SSL certificate and ignore the way it authenticates
itself to you.
"Reece Bythell" wrote
Speaking for SecureCode only (I don't have a VbV card), the system can be
user-configured to offer you a greeting which only the card owner should
know. The greeting is completely separate from the authentication
credentials.
That's a shared "secret" that *is* passed over the wire. So,
as the man said, it is vulnerable to a man-in-the-middle attack.
The personal greeting, as well as the box for entering your SecureCode
password, appears in an entirely separate secure pop-up window that
comes directly from your bank. The merchant (assuming that's what you
meant by man-in-the-middle) doesn't see any of the information
contained in that browser window.
Not when I use it. The popup is in a domain called securesite.co.uk (or
possibly securesuite.co.uk, I can't remember for certain) with a
certificate issued to cyota (or something like that).
It would be trivial for a merchant to display a popup that looked
identical (except possibly this personal greeting - but I've never
been asked/told what to expect and so I suspect nor have many other
people), grab three characters of the code and then say "failed" and
send the person to the real site for the second attempt.
I suspect (although I don't know) that if you actually allow the popup
window then you can't even tell what domain you're connecting to - I
block popup windows so it opens in a new tab so I get to see the domain.
Tim.
--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.
http://www.woodall.me.uk/ http://www.locofungus.btinternet.co.uk/
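The distinction David raises above (a secret the bank merely displays versus a secret it proves knowledge of without sending), as an added toy example that is not part of this thread; the greeting value, the HMAC scheme and the observer model are constructed for illustration, not anything the real SecureCode system does:

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a user's "personal greeting" (not a real value).
GREETING = b"my cat is called Maxwell"


def static_greeting(secret: bytes, _challenge: bytes) -> bytes:
    """Bank 'authenticates' itself by showing the secret, as the greeting does."""
    return secret


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Hypothetical alternative: prove knowledge of the secret by keying an
    HMAC over a fresh challenge, so the secret itself never crosses the wire."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def replay_after_one_observation(scheme) -> bool:
    """Model a passive observer who saw one exchange and later tries to
    answer a fresh challenge with what it recorded.
    Returns True if the recorded answer would still be accepted."""
    seen_challenge = secrets.token_bytes(16)
    seen_answer = scheme(GREETING, seen_challenge)
    fresh_challenge = secrets.token_bytes(16)
    expected = scheme(GREETING, fresh_challenge)
    return hmac.compare_digest(seen_answer, expected)


# Note: an active relay that forwards the fresh challenge to the real bank
# is not stopped by challenge-response alone; that is why Tim's advice to
# check the certificate and domain of the window still applies.
```
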