On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes
wrote:

In uk.finance, Chris Blunt wrote:
On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:

"Reece Bythell" wrote
Speaking for Securecode only (I don't have a VbV card), the system can be
user-configured to offer you a greeting which only the card owner should
know. The greeting is completely separate from the authentication
credentials.

That's a shared "secret" that *is* passed over-the-wire. So,
as the man said, it is vulnerable to a man-in-the-middle attack.


The personal greeting, as well as the box for entering your SecureCode
password, appears in an entirely separate secure pop-up window that
comes directly from your bank. The merchant (assuming that's what you
meant by man-in-the middle) doesn't see any of the information
contained in that browser window.

AAMOI, when you see it, how do you know it came directly from your bank?

Because the window displays the personal greeting which I agreed with
my credit card company when I registered for SecureCode. That phrase
is known only to me and them.

It seems a lot of people are reporting that they don't see any
personal greeting, and in any case have never been asked to set one up
with their bank. I'm guessing a bit here, but I think those may be
people who registered for SecureCode while performing a transaction
with a merchant, rather than directly at their bank's online banking
system. For those cases, I've no idea how they could be sure where the
pop-up window originates from.

Chris