Mastercard Securecode
On Aug 28, 12:25 am, Chris Blunt wrote:
> On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes wrote:
>> In uk.finance, Chris Blunt wrote:
>>> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>>>> "Reece Bythell" wrote:
>>>>> Speaking for SecureCode only (I don't have a VbV card), the system can be
>>>>> user-configured to offer you a greeting which only the card owner should
>>>>> know. The greeting is completely separate from the authentication
>>>>> credentials.
>>>> That's a shared "secret" that *is* passed over-the-wire. So,
>>>> as the man said, it is vulnerable to a man-in-the-middle attack.
>>> The personal greeting, as well as the box for entering your SecureCode
>>> password, appears in an entirely separate secure pop-up window that
>>> comes directly from your bank. The merchant (assuming that's what you
>>> meant by man-in-the-middle) doesn't see any of the information
>>> contained in that browser window.
>> AAMOI, when you see it, how do you know it came directly from your bank?
> Because the window displays the personal greeting which I agreed with
> my credit card company when I registered for SecureCode. That phrase
> is known only to me and them.
>
> It seems a lot of people are reporting that they don't see any
> personal greeting, and in any case have never been asked to set one up
> with their bank. I'm guessing a bit here, but I think those may be
> people who registered for SecureCode while performing a transaction
> with a merchant, rather than directly at their bank's online banking
> system. For those cases, I've no idea how they could be sure where the
> pop-up window originates from.

Probably because we were forced into it against our will and better
judgement. IIRC, for the first couple of times it appeared there was a
"no thanks" button, but after that it was compulsory (true for every
single card I own). I have NEVER had any official information EVER
about VbV. And as the ONLY extra piece of information needed to change
the password over what I tell the merchant already is my DOB, it
seems like a complete waste of time.

The only good thing I can see about it is that if anyone is ever taken
in by an obvious phishing scam and the bank tries to claim that the
customer was negligent then VbV can be used to show that real
authentic banking sites also look like obvious phishing scams.
Tim.
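The disagreement above (Tim: the greeting is a shared secret sent over the wire and so open to a man-in-the-middle; Chris: the merchant never sees the bank's pop-up, and the greeting proves the window came from the bank) can be put in code. The following is an added illustration, not code from the thread or from any card scheme: a toy issuer authentication server that returns the personal greeting to whoever presents the card number, an honest cardholder who only types the password when the agreed greeting appears, and a fake shop that relays the card number to the real issuer and echoes the greeting back. All names, the record store and the message formats are constructed for the example.

```python
"""Added example: a personal greeting looked up from the card number does not
prove that the window showing it came from the bank, because any party that
already holds the card number (a merchant, or a phishing site posing as one)
can fetch the same greeting and display it. All data here is constructed."""

from dataclasses import dataclass, field
from typing import Optional, Dict, List, Tuple

# Constructed sample issuer records, keyed by card number (PAN).
ISSUER_RECORDS = {
    "5555444433332222": {"greeting": "purple elephant", "password": "hunter2"},
}


@dataclass
class AccessControlServer:
    """Toy model of the issuer's authentication pop-up back end."""
    records: Dict[str, dict]

    def start_auth(self, pan: str) -> dict:
        # Anyone presenting a known PAN gets the challenge page, and the page
        # carries the greeting: the greeting is a secret shared with the
        # cardholder, but it is sent to whoever asks with the right PAN.
        rec = self.records.get(pan)
        if rec is None:
            return {"status": "unknown_card"}
        return {"status": "challenge", "greeting": rec["greeting"]}

    def finish_auth(self, pan: str, password: str) -> bool:
        rec = self.records.get(pan)
        return rec is not None and rec["password"] == password


@dataclass
class Cardholder:
    pan: str
    expected_greeting: str
    password: str

    def answer_challenge(self, challenge: dict) -> Optional[str]:
        # The rule from the thread: only type the password when the greeting
        # agreed with the bank is shown. Otherwise refuse.
        if challenge.get("greeting") == self.expected_greeting:
            return self.password
        return None


@dataclass
class RelayingPhisher:
    """Fake shop that forwards the victim's card number to the real issuer,
    shows the greeting it gets back, and records the password typed."""
    acs: AccessControlServer
    captured: List[Tuple[str, str]] = field(default_factory=list)

    def serve_fake_popup(self, pan: str) -> dict:
        # The relay step: the attacker asks the real issuer for the challenge.
        return self.acs.start_auth(pan)

    def collect(self, pan: str, password: Optional[str]) -> bool:
        if password is None:
            return False
        self.captured.append((pan, password))
        # Complete the real authentication too, so the victim sees nothing odd.
        return self.acs.finish_auth(pan, password)


def honest_purchase(acs: AccessControlServer, holder: Cardholder) -> bool:
    """Legitimate flow: the issuer's own pop-up shows the greeting."""
    challenge = acs.start_auth(holder.pan)
    pw = holder.answer_challenge(challenge)
    return pw is not None and acs.finish_auth(holder.pan, pw)


def phished_purchase(acs: AccessControlServer, holder: Cardholder) -> Tuple[bool, List[Tuple[str, str]]]:
    """Relay flow: the victim has already typed the card number into the fake
    shop, which uses it to fetch and display the genuine greeting."""
    phisher = RelayingPhisher(acs)
    popup = phisher.serve_fake_popup(holder.pan)
    pw = holder.answer_challenge(popup)
    completed = phisher.collect(holder.pan, pw)
    return completed, phisher.captured


if __name__ == "__main__":
    acs = AccessControlServer(ISSUER_RECORDS)
    holder = Cardholder("5555444433332222", "purple elephant", "hunter2")
    print("honest purchase authenticated:", honest_purchase(acs, holder))
    ok, stolen = phished_purchase(acs, holder)
    print("phished purchase authenticated:", ok, "captured:", stolen)
```

In the relay flow the greeting check passes, because the greeting shown to the victim really did come from the bank; it was merely fetched by the attacker rather than by the victim's browser. The greeting therefore only tells the cardholder that whoever built the window could query the issuer with the card number, which is exactly what a merchant, honest or not, already has. A phisher without the card number gets no greeting and the cardholder's rule does refuse, so the greeting still helps against a site that guesses rather than relays.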