On Jan 31, 7:50*am, Postman Pat wrote:
David Woolley wrote

Jonathan Bryce wrote:
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.

And they make the common assumption that vendors/card processor using
this system actually serve the form from Cyota. *Many of them don't, or
at least didn't, including major card processors, and British Gas. *They
copy the form into their own page, and go man in the middle on the
outbound leg.

VBV is a PITA. I use Firefox with the No-script plug-in and VBV
usually fails due to the way it is implemented.

Anyway, even when it works, it fails to recognise my password, so I go
for the "not yet enrolled" option and knock up a pwd there and then.
They have have dozens of passwords for me now, and I am sure I am not
alone.

I was able to reset my password using my birthdate but I was shocked
to learn that in some cases even that's not required. The best
strategy is then to set up a new password each time, since a thief
could have set up the new password as well.