UK Finance (uk.finance) Discussion about Finance issues in the UK.

Tags: mastercard, securecode
#11

"Reece Bythell" wrote
Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.

"Tim" wrote:
That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.

Chris Blunt wrote:
The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. ...

Ah, but how do you know **for sure** that it is coming *directly* from your bank/VbV/SecureCode, and not via a "man-in-the-middle"?

Chris Blunt wrote:
... The merchant (assuming that's what you meant by man-in-the-middle) ...

Not necessarily the merchant, no -- anyone who manages to install themself in the middle of the connection between you and your bank/VbV/SC (by whatever means - eg DNS attack).

Chris Blunt wrote:
... doesn't see any of the information contained in that browser window.

But if there is a "man-in-the-middle", then any information sent from your bank/VbV/SC would go to the man in the middle first, who would just pass it on to you...

Mike Barnes wrote:
AAMOI, when you see it, how do you know it came directly from your bank?

"Chris Blunt" wrote
Because the window displays the personal greeting which I agreed with my credit card company when I registered for SecureCode. That phrase is known only to me and them.

... and a "man-in-the-middle" who pretends to be VbV/SC to you, and pretends to be you to VbV/SC. The scammer would pass the details that you give to them (thinking they are VbV/SC) on to VbV/SC; VbV/SC then sends back a message to them which includes your "personal greeting", which the scammer simply forwards on to you (real-time).

See? How can you be sure that you're talking *directly* to your bank, and not via a man-in-the-middle?
#12

On Thu, 28 Aug 2008 08:50:10 +0100, Mike Barnes wrote:
In uk.finance, Chris Blunt wrote:
On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes wrote:
In uk.finance, Chris Blunt wrote:
On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
"Reece Bythell" wrote

Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.

That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.

The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. The merchant (assuming that's what you meant by man-in-the-middle) doesn't see any of the information contained in that browser window.

AAMOI, when you see it, how do you know it came directly from your bank?

Because the window displays the personal greeting which I agreed with my credit card company when I registered for SecureCode. That phrase is known only to me and them.

It seems a lot of people are reporting that they don't see any personal greeting, and in any case have never been asked to set one up with their bank. I'm guessing a bit here, but I think those may be people who registered for SecureCode while performing a transaction with a merchant, rather than directly at their bank's online banking system. For those cases, I've no idea how they could be sure where the pop-up window originates from.

Understood. What I was concerned about was the case of registering the personal greeting during a merchant transaction. If that can't happen, OK.

AAMOI what information do you have to provide to the retailer in order to get the secure pop-up window from the bank, with your personal greeting, displayed? Presumably there needs to be some safeguard so that only you can do it.

Just the normal card details that you would normally enter as part of an online purchase. If they identify the card as being enrolled in SecureCode the window pops up. Once you recognise the personal greeting as being authentic you enter your password in the box, the window closes and the merchant confirms that the transaction has been approved. If the card issuer doesn't participate in SecureCode then the transaction will be handled just like any other.

Chris

#13

Mike Barnes wrote:
AAMOI what information do you have to provide to the retailer in order to get the secure pop-up window from the bank, with your personal greeting, displayed? Presumably there needs to be some safeguard so that only you can do it.

"Chris Blunt" wrote
Just the normal card details that you would normally enter as part of an online purchase. If they identify the card as being enrolled in SecureCode the window pops up. Once you recognise the personal greeting as being authentic you enter your password in the box, ...

You mean you don't even try to make sure that the pop-up has come directly from your bank/VbV/SC?

#14

"Mike Barnes" wrote
AAMOI, ...

AAMOI?

#15

In uk.finance, Chris Blunt wrote:
On Thu, 28 Aug 2008 08:50:10 +0100, Mike Barnes wrote:

AAMOI what information do you have to provide to the retailer in order to get the secure pop-up window from the bank, with your personal greeting, displayed? Presumably there needs to be some safeguard so that only you can do it.

Just the normal card details that you would normally enter as part of an online purchase. If they identify the card as being enrolled in SecureCode the window pops up. Once you recognise the personal greeting as being authentic you enter your password in the box, the window closes and the merchant confirms that the transaction has been approved.

It sounds as if anyone armed with your credit card details could start a transaction using them and obtain your personal greeting. How, then, can you be sure that a pop-up window containing your personal greeting actually comes from your bank? Or have I missed something?

-- Mike Barnes

#16

On Thu, 28 Aug 2008 10:20:52 +0100, "Tim" wrote:

"Reece Bythell" wrote
Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.

"Tim" wrote:
That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.

Chris Blunt wrote:
The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. ...

Ah, but how do you know **for sure** that it is coming *directly* from your bank/VbV/SecureCode, and not via a "man-in-the-middle"?

Chris Blunt wrote:
... The merchant (assuming that's what you meant by man-in-the-middle) ...

Not necessarily the merchant, no -- anyone who manages to install themself in the middle of the connection between you and your bank/VbV/SC (by whatever means - eg DNS attack).

Chris Blunt wrote:
... doesn't see any of the information contained in that browser window.

But if there is a "man-in-the-middle", then any information sent from your bank/VbV/SC would go to the man in the middle first, who would just pass it on to you...

Mike Barnes wrote:
AAMOI, when you see it, how do you know it came directly from your bank?

"Chris Blunt" wrote
Because the window displays the personal greeting which I agreed with my credit card company when I registered for SecureCode. That phrase is known only to me and them.

... and a "man-in-the-middle" who pretends to be VbV/SC to you, and pretends to be you to VbV/SC. The scammer would pass the details that you give to them (thinking they are VbV/SC) on to VbV/SC; VbV/SC then sends back a message to them which includes your "personal greeting", which the scammer simply forwards on to you (real-time).

See? How can you be sure that you're talking *directly* to your bank, and not via a man-in-the-middle?

I see your point. I don't know what safeguards, if any, are in place in the system to ensure that can't happen.

Chris

#17

In uk.finance, Tim wrote:
"Mike Barnes" wrote

AAMOI, ...

AAMOI?

Google is your friend, but to save you the trouble: "As A Matter of Interest".

-- Mike Barnes

#18

On Thu, 28 Aug 2008 10:45:56 +0100, Mike Barnes wrote:
In uk.finance, Chris Blunt wrote:
On Thu, 28 Aug 2008 08:50:10 +0100, Mike Barnes wrote:

AAMOI what information do you have to provide to the retailer in order to get the secure pop-up window from the bank, with your personal greeting, displayed? Presumably there needs to be some safeguard so that only you can do it.

Just the normal card details that you would normally enter as part of an online purchase. If they identify the card as being enrolled in SecureCode the window pops up. Once you recognise the personal greeting as being authentic you enter your password in the box, the window closes and the merchant confirms that the transaction has been approved.

It sounds as if anyone armed with your credit card details could start a transaction using them and obtain your personal greeting. How, then, can you be sure that a pop-up window containing your personal greeting actually comes from your bank? Or have I missed something?

If it's the correct personal greeting and it's contained in a secure browser window then I have a reasonable degree of confidence. Of course I don't have any absolute certainty that there isn't some fraudulent activity going on that I'm unaware of. Of all the risks that I'm exposed to in everyday life, that possibility comes well down the list of things that might keep me awake at night.

Chris

#19

Tim wrote:
"Mike Barnes" wrote

AAMOI, ...

AAMOI?

As a matter of interest?

#20

"Chris Blunt" wrote
If it's the correct personal greeting and it's contained in a secure browser window then I have a reasonable degree of confidence.

All that means is that you're reasonably sure no-one will intercept the message between you and the secure server that you're talking to; unfortunately, that secure server might easily be a "man-in-the-middle"...

"Chris Blunt" wrote
Of course I don't have any absolute certainty that there isn't some fraudulent activity going on that I'm unaware of. Of all the risks that I'm exposed to in everyday life, that possibility comes well down the list of things that might keep me awake at night.
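
The relay argument made in the thread, as an added in-memory model that is not part of any post and does not describe how SecureCode is actually implemented: an issuer that shows the greeting to whoever presents the card details, an intermediary that forwards in both directions, and two cardholder-side checks. The card number, greeting, hostnames and all class and function names are constructed, and the model assumes the browser has authenticated the page's hostname over TLS.

```python
"""Toy model: a secret the server displays says nothing about the path."""
from dataclasses import dataclass

ISSUER_HOST = "secure.issuer.example"   # constructed hostname
CARD = "5100000000000000"               # constructed card number
GREETING = "blue heron at dawn"         # constructed personal greeting


@dataclass
class Page:
    origin: str      # hostname the browser authenticated via TLS (assumed)
    greeting: str    # text shown inside the pop-up


class Issuer:
    """Shows the greeting to anyone who presents enrolled card details."""
    def __init__(self):
        self.enrolled = {CARD: GREETING}

    def challenge(self, card_number):
        return Page(ISSUER_HOST, self.enrolled[card_number])


class Relay:
    """Intermediary: forwards the card details upstream and replays the
    reply to the cardholder under its own hostname."""
    def __init__(self, upstream, host):
        self.upstream, self.host = upstream, host

    def challenge(self, card_number):
        reply = self.upstream.challenge(card_number)
        return Page(self.host, reply.greeting)


def greeting_check(page):
    """The check described in the thread: is this my greeting?"""
    return page.greeting == GREETING


def origin_check(page):
    """Channel-bound check: is the authenticated host the issuer's?"""
    return page.origin == ISSUER_HOST


def evaluate(endpoint):
    """Run both cardholder checks against whatever answered the request."""
    page = endpoint.challenge(CARD)
    return {"greeting": greeting_check(page), "origin": origin_check(page)}


if __name__ == "__main__":
    issuer = Issuer()
    print("direct :", evaluate(issuer))
    print("relayed:", evaluate(Relay(issuer, "secure-issuer.example.net")))
```

The greeting check passes on both paths because the greeting is released before the cardholder has proved anything; only the check tied to the authenticated hostname tells the two apart.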