UK Finance (uk.finance) Discussion about Finance issues in the UK.
Tags: mastercard, securecode

#1
Has anyone used this system and did it work? Recently I made an online payment to tmobile through my tmobile account. Part of the way through the process the Mastercard Securecode window popped up and prompted me for some details. At first I thought it was a scam or some phishing thing. Anyway, I continued along and it told me I had failed authentication, however the payment still went through. Now o2 are using the same system but my payment didn't get through when I failed authentication this morning. Does the Securecode system offer any advantage over the previous method of online payment. Seems a total pain to me.

#2
Stephen2 wrote:
> Has anyone used this system and did it work? Recently I made an online payment to tmobile through my tmobile account. Part of the way through the process the Mastercard Securecode window popped up and prompted me for some details. At first I thought it was a scam or some phishing

On what basis did you decide it was not? I suspect you will find that you were talking to some non-EEC system with no obvious connection with Mastercard. At least that is the case if you try and pre-register for Verified by Visa, and, I'm pretty certain, Securecode. What I don't know, but suspect, is that that is still the case when you subsequently get verified.

Chances are that it was legitimate, but see my recent, "Verifying Verified by Visa" thread.

> thing. Anyway, I continued along and it told me I had failed

If you provided existing credentials, not pre-registered for Securecode, there is a serious usability problem with security implications. You should change the credentials you gave to it, on the system to which they really belong.

> authentication, however the payment still went through. Now o2 are using the same system but my payment didn't get through when I failed authentication this morning. Does the Securecode system offer any advantage over the previous method of online payment. Seems a total pain to me.

I've deferred registering with VbV and I haven't used Mastercard online, for a long time, but, does the system authenticate itself to you, and does that authentication depend on a shared secret, but not pass it over the wire? If not, it is vulnerable to a man in the middle attack, and you need to check the SSL certificate and ignore the way it authenticates itself to you.

Unfortunately, the number of people who know enough to challenge the authenticity of these systems is so small that they can't get beyond the first line support people.

#3
David Woolley wrote:
> I've deferred registering with VbV and I haven't used Mastercard online, for a long time, but, does the system authenticate itself to you, and does that authentication depend on a shared secret, but not pass it over the wire? If not, it is vulnerable to a man in the middle attack, and you need to check the SSL certificate and ignore the way it authenticates itself to you.

Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.

Reece

#4
David Woolley wrote:
> I've deferred registering with VbV and I haven't used Mastercard online, for a long time, but, does the system authenticate itself to you, and does that authentication depend on a shared secret, but not pass it over the wire? If not, it is vulnerable to a man in the middle attack, and you need to check the SSL certificate and ignore the way it authenticates itself to you.

"Reece Bythell" wrote
> Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.

That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.
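
The distinction argued in posts #2 to #4, as an added example that is not part of the original thread and is not SecureCode's or Verified by Visa's actual protocol: a greeting that travels over the wire looks the same whether or not something sits in between, while a keyed proof that never sends the secret can be tied to the origin the browser really connected to. The origin binding goes one step beyond what the posts ask for; the origins, greeting text, card number and function names are constructed, and the cardholder-side check is assumed to run in software.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demonstration; none come from the thread.
ISSUER_ORIGIN = "https://acs.issuer.example"
RELAY_ORIGIN = "https://pay.relay.example"
GREETING = "blue heron at dawn"           # static greeting chosen at registration
SHARED_SECRET = secrets.token_bytes(32)   # held by the cardholder's software and the issuer


def issuer_greeting(card_number: str) -> str:
    """Static scheme: the greeting is returned to whoever presents the card number."""
    return GREETING


def issuer_proof(nonce: bytes) -> bytes:
    """Keyed scheme: prove knowledge of the secret without sending it,
    with the issuer's own origin mixed into the MAC."""
    msg = nonce + ISSUER_ORIGIN.encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()


def greeting_check(origin_seen: str, card_number: str = "0000000000000000") -> bool:
    """All the cardholder can verify is that the text matches; origin_seen
    plays no part, so the result is the same for any page showing the text."""
    shown = issuer_greeting(card_number)   # direct, or fetched and re-displayed
    return shown == GREETING


def proof_check(origin_seen: str) -> bool:
    """Recompute the MAC over the origin actually connected to and compare
    in constant time; a proof forwarded from another origin does not match."""
    nonce = secrets.token_bytes(16)        # fresh per attempt, so old proofs are useless
    proof = issuer_proof(nonce)            # direct, or forwarded unchanged
    msg = nonce + origin_seen.encode()
    expected = hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected)


def compare() -> dict:
    """Run both checks as seen from the issuer's origin and from another origin."""
    return {
        "greeting_direct": greeting_check(ISSUER_ORIGIN),
        "greeting_relayed": greeting_check(RELAY_ORIGIN),
        "proof_direct": proof_check(ISSUER_ORIGIN),
        "proof_relayed": proof_check(RELAY_ORIGIN),
    }


if __name__ == "__main__":
    for case, accepted in compare().items():
        print(f"{case:17} accepted={accepted}")
```

Only the last case is rejected: the greeting check cannot tell the two origins apart, which is the point made in post #4.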

#5
On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
> David Woolley wrote:
>> I've deferred registering with VbV and I haven't used Mastercard online, for a long time, but, does the system authenticate itself to you, and does that authentication depend on a shared secret, but not pass it over the wire? If not, it is vulnerable to a man in the middle attack, and you need to check the SSL certificate and ignore the way it authenticates itself to you.
>
> "Reece Bythell" wrote
>> Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.
>
> That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.

The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. The merchant (assuming that's what you meant by man-in-the middle) doesn't see any of the information contained in that browser window.

Chris

#6
On Thu, 28 Aug 2008 04:48:53 +0800, Chris Blunt wrote:
> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>> David Woolley wrote:
>>> I've deferred registering with VbV and I haven't used Mastercard online, for a long time, but, does the system authenticate itself to you, and does that authentication depend on a shared secret, but not pass it over the wire? If not, it is vulnerable to a man in the middle attack, and you need to check the SSL certificate and ignore the way it authenticates itself to you.
>>
>> "Reece Bythell" wrote
>>> Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.
>>
>> That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.
>
> The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. The merchant (assuming that's what you meant by man-in-the middle) doesn't see any of the information contained in that browser window.

Not when I use it. The popup is in a domain called securesite.co.uk (or possibly securesuite.co.uk, I can't remember for certain) with a certificate issued to cyota (or something like that).

It would be trivial for a merchant to display a popup that looked identical (except possibly this personal greeting - but I've never been asked/told what to expect and so I suspect nor have many other people), grab three characters of the code and then say "failed" and send the person to the real site for the second attempt.

I suspect (although I don't know) that if you actually allow the popup window then you can't even tell what domain you're connecting to - I block popup windows so it opens in a new tab so I get to see the domain.

Tim.

--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t," and there was light.

http://www.woodall.me.uk/ http://www.locofungus.btinternet.co.uk/

#7
In uk.finance, Chris Blunt wrote:
> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>> "Reece Bythell" wrote
>>> Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.
>>
>> That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.
>
> The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. The merchant (assuming that's what you meant by man-in-the middle) doesn't see any of the information contained in that browser window.

AAMOI, when you see it, how do you know it came directly from your bank?

--
Mike Barnes

#8
On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes wrote:
> In uk.finance, Chris Blunt wrote:
>> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>>> "Reece Bythell" wrote
>>>> Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.
>>>
>>> That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.
>>
>> The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. The merchant (assuming that's what you meant by man-in-the middle) doesn't see any of the information contained in that browser window.
>
> AAMOI, when you see it, how do you know it came directly from your bank?

Because the window displays the personal greeting which I agreed with my credit card company when I registered for SecureCode. That phrase is known only to me and them.

It seems a lot of people are reporting that they don't see any personal greeting, and in any case have never been asked to set one up with their bank. I'm guessing a bit here, but I think those may be people who registered for SecureCode while performing a transaction with a merchant, rather than directly at their bank's online banking system. For those cases, I've no idea how they could be sure where the pop-up window originates from.

Chris

#9
In uk.finance, Chris Blunt wrote:
> On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes wrote:
>> In uk.finance, Chris Blunt wrote:
>>> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>>>> "Reece Bythell" wrote
>>>>> Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.
>>>>
>>>> That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.
>>>
>>> The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. The merchant (assuming that's what you meant by man-in-the middle) doesn't see any of the information contained in that browser window.
>>
>> AAMOI, when you see it, how do you know it came directly from your bank?
>
> Because the window displays the personal greeting which I agreed with my credit card company when I registered for SecureCode. That phrase is known only to me and them.
>
> It seems a lot of people are reporting that they don't see any personal greeting, and in any case have never been asked to set one up with their bank. I'm guessing a bit here, but I think those may be people who registered for SecureCode while performing a transaction with a merchant, rather than directly at their bank's online banking system. For those cases, I've no idea how they could be sure where the pop-up window originates from.

Understood. What I was concerned about was the case of registering the personal greeting during a merchant transaction. If that can't happen, OK.

AAMOI what information do you have to provide to the retailer in order to get the secure pop-up window from the bank, with your personal greeting, displayed? Presumably there needs to be some safeguard so that only you can do it.

--
Mike Barnes

#10
On Aug 28, 12:25 am, Chris Blunt wrote:
> On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes wrote:
>> In uk.finance, Chris Blunt wrote:
>>> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>>>> "Reece Bythell" wrote
>>>>> Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.
>>>>
>>>> That's a shared "secret" that *is* passed over-the-wire. So, as the man said, it is vulnerable to a man-in-the-middle attack.
>>>
>>> The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. The merchant (assuming that's what you meant by man-in-the middle) doesn't see any of the information contained in that browser window.
>>
>> AAMOI, when you see it, how do you know it came directly from your bank?
>
> Because the window displays the personal greeting which I agreed with my credit card company when I registered for SecureCode. That phrase is known only to me and them.
>
> It seems a lot of people are reporting that they don't see any personal greeting, and in any case have never been asked to set one up with their bank. I'm guessing a bit here, but I think those may be people who registered for SecureCode while performing a transaction with a merchant, rather than directly at their bank's online banking system. For those cases, I've no idea how they could be sure where the pop-up window originates from.

Probably because we were forced into it against our will and better judgement. IIRC, for the first couple of times it appeared there was a "no thanks" button but after that it was compulsory (true for every single card I own)

I have NEVER had any official information EVER about VbV. And as the ONLY extra piece of information needed to change the password over what I tell the merchant already, is my DOB, it seems like a complete waste of time.

The only good thing I can see about it is that if anyone is ever taken in by an obvious phishing scam and the bank tries to claim that the customer was negligent then VbV can be used to show that real authentic banking sites also look like obvious phishing scams.

Tim.