[clug] Verified by Visa
Michael James
michael at james.st
Tue May 12 02:32:15 GMT 2009
Who has encountered "Verified by Visa"?
Does it ring all your security alarm bells?
It asks for your institutional internet banking password
from a pane within the vendor's HTTPS site.
If you have set your own Personal Authentication Message (PAM)
it prompts with the phrase you selected,
so it knows a secret it got from your bank.
But given that the page you are being presented with
is controlled by an un-trusted vendor,
how can you be confident that the site
hasn't done some man-in-the-middle trick
to find and re-present your PAM?
If you haven't set it, the PAM is something like,
"Welcome to secure internet banking".
And presenting that text will reel in hordes of suckers.
At St George there is no way to divorce the password you must type
to make a purchase using Visa from your internet banking password.
Specifically the password can't be:
a one time password SMSed to your mobile (which would be brilliant).
another password that you set along with your PAM.
I'm shopping for another bank, anyone know a bank
that allows a separate (preferably one-time) Visa password?
michaelj
--
Well theme my KDE4 emoticons disgusted. What has Linux come to?
Michael James clug3 at james.st