[clug] Verified by Visa

Michael James michael at james.st
Tue May 12 02:32:15 GMT 2009

Who has encountered "Verified by Visa"?

Does it ring all your security alarm bells?

It asks for your institutional internet banking password
  from a pane within the vendors HTTPS site.

If you have set your own Personal Authentication Message (PAM)
  it prompts with the phrase you selected,
  so it knows a secret it got from your bank.

But given that the page you are being presented with
  is controlled by an un-trusted vendor,
how can you be confident that the site
  hasn't done some man-in-the-middle trick
  to find and re-present the your PAM?

If you haven't set it, the PAM is something like,
  "Welcome to secure internet banking".
And presenting that text will reel in hordes of suckers.

At St George there is no way to divorce the password you must type
  to make a purchase using visa, from your internet baking password.

Specifically the password can't be:
   a one time password SMSed to your mobile (which would be brilliant).
   another password that you set along with your PAM.

I'm shopping for another bank, anyone know a bank
  that allows a separate (preferably one-time) visa password?


Well theme my KDE4 emoticons disgusted. What has Linux come to?
Michael James		clug3 at james.st

More information about the linux mailing list