[clug] Verified by Visa
clug at zhasper.com
Tue May 12 02:49:59 GMT 2009
I've seen this, from st. george. However, every time I've seen it it's been
on a page hosted by st. george - the merchant sites (iirc) has a redirect to
a Visa site, which redirects to stgeorge.
On Tue, May 12, 2009 at 12:32 PM, Michael James <michael at james.st> wrote:
> Who has encountered "Verified by Visa"?
> Does it ring all your security alarm bells?
> It asks for your institutional internet banking password
> from a pane within the vendors HTTPS site.
> If you have set your own Personal Authentication Message (PAM)
> it prompts with the phrase you selected,
> so it knows a secret it got from your bank.
> But given that the page you are being presented with
> is controlled by an un-trusted vendor,
> how can you be confident that the site
> hasn't done some man-in-the-middle trick
> to find and re-present the your PAM?
> If you haven't set it, the PAM is something like,
> "Welcome to secure internet banking".
> And presenting that text will reel in hordes of suckers.
> At St George there is no way to divorce the password you must type
> to make a purchase using visa, from your internet baking password.
> Specifically the password can't be:
> a one time password SMSed to your mobile (which would be brilliant).
> another password that you set along with your PAM.
> I'm shopping for another bank, anyone know a bank
> that allows a separate (preferably one-time) visa password?
> Well theme my KDE4 emoticons disgusted. What has Linux come to?
> Michael James clug3 at james.st
> linux mailing list
> linux at lists.samba.org
More information about the linux