[clug] Verified by Visa
nathanosullivan at mail1.bris.mammothmedia.com.au
Tue May 12 02:39:06 GMT 2009
This scheme is known as "3-D Secure"; http://en.wikipedia.org/wiki/3-D_Secure has some background.
----- "Michael James" <michael at james.st> wrote:
> Who has encountered "Verified by Visa"?
> Does it ring all your security alarm bells?
> It asks for your institutional internet banking password
> from a pane within the vendor's HTTPS site.
> If you have set your own Personal Authentication Message (PAM)
> it prompts with the phrase you selected,
> so it knows a secret it got from your bank.
> But given that the page you are being presented with
> is controlled by an un-trusted vendor,
> how can you be confident that the site
> hasn't done some man-in-the-middle trick
> to find and re-present your PAM?
> If you haven't set it, the PAM is something like,
> "Welcome to secure internet banking".
> And presenting that text will reel in hordes of suckers.
> At St George there is no way to divorce the password you must type
> to make a purchase using Visa, from your internet banking password.
> Specifically the password can't be:
> a one time password SMSed to your mobile (which would be
> another password that you set along with your PAM.
> I'm shopping for another bank, anyone know a bank
> that allows a separate (preferably one-time) Visa password?
> Well theme my KDE4 emoticons disgusted. What has Linux come to?
> Michael James clug3 at james.st