nick at ccl4.org
Fri Oct 2 11:34:15 BST 2009
On Fri, Oct 02, 2009 at 03:13:35AM -0700, Ovid wrote:
> --- On Fri, 2/10/09, Nicholas Clark <nick at ccl4.org> wrote:
> > From: Nicholas Clark <nick at ccl4.org>
> > > 2. No insistence on 3dsecure (because really, it's horrifically insecure).
> > And badly implemented by quite a few providers.
> > (There's XML, and a DTD. If the XML validates against the DTD, that means
> > that it's *VALID*, dammit, so don't reject it)
> > However, one can't take payments from Maestro unless one has 3D insecure.
> > (And it seems that even easyJet are no longer large enough to wiggle out
> > of that one)
> OK, I give. That's two references to how insecure 3D Secure is. Given that I know nothing about it other than the annoying fact that I've forgotten my password for it, could someone explain why it's broken?
There's a description of how little it takes to reset the password in the
link Tom gave:
Ben Laurie explains it here:
It's indistinguishable from a phishing scam.
Even better, which Ben doesn't cover, is that some banks have implemented it by
outsourcing it to a third party, which then serves the pages from *its* domain.
(Rather than having DNS delegated, so that 3dinsecure.rbs.gov.uk is a CNAME
pointing to an IP owned and hosted by the outsourcer)
So you get a popup saying "I'm from your bank; tell me your secrets" popping
up in a new window (believe it or not, originally with branding guidelines that
were "don't show a URL bar etc"), served from a domain which has nothing to do
with your bank.
And often this is the first time that you, the card holder, have encountered
the thing. Because your bank didn't bother to tell you about it in a
communication from them that you trust is from them.
It's almost like some enterprising chap in Nigeria wrote the specs for the
banks, to save them the costs of having to do it themselves.