Payment Providers

Nicholas Clark nick at
Fri Oct 2 11:34:15 BST 2009

On Fri, Oct 02, 2009 at 03:13:35AM -0700, Ovid wrote:
> --- On Fri, 2/10/09, Nicholas Clark <nick at> wrote:
> > From: Nicholas Clark <nick at>
> > > 2. No insistence on 3dsecure (because really, it's
> > horrifically  
> > > insecure).
> > 
> > And badly implemented by quite a few providers.
> > (There's XML, and a DTD. If the XML validates against the
> > DTD, that means
> > that it's *VALID*, dammit, so don't reject it)
> > 
> > However, one can't take payments from Maestro unless one
> > has 3D insecure.
> > (And it seems that even easyJet are no longer large enough
> > to wiggle out
> > of that one)
> OK, I give.  That's two references to how insecure 3D secure is. Given that I know nothing about it other than the annoying fact that I've forgotten my password for it, could someone explain why it's broken?

There's a description about how little it takes to reset the password in the
link Tom gave:

Ben Laurie explains it here:

It's indistinguishable from a phishing scam.

Even better, which Ben doesn't cover, is that some banks have implemented it by
outsourcing it to a third party, which then serves the pages from *its* domain.

(Rather than having DNS delegated, so that is a CNAME
pointing to an IP owned and hosted by the outsourcer)

So you get a popup saying "I'm from your bank; tell me your secrets" popping
up in a new window (believe it or not, originally with branding guidelines that
were "don't show a URL bar etc"), served from a domain which is nothing to do
with your bank.

And often this is the first time that you, the card holder, have encountered
the thing. Because your bank didn't bother to tell you about it in a
communication from them that you trust is from them.

It's almost like some enterprising chap in Nigeria wrote the specs for the
banks, to save the costs of having to do it themselves.

Nicholas Clark
