Payment Providers
David Precious
davidp at preshweb.co.uk
Fri Oct 2 12:07:24 BST 2009
On Friday 02 October 2009 11:13:35 Ovid wrote:

> OK, I give. That's two references to how insecure 3D secure is. Given that
> I know nothing about it other than the annoying fact that I've forgotten my
> password for it, could someone explain why it's broken?

Well, there's the fact that, for years, we've been trying to educate Internet
users not to enter details into untrusted websites, and now all of a sudden
they're expected to trust some random page that appears in a popup/iframe from
some domain entirely unrelated to the one they're in the middle of trying to
give their card details to? Like, for instance, securesuite.co.uk - would you
trust that random domain? (Incidentally, that's the domain that RSA forgot to
renew at one point...!)

See, for instance,
http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam

It's a poor attempt towards three-factor authentication, but it relies upon
entering a password - which will be picked up by the same keylogging/sniffing
techniques they'd use to grab the rest of your details if you're entering them
on a compromised machine. However, now, the bank has shifted liability to the
customer, claiming that since the transaction was authorised with their
"secret password", they have no right to repudiate the transaction.

Cheers

Dave P