On Friday 02 October 2009 11:13:35 Ovid wrote:
> OK, I give.  That's two references to how insecure 3D secure is. Given that
> I know nothing about it other than the annoying fact that I've forgotten my
> password for it, could someone explain why it's broken?

Well, there's the fact that, for years, we've been trying to educate Internet 
users not to enter details into untrusted websites, and now all of a sudden 
they're expected to trust some random page that appears in a popup/iframe from 
some domain entirely unrelated to the one they're in the middle of trying to 
give their card details to?  Like, for instance, - would you 
trust that random domain?  (Incidentally, that's the domain that RSA forgot to 
renew at one point...!)

See, for instance,

It's a poor attempt towards three-factor authentication, but it relies upon 
entering a password - which will be picked up by the same keylogging/sniffing 
techniques they'd use to grab the rest of your details if you're entering them 
on a compromised machine.  However, now, the bank has shifted liability to the 
customer, claiming that since the transaction was authorised with their 
"secret password", they have no right to repudiate the transaction.
