[personal profile] ewx

I had my first "verified by visa" popup today.

If this means nothing to you, what happens is: you try to buy something online with your credit card. When you hit the submit button in whatever online shop it is, a popup window appears and asks you to confirm the amount. The idea is that the popup is securely connected to your credit card provider, so that they get confirmation of the order directly from you rather than through the merchant. You enter a password so the provider knows that it's you they're talking to, and they approve the transaction. A few days later your new toys arrive, and several weeks later you have to pay for them.

I find myself unconvinced by the current implementation.

At least in the case of the place I was buying from, the popup turned off all the window furniture and embedded the output from the card provider in a frame. That is to say, you didn't get to see the URL displayed by the web browser: you just had the text of the web page. So you can't tell from that alone that you're really talking to your card provider. (Any idiot can copy a web page.)

The mechanism includes a workaround for this: when you register you choose a password that the provider uses to authenticate themselves to you. But a crooked merchant could make the same request your web browser does, and redisplay the results to you with the numbers changed to what you expected, and then send your answer back to the card provider. (This is harder for a crook to do, but they only have to do it once.)

As far as I can see, the only thing preventing such a man-in-the-middle attack on this protocol is the user checking the origin of the popup, which (i) has been made maximally inconvenient, (ii) you're not told to do, and (iii) uses a different URL from your bank's anyway. (The same hostname turns up when you register, so you do have something to compare with, but will it be the same in 12 months' time?)

(I'm assuming that comparing apparent URLs is a sound thing to do, which is probably optimistic.)
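To make the "compare the popup's origin" check concrete, here is an added example (not code from the original post or from any card scheme) of what that comparison has to look like to be worth anything. It assumes a placeholder issuer origin, `https://secure.issuer.example`, standing in for the hostname you would have noted at registration, and uses constructed sample URLs. The point it shows is that the eyeball check people actually do (does the issuer's name appear somewhere in the URL?) accepts several URLs that an exact origin comparison rejects, which is the reason a hidden address bar matters: the browser's own origin comparison is the only one done strictly.

```javascript
// Added example, not from the original post. The issuer origin below is an
// assumed placeholder for the hostname recorded when the cardholder enrolled.
const EXPECTED_ISSUER_ORIGIN = "https://secure.issuer.example";

// The check a hurried person does by eye: does the issuer's name appear
// anywhere in the URL? This is the loose comparison the post warns about.
function naiveHostCheck(url) {
  return url.includes("secure.issuer.example");
}

// The check the browser's address bar implies: parse the URL and compare
// scheme, host and port exactly. Returns a reason so a caller can see why
// a URL was rejected rather than just a boolean.
function strictOriginCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (parsed.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  if (parsed.origin !== EXPECTED_ISSUER_ORIGIN) {
    return { ok: false, reason: `origin ${parsed.origin} != ${EXPECTED_ISSUER_ORIGIN}` };
  }
  return { ok: true, reason: "origin matches" };
}

// Constructed sample URLs: one genuine-looking popup and four that merely
// mention the issuer's hostname somewhere, or nearly match it.
const SAMPLE_URLS = [
  "https://secure.issuer.example/acs/confirm?txn=1",          // exact origin
  "https://secure.issuer.example.merchant.test/acs/confirm",  // issuer name as a subdomain
  "https://merchant.test/frame?src=secure.issuer.example",    // issuer name only in the query
  "http://secure.issuer.example/acs/confirm",                 // right host, no TLS
  "https://secure-issuer.example/acs/confirm",                // one character different
];

// Run both checks over every sample so the two columns can be compared.
function evaluateAll(urls = SAMPLE_URLS) {
  return urls.map((u) => ({
    url: u,
    naive: naiveHostCheck(u),
    strict: strictOriginCheck(u).ok,
  }));
}

// Stand-alone usage: print the comparison table.
console.table(evaluateAll());
```

Only the first URL passes the strict check; the naive check also passes the subdomain, query-string and plain-http variants, which is the gap between "I saw the bank's name" and "the page is served by the bank". None of this helps when the address bar is hidden in a frame, which is the situation the post describes.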

I have a chip and PIN card too, now, but haven't been asked for the PIN yet, despite having gone to the effort of remembering it, and despite having shopped at at least one place which visibly had the kit for it.
