VISA: All Your Password Are Belong to Us

John R. Levine johnl at iecc.com
Tue Dec 4 00:30:12 EST 2001


>Visa Starts Password Service to Fight Online Fraud

I took a look at the description of the scheme, with links at:

http://www.usa.visa.com/business/merchants/verified_online_purchases.html

It seems pretty straightforward.  When a merchant gets a customer's
card number, the merchant queries (via an SSL link) a Visa server to
find out whether the card has a password.  If it does, the merchant (or
apparently some componentware of Visa's) asks for the password or
a smart-card swipe and sends that along, again via SSL, with the
rest of the transaction data for approval.  The incentive for the
merchant is that Visa promises that password-verified transactions
aren't subject to some kinds of chargebacks.  Nobody expects many
people to sign up for this any time soon.

Other than the inherent problem that all software has bugs, I don't
see any obvious horrible gaping holes, although I was a wee bit
surprised that when I followed the card signup link on Bank of
America's web site I ended up in the cyota.com domain, a software
vendor in Israel, although traceroutes showed that the server in
question was at a web hosting company in Georgia, which is neither in
Israel nor in North Carolina or California where the bank's main
offices are.  Why does this not make me feel more secure?


-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
johnl at iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
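To make the flow in the post concrete, here is a toy model of the merchant and Visa-server sides as an added example. It is not code from the post, from Visa, or from Cyota; it assumes a directory keyed by card number that stores only a salted password hash for enrolled cards, a merchant that first asks whether the card is enrolled and collects the password only if it is, and an approval response carrying a `password_verified` flag, since that flag is what the promised chargeback protection hinges on. The card number and password are constructed sample values.

```python
"""Toy model of the password-verified card scheme described in the post.

Constructed example (not Visa's or Cyota's code). The SSL links of the real
scheme are replaced by direct method calls; the logic is what matters here.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the directory never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class IssuerDirectory:
    """Stands in for the Visa server the merchant queries (constructed)."""

    def __init__(self):
        self._enrolled = {}  # card number -> (salt, password hash)

    def enroll(self, card: str, password: str) -> None:
        salt = os.urandom(16)
        self._enrolled[card] = (salt, _hash_password(password, salt))

    def is_enrolled(self, card: str) -> bool:
        # First merchant query: does this card have a password at all?
        return card in self._enrolled

    def authorize(self, card: str, amount: int, password=None) -> dict:
        """Second query: approve the transaction and say whether a password was checked."""
        if not self.is_enrolled(card):
            # Unenrolled cards are approved the old way, with no password check.
            return {"approved": True, "password_verified": False}
        if password is None:
            return {"approved": False, "password_verified": False,
                    "reason": "password required"}
        salt, stored = self._enrolled[card]
        ok = hmac.compare_digest(stored, _hash_password(password, salt))
        return {"approved": ok, "password_verified": ok}


def merchant_checkout(directory: IssuerDirectory, card: str, amount: int,
                      ask_for_password) -> dict:
    """Merchant side: enrollment lookup, password prompt if needed, then approval."""
    password = None
    if directory.is_enrolled(card):
        # The post notes the prompt may be the merchant's own or a Visa component;
        # when it is the merchant's, the merchant sees the password in the clear.
        password = ask_for_password()
    result = directory.authorize(card, amount, password)
    # Only password-verified approvals carry the promised chargeback protection.
    result["chargeback_protected"] = bool(result["approved"] and result["password_verified"])
    return result


if __name__ == "__main__":
    directory = IssuerDirectory()
    directory.enroll("4111111111111111", "correct horse")  # constructed sample values
    print(merchant_checkout(directory, "4111111111111111", 1999, lambda: "correct horse"))
    print(merchant_checkout(directory, "4111111111111111", 1999, lambda: "wrong"))
    print(merchant_checkout(directory, "5555555555554444", 1999, lambda: None))
```

The four outcomes worth noticing are an enrolled card with the right password (approved and protected), an enrolled card with a wrong password (declined), an enrolled card with no password supplied (declined with a reason), and an unenrolled card (approved, but with no chargeback protection), which is why the merchant has to record the `password_verified` flag rather than just the approval.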



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com