VISA: All Your Password Are Belong to Us

Richard Guy Briggs rgb at
Tue Dec 4 03:48:31 EST 2001

On Tue, Dec 04, 2001 at 12:30:12AM -0500, John R. Levine wrote:
> >Visa Starts Password Service to Fight Online Fraud
> I took a look at the description of the scheme, with links at:
> It seems pretty straightforward.  When a merchant gets a customer's
> card number, the merchant queries (via an SSL link) a Visa server to
> find out whether the card has a password.  If it does, the merchant (or
> apparently some componentware of Visa's) asks for the password or
> a smart-card swipe and sends that along, again via SSL, with the
> rest of the transaction data for approval.  The incentive for the
> merchant is that Visa promises that password-verified transactions
> aren't subject to some kinds of chargebacks.  Nobody expects many
> people to sign up for this any time soon.

So what is to stop a merchant from caching the password?  Visa then
swallows the bill?  Or does it get encrypted the same way debit cards
currently do in Canada?

> Other than the inherent problem that all software has bugs, I don't
> see any obvious horrible gaping holes, although I was a wee bit
> surprised that when I followed the card signup link on Bank of
> America's web site I ended up in the domain, a software
> vendor in Israel, although traceroutes showed that the server in
> question was at a web hosting company in Georgia, which is neither in
> Israel nor in North Carolina or California where the bank's main
> offices are.  Why does this not make me feel more secure?
> -- 
> John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
> johnl at, Village Trustee and Sewer Commissioner,, 
> Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at

	slainte mhath, RGB

Richard Guy Briggs           --    ~\                 Auto-Free Ottawa! Canada
<>            --    \@       @           <>
No Internet Wiretapping!        --   _\\/\%___\\/\%        Vote! -- <>
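The caching question above is easy to make concrete. The toy model below is an added illustration, not part of the original post and not Visa's actual protocol: every class, message, key-derivation step and transaction id in it is invented. It contrasts the flow as John describes it (the merchant collects the password and forwards it with the transaction) with the kind of design RGB alludes to with the Canadian debit comparison, where the secret never reaches the merchant in a reusable form. Here that is done with a per-transaction challenge from the issuer and an HMAC response computed on the cardholder's side, so a dishonest merchant can cache only a response that is bound to one nonce, transaction and amount.

```python
"""Toy model of the password-verified card flow described in the thread, written
to show what a merchant can do with a cached password. Added example, not Visa's
protocol: every name, message and key here is invented for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Authorization:
    approved: bool
    password_verified: bool   # the flag that would earn chargeback protection
    reason: str = ""


def derive_key(password: str, pan: str) -> bytes:
    """Slow password-derived key; the PAN serves as salt only in this toy."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), pan.encode(), 50_000)


def mac_response(key: bytes, nonce: bytes, txn_id: str, amount: int) -> bytes:
    """Cardholder's answer to a challenge, bound to nonce, transaction and amount."""
    msg = nonce + txn_id.encode() + amount.to_bytes(8, "big")
    return hmac.new(key, msg, "sha256").digest()


class VisaServer:
    """Issuer side. Stores the derived key per enrolled card (toy simplification)."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}   # txn_id -> outstanding nonce

    def enroll(self, pan: str, password: str) -> None:
        self._keys[pan] = derive_key(password, pan)

    def has_password(self, pan: str) -> bool:
        return pan in self._keys

    # Flow 1: the merchant collects the password and forwards it with the transaction.
    def authorize_with_password(self, pan: str, txn_id: str, amount: int,
                                password: str) -> Authorization:
        key = self._keys.get(pan)
        if key is None:
            return Authorization(True, False, "card not enrolled")
        ok = hmac.compare_digest(key, derive_key(password, pan))
        return Authorization(ok, ok, "" if ok else "bad password")

    # Flow 2: Visa issues a fresh nonce per transaction; the merchant only relays.
    def challenge(self, txn_id: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[txn_id] = nonce
        return nonce

    def authorize_with_response(self, pan: str, txn_id: str, amount: int,
                                response: bytes) -> Authorization:
        key = self._keys.get(pan)
        nonce = self._pending.pop(txn_id, None)   # single use
        if key is None:
            return Authorization(True, False, "card not enrolled")
        if nonce is None:
            return Authorization(False, False, "no outstanding challenge")
        ok = hmac.compare_digest(mac_response(key, nonce, txn_id, amount), response)
        return Authorization(ok, ok, "" if ok else "bad response")


class Merchant:
    """A merchant that keeps whatever passes through it, the worry raised in the thread."""

    def __init__(self, visa: VisaServer) -> None:
        self.visa = visa
        self.seen_passwords: dict[str, str] = {}
        self.seen_responses: dict[str, bytes] = {}

    def checkout_plaintext(self, pan: str, txn_id: str, amount: int,
                           ask_cardholder) -> Authorization:
        if not self.visa.has_password(pan):
            return self.visa.authorize_with_password(pan, txn_id, amount, "")
        password = ask_cardholder()
        self.seen_passwords[pan] = password          # nothing in flow 1 stops this
        return self.visa.authorize_with_password(pan, txn_id, amount, password)

    def replay_plaintext(self, pan: str, txn_id: str, amount: int) -> Authorization:
        """A later transaction the cardholder never took part in."""
        return self.visa.authorize_with_password(pan, txn_id, amount,
                                                 self.seen_passwords[pan])

    def checkout_challenge(self, pan: str, txn_id: str, amount: int,
                           ask_cardholder) -> Authorization:
        if not self.visa.has_password(pan):
            return self.visa.authorize_with_response(pan, txn_id, amount, b"")
        nonce = self.visa.challenge(txn_id)
        # The cardholder's own software computes the response; the password itself
        # never reaches the merchant, which can only cache the nonce-bound response.
        response = mac_response(derive_key(ask_cardholder(), pan), nonce, txn_id, amount)
        self.seen_responses[pan] = response
        return self.visa.authorize_with_response(pan, txn_id, amount, response)

    def replay_challenge(self, pan: str, txn_id: str, amount: int) -> Authorization:
        self.visa.challenge(txn_id)                  # Visa issues a fresh nonce
        return self.visa.authorize_with_response(pan, txn_id, amount,
                                                 self.seen_responses[pan])
```

In flow 1 the replayed password authorizes a second transaction the cardholder never saw, and it carries the same password_verified flag that the thread says exempts the merchant from chargebacks. In flow 2 the cached response fails against the new nonce, so caching buys the merchant nothing; the remaining trust question is only whether the cardholder's software (the "componentware" John mentions) is actually under the cardholder's control rather than the merchant's.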
