VISA: All Your Password Are Belong to Us

Richard Guy Briggs rgb at conscoop.ottawa.on.ca
Tue Dec 4 03:48:31 EST 2001


On Tue, Dec 04, 2001 at 12:30:12AM -0500, John R. Levine wrote:
> >Visa Starts Password Service to Fight Online Fraud
> 
> I took a look at the description of the scheme, with links at:
> 
> http://www.usa.visa.com/business/merchants/verified_online_purchases.html
> 
> It seems pretty straightforward.  When a merchant gets a customer's
> card number, the merchant queries (via an SSL link) a Visa server to
> find out whether the card has a password.  If it does, the merchant (or
> apparently some componentware of Visa's) asks for the password or
> a smart-card swipe and sends that along, again via SSL, with the
> rest of the transaction data for approval.  The incentive for the
> merchant is that Visa promises that password-verified transactions
> aren't subject to some kinds of chargebacks.  Nobody expects many
> people to sign up for this any time soon.

So what is to stop a merchant from caching the password?  Visa then
swallows the bill?  Or does it get encrypted the same way debit cards
currently do in Canada?

> Other than the inherent problem that all software has bugs, I don't
> see any obvious horrible gaping holes, although I was a wee bit
> surprised that when I followed the card signup link on Bank of
> America's web site I ended up in the cyota.com domain, a software
> vendor in Israel, although traceroutes showed that the server in
> question was at a web hosting company in Georgia, which is neither in
> Israel nor in North Carolina or California where the bank's main
> offices are.  Why does this not make me feel more secure?
> 
> 
> -- 
> John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
> johnl at iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
> Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
> 
> 
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

	slainte mhath, RGB

-- 
Richard Guy Briggs           --    ~\                 Auto-Free Ottawa! Canada
<www.TriColour.net>            --    \@       @           <www.flora.org/afo/>
No Internet Wiretapping!        --   _\\/\%___\\/\%        Vote! -- <Green.ca>
<www.FreeSWAN.org>_______GTVS6#790__(*)_______(*)(*)_______<www.Marillion.com>
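The question raised above (what stops the merchant from caching the password?) can be made concrete with a small model of the two flows. This is an added example, not part of the original thread and not Visa's actual Verified by Visa protocol: the VisaServer class, the message shapes, the PBKDF2 password derivation and the HMAC transaction proof are all assumptions chosen to show the difference between a password that transits through the merchant in clear and a proof that is bound to one transaction and one server-issued nonce, roughly the role an encrypted PIN block plays for debit cards. The card number and password are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example (a test PAN, not a real card).
PAN = "4111111111111111"
PASSWORD = "correct horse"


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive a per-card verification key from the cardholder password (assumed PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def transaction_proof(key: bytes, nonce: bytes, pan: str, merchant: str, amount: int) -> bytes:
    """Proof of password knowledge bound to one nonce and one transaction (assumed construction)."""
    msg = b"|".join([nonce, pan.encode(), merchant.encode(), str(amount).encode()])
    return hmac.new(key, msg, "sha256").digest()


class VisaServer:
    """Hypothetical model of the Visa-side server the merchant talks to over SSL."""

    def __init__(self):
        self._cards = {}      # PAN -> (salt, derived key)
        self._nonces = {}     # outstanding challenge nonce -> PAN
        self.approved = []    # (PAN, merchant, amount) for every approved transaction

    def enroll(self, pan: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._cards[pan] = (salt, derive_key(password, salt))

    def has_password(self, pan: str) -> bool:
        """The merchant's first query in the quoted description: is this card enrolled?"""
        return pan in self._cards

    # Flow A: the merchant collects the password and relays it with the transaction.
    def authorize_with_password(self, pan, merchant, amount, password) -> bool:
        salt, key = self._cards[pan]
        if hmac.compare_digest(derive_key(password, salt), key):
            self.approved.append((pan, merchant, amount))
            return True
        return False

    # Flow B: the merchant relays only a proof bound to this transaction.
    def challenge(self, pan):
        salt, _ = self._cards[pan]
        nonce = secrets.token_bytes(16)
        self._nonces[nonce] = pan
        return nonce, salt

    def authorize_with_proof(self, pan, merchant, amount, nonce, proof) -> bool:
        if self._nonces.pop(nonce, None) != pan:    # unknown or already-consumed nonce
            return False
        _, key = self._cards[pan]
        expected = transaction_proof(key, nonce, pan, merchant, amount)
        if hmac.compare_digest(expected, proof):
            self.approved.append((pan, merchant, amount))
            return True
        return False


class Cardholder:
    """Cardholder-side software; in flow B the password never leaves it."""

    def __init__(self, pan, password):
        self.pan, self.password = pan, password

    def prove(self, nonce, salt, merchant, amount) -> bytes:
        return transaction_proof(derive_key(self.password, salt), nonce, self.pan, merchant, amount)


def run_password_flow(visa: VisaServer, merchant="shop-A"):
    """Flow A: the merchant sees the password, caches it, and replays it without the cardholder."""
    holder = Cardholder(PAN, PASSWORD)
    cache = {}
    if visa.has_password(PAN):
        cache[PAN] = holder.password    # typed by the cardholder into the merchant's form
    first = visa.authorize_with_password(PAN, merchant, 20, cache[PAN])
    replay = visa.authorize_with_password(PAN, merchant, 500, cache[PAN])  # merchant acting alone
    return first, replay


def run_proof_flow(visa: VisaServer, merchant="shop-A"):
    """Flow B: the merchant only ever holds a proof that is useless for any other transaction."""
    holder = Cardholder(PAN, PASSWORD)
    if not visa.has_password(PAN):
        return False, False, False
    nonce, salt = visa.challenge(PAN)
    proof = holder.prove(nonce, salt, merchant, 20)  # the merchant caches this blob
    first = visa.authorize_with_proof(PAN, merchant, 20, nonce, proof)
    replay_same = visa.authorize_with_proof(PAN, merchant, 20, nonce, proof)     # nonce consumed
    nonce2, _ = visa.challenge(PAN)
    replay_other = visa.authorize_with_proof(PAN, merchant, 500, nonce2, proof)  # bound to 20 and old nonce
    return first, replay_same, replay_other


if __name__ == "__main__":
    for flow in (run_password_flow, run_proof_flow):
        server = VisaServer()
        server.enroll(PAN, PASSWORD)
        print(flow.__name__, flow(server), "approved:", [a for _, _, a in server.approved])
```

In flow A the second call succeeds with no cardholder involvement, which is exactly the caching concern: whether the password went over SSL is irrelevant once the merchant's own software has it. In flow B the cached proof is rejected both on the consumed nonce and on the changed amount, and a dishonest merchant holding it has learned nothing about the password. The PBKDF2 cost applies to the cardholder side too, which is why the salt is handed out with the challenge.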


