VISA: All Your Password Are Belong to Us

Enzo Michelangeli em at who.net
Tue Dec 4 02:32:04 EST 2001


Actually, the authentication is not performed by Visa, but by the issuer
(the member bank that has issued the card). Visa only manages a directory
server where the merchant's plugin looks up the first six digits of the card
number (a.k.a. the "issuer BIN") and finds the URL of the "Issuer
Authentication Control Server". The merchant plugin then redirects the
buyer's browser to that server, which in turn authenticates the buyer in any
way it deems fit (normally, a password or PIN). Visa, merchant and acquiring
bank are all out of the authentication loop: the process only involves
issuer and cardholder.

If the authentication is successful, the Issuer ACS certifies the card
number (basically, signing it) and redirects the browser to the merchant's
plugin, which verifies the issuer's signature (through a Visa-issued root
cert) and proceeds. Only then is the transaction submitted for
authorization.

Enzo

----- Original Message -----
From: "John R. Levine" <johnl at iecc.com>
Newsgroups: iecc.lists.cryptography
To: <cryptography at wasabisystems.com>
Sent: Tuesday, December 04, 2001 1:30 PM
Subject: Re: VISA: All Your Password Are Belong to Us


> >Visa Starts Password Service to Fight Online Fraud
>
> I took a look at the description of the scheme, with links at:
>
> http://www.usa.visa.com/business/merchants/verified_online_purchases.html
>
> It seems pretty straightforward.  When a merchant gets a customer's
> card number, the merchant queries (via an SSL link) a Visa server to
> find out whether the card has a password.  If it does, the merchant (or
> apparently some componentware of Visa's) asks for the password or
> a smart-card swipe and sends that along, again via SSL, with the
> rest of the transaction data for approval.  The incentive for the
> merchant is that Visa promises that password-verified transactions
> aren't subject to some kinds of chargebacks.  Nobody expects many
> people to sign up for this any time soon.
>
> Other than the inherent problem that all software has bugs, I don't
> see any obvious horrible gaping holes, although I was a wee bit
> surprised that when I followed the card signup link on Bank of
> America's web site I ended up in the cyota.com domain, a software
> vendor in Israel, although traceroutes showed that the server in
> question was at a web hosting company in Georgia, which is neither in
> Israel nor in North Carolina or California where the bank's main
> offices are.  Why does this not make me feel more secure?
>
>
> --
> John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
> johnl at iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
> Member, Provisional board, Coalition Against Unsolicited Commercial E-mail




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
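The flow Enzo describes (directory lookup on the issuer BIN, redirect to the issuer's ACS, cardholder password checked only by the issuer, signed response verified by the merchant plugin against a Visa root before authorization) as an added, self-contained example; this is not code from the post, from Visa or from any issuer. It stands in ed25519 for the real certificate scheme, models the issuer certificate as a Visa-root signature over the (BIN, issuer public key) pair, and uses a constructed BIN, ACS URL, test card number and password.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Visa directory server: issuer BIN (first six digits) -> ACS URL.
// Constructed sample entry; neither the BIN nor the URL is real.
var directory = map[string]string{
	"411111": "https://acs.issuer.example/auth",
}

// LookupACS is the merchant plugin's directory query.
func LookupACS(pan string) (string, error) {
	if len(pan) < 6 {
		return "", errors.New("card number too short")
	}
	url, ok := directory[pan[:6]]
	if !ok {
		return "", errors.New("issuer BIN not enrolled")
	}
	return url, nil
}

// IssuerCert stands in for the issuer's certificate: the Visa root signs
// the binding between the issuer's BIN and its signing key.
type IssuerCert struct {
	BIN     string
	Pub     ed25519.PublicKey
	RootSig []byte
}

func certBody(bin string, pub ed25519.PublicKey) []byte {
	return append([]byte("issuer-cert|"+bin+"|"), pub...)
}

// Issuer is the member bank running the Access Control Server (ACS).
type Issuer struct {
	Cert      IssuerCert
	priv      ed25519.PrivateKey
	passwords map[string]string // PAN -> password; constructed demo data only
}

func NewIssuer(bin string, rootPriv ed25519.PrivateKey) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	cert := IssuerCert{BIN: bin, Pub: pub, RootSig: ed25519.Sign(rootPriv, certBody(bin, pub))}
	return &Issuer{Cert: cert, priv: priv, passwords: map[string]string{}}, nil
}

// PARes is what the ACS sends back through the browser: card number,
// transaction id and result, bound together under the issuer's signature.
type PARes struct {
	PAN, TxID, Status string
	Sig               []byte
}

func paresBody(pan, tx, status string) []byte {
	return []byte("pares|" + pan + "|" + tx + "|" + status)
}

// Authenticate: only the issuer sees the password, and it signs only on success.
func (i *Issuer) Authenticate(pan, password, tx string) PARes {
	pw, ok := i.passwords[pan]
	if !ok || subtle.ConstantTimeCompare([]byte(pw), []byte(password)) != 1 {
		return PARes{PAN: pan, TxID: tx, Status: "N"}
	}
	return PARes{PAN: pan, TxID: tx, Status: "Y", Sig: ed25519.Sign(i.priv, paresBody(pan, tx, "Y"))}
}

// VerifyPARes is the merchant plugin's check before authorization: the issuer
// cert chains to the Visa root, its BIN matches the card, the signed response
// is for this card and this transaction, and the status is "Y".
func VerifyPARes(rootPub ed25519.PublicKey, cert IssuerCert, res PARes, pan, tx string) error {
	if !ed25519.Verify(rootPub, certBody(cert.BIN, cert.Pub), cert.RootSig) {
		return errors.New("issuer certificate not signed by Visa root")
	}
	if !strings.HasPrefix(pan, cert.BIN) {
		return errors.New("issuer certificate BIN does not match card")
	}
	if res.PAN != pan || res.TxID != tx {
		return errors.New("response is for a different card or transaction")
	}
	if res.Status != "Y" {
		return errors.New("cardholder authentication failed")
	}
	if !ed25519.Verify(cert.Pub, paresBody(res.PAN, res.TxID, res.Status), res.Sig) {
		return errors.New("bad issuer signature")
	}
	return nil
}

// Demo wires up one Visa root, one issuer and one enrolled card (all constructed).
type Demo struct {
	RootPub ed25519.PublicKey
	Issuer  *Issuer
}

func NewDemo() (*Demo, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	iss, err := NewIssuer("411111", rootPriv)
	if err != nil {
		return nil, err
	}
	iss.passwords["4111111111111111"] = "correct horse" // constructed test PAN and password
	return &Demo{RootPub: rootPub, Issuer: iss}, nil
}

// Purchase runs the whole exchange. The browser redirect to the ACS URL is
// replaced by a direct call; the merchant never sees the password.
func (d *Demo) Purchase(pan, password, tx string) error {
	if _, err := LookupACS(pan); err != nil {
		return err
	}
	res := d.Issuer.Authenticate(pan, password, tx)
	return VerifyPARes(d.RootPub, d.Issuer.Cert, res, pan, tx)
}

func main() {
	d, err := NewDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("good password:", d.Purchase("4111111111111111", "correct horse", "tx-1"))
	fmt.Println("bad password:", d.Purchase("4111111111111111", "wrong", "tx-1"))
	fmt.Println("unenrolled BIN:", d.Purchase("5555555555554444", "x", "tx-2"))
}
```

Binding the transaction id into the signed response is what stops a merchant (or anyone holding a captured response) from reusing one successful authentication for a second purchase; the BIN-to-certificate check stops an enrolled issuer from vouching for another issuer's cards.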