On Sun, Apr 11, 2010 at 12:55:48PM +0200, Michael G Schwern wrote:
>
> I don't think credit card companies live in the same universe we do.
> Take Verified By Visa. It's basically an XSS exploit. Worse, it wants me
> to make up a secure password to associate with my credit card. The
> password MUST be between 6 and 10 characters. If I forget the password,
> I can just make up a new one.
And in the UK it shifts fraud liability to the cardholder (because it *must* have been you, it required you to input your password and everything!)[1]

Most banks make a 3D-Secure implementation mandatory. I can't get Mastercard SecureCode disabled on my CC, for example. I did manage to get another 3DS implementation disabled on one of my debit cards, however.

HSBC made the bold claim that "since we introduced 3DS, we haven't had a single case of fraud". You can instead read that as "since we introduced 3DS, we've penalised the cardholder every time someone defrauds them rather than actually sorting the problem out and prosecuting the bastards involved".

Simplest 3DS attack:

1. Take your grandma's CC and shop online with it
2. Since she doesn't shop online, register her card for 3DS
3. Now you know your grandma's 3DS information and yet she doesn't
4. Your grandma is liable

Hardly seems fair on Grandma, does it? Now replace 'Grandma' with upper management at Visa / Mastercard and you have a conference. And potentially a jail cell, but go out with a bang.

See also chip-and-PIN, which also shifts liability in Britain and is the reason all of my cards are chip-and-signature (where liability is still on the bank). It's somewhat annoying being unable to use a cashpoint, but I have a cunning plan to open another bank account with a chip-and-PIN card and shift a small amount of money to it each week via standing order.

--James

[1] May not actually be true, but has been upheld by a UK court nonetheless