On Sun, Apr 11, 2010 at 12:55:48PM +0200, Michael G Schwern wrote:
> I don't think credit card companies live in the same universe we do. Take
> Verified By Visa. It's basically an XSS exploit. Worse, it wants me to make

Indeed. Originally, for branding reasons, encouraged to be implemented as a
pop-up window without an address bar or anything else. *Also*, many UK banks
outsource the service to third party companies, so it's a pop-up (well, now
iframe) purporting to be from your bank, served from a domain you know nothing
about.

Also, it's impressive how many banks can't actually implement it correctly.
(XML is XML, so stop parsing it with regexps, or whatever it is that causes you
to reject isomorphic forms. Also, there's a spec on the size of the window you
can create, so why is yours twice as big?)

And dear Mastercard*

a: The idea of two sets of directory servers is so that if one fails, the
   other is online and hot.

b: If your spec says that one can cache for 24 hours that a range of cards is
   not enrolled, then please stop trying to say "oh, you didn't even offer 3D
   insecure" as an attempt to shift fraud liability. If you keep doing that,
   caching will be disabled and your servers will be hit for *every request* -
   then let's see what their uptime is.

> up a secure password to associate with my credit card. The password MUST
> be between 6 and 10 characters. If I forget the password, I can just make
> up a new one.
>
> I'd love to meet their security consultants.

How about their security consultants travel to Nigeria (or equivalent) to meet
real 419 scammers? They could probably share ideas.

> http://www.cerias.purdue.edu/site/blog/post/verified-by-visa-issues/
> http://www.breakitdownblog.com/verified-by-visa-is-useless/

and http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/

I solved this by getting a credit card issued by American Express. They don't
do *this* kind of stupidity.

Nicholas Clark

* Might have been Visa. They are hard to tell apart in the clue stakes.
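The "XML is XML, stop parsing it with regexps" complaint above is about implementations that reject isomorphic forms: the same document serialised with different whitespace, quoting, namespace prefixes, character references or CDATA. The following added example (mine, not from this thread, and not modelled on any real 3-D Secure message; the namespace `urn:example:acs` and the `Response`/`Result` elements are invented) shows four equivalent encodings of one message, a naive regex that accepts only one of them, and a real parser that reads the same data from all four.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical namespace; the element names are constructed for illustration.
NS = "urn:example:acs"

# Constructed messages. Every entry carries exactly the same information:
# one Response with status="ok" holding one Result whose text is "Y".
FORMS = {
    "canonical":
        f'<Response xmlns="{NS}" status="ok"><Result>Y</Result></Response>',
    # Pretty-printed, single-quoted attributes, character reference for "Y".
    "whitespace_quotes_charref":
        f"<Response xmlns='{NS}'\n    status='ok'>\n"
        f"  <Result>&#89;</Result>\n</Response>\n",
    # Same namespace bound to a prefix instead of used as the default.
    "prefixed_namespace":
        f'<r:Response xmlns:r="{NS}" status="ok">'
        f'<r:Result>Y</r:Result></r:Response>',
    # XML declaration, a comment before the root, and CDATA for the text.
    "declaration_comment_cdata":
        f'<?xml version="1.0"?><!-- emitted by a different vendor -->'
        f'<Response xmlns="{NS}" status="ok">'
        f'<Result><![CDATA[Y]]></Result></Response>',
}

# The brittle approach: match the serialised bytes of one particular encoding.
NAIVE_RE = re.compile(
    r'<Response xmlns="' + re.escape(NS)
    + r'" status="ok"><Result>([A-Z])</Result></Response>'
)


def regex_result(doc: str):
    """Return the Result character if the naive pattern matches, else None."""
    m = NAIVE_RE.search(doc)
    return m.group(1) if m else None


def parser_result(doc: str):
    """Parse to the infoset and return (status, result) regardless of syntax."""
    root = ET.fromstring(doc)
    if root.tag != f"{{{NS}}}Response":
        raise ValueError(f"unexpected root element {root.tag!r}")
    result = root.find(f"{{{NS}}}Result")
    if result is None or result.text is None:
        raise ValueError("missing Result element")
    return root.get("status"), result.text.strip()


def compare_forms():
    """Map each form name to (regex answer, parser answer)."""
    return {name: (regex_result(doc), parser_result(doc))
            for name, doc in FORMS.items()}


if __name__ == "__main__":
    for name, (rx, parsed) in compare_forms().items():
        print(f"{name:28s} regex={rx!r:6} parser={parsed}")
```

Only the `canonical` form satisfies the regex; the parser returns `('ok', 'Y')` for all four. A receiver that validates the *parsed* document (root element, namespace, required children, and then the schema) accepts every conforming peer, while one that pattern-matches the wire bytes silently rejects any partner whose serialiser makes a different but legal choice.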