On Fri, Oct 02, 2009 at 03:13:35AM -0700, Ovid wrote:
> --- On Fri, 2/10/09, Nicholas Clark <n...@ccl4.org> wrote:
>
> > From: Nicholas Clark <n...@ccl4.org>
> >
> > > 2. No insistence on 3dsecure (because really, it's horrifically
> > > insecure).
> >
> > And badly implemented by quite a few providers.
> > (There's XML, and a DTD. If the XML validates against the DTD, that means
> > that it's *VALID*, dammit, so don't reject it)
> >
> > However, one can't take payments from Maestro unless one has 3D insecure.
> > (And it seems that even easyJet are no longer large enough to wiggle out
> > of that one)
>
> OK, I give. That's two references to how insecure 3D secure is. Given that I
> know nothing about it other than the annoying fact that I've forgotten my
> password for it, could someone explain why it's broken?
There's a description about how little it takes to reset the password in the link Tom gave:

http://econsultancy.com/blog/4356-why-has-google-checkout-dropped-maestro

Ben Laurie explains it here:

http://www.links.org/?p=591

It's indistinguishable from a phishing scam.

Even better, which Ben doesn't cover, is that some banks have implemented it by outsourcing it to a third party, which then serves the pages from *its* domain. (Rather than having DNS delegated, so that 3dinsecure.rbs.gov.uk is a CNAME pointing to an IP owned and hosted by the outsourcer)

So you get a popup saying "I'm from your bank; tell me your secrets" popping up in a new window (believe it or not, originally with branding guidelines that were "don't show a URL bar etc"), served from a domain which is nothing to do with your bank. And often this is the first time that you, the card holder, have encountered the thing. Because your bank didn't bother to tell you about it in a communication from them that you trust is from them.

It's almost like some enterprising chap in Nigeria wrote the specs for the banks, to save the costs of having to do it themselves.

Nicholas Clark