On Friday 02 October 2009 11:13:35 Ovid wrote:

> OK, I give. That's two references to how insecure 3D secure is. Given that
> I know nothing about it other than the annoying fact that I've forgotten my
> password for it, could someone explain why it's broken?
Well, there's the fact that, for years, we've been trying to educate Internet users not to enter details into untrusted websites, and now all of a sudden they're expected to trust some random page that appears in a popup/iframe from some domain entirely unrelated to the one they're in the middle of trying to give their card details to? Like, for instance, securesuite.co.uk - would you trust that random domain? (Incidentally, that's the domain that RSA forgot to renew at one point...!)

See, for instance, http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam

It's a poor attempt towards three-factor authentication, but it relies upon entering a password - which will be picked up by the same keylogging/sniffing techniques they'd use to grab the rest of your details if you're entering them on a compromised machine. However, now, the bank has shifted liability to the customer, claiming that since the transaction was authorised with their "secret password", they have no right to repudiate the transaction.

Cheers

Dave P