Re: Mastercard Securecode



On Thu, 28 Aug 2008 04:48:53 +0800,
Chris Blunt <mail@xxxxxxxxxx> wrote:
> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" <me@xxxxxxx> wrote:
>
> > David Woolley wrote:
> > > I've deferred registering with VbV, and I haven't used Mastercard online
> > > for a long time, but does the system authenticate itself to you, and
> > > does that authentication depend on a shared secret, but not pass it over
> > > the wire? If not, it is vulnerable to a man-in-the-middle attack, and
> > > you need to check the SSL certificate and ignore the way it authenticates
> > > itself to you.
> >
> > "Reece Bythell" wrote:
> > > Speaking for Securecode only (I don't have a VbV card), the system can be
> > > user-configured to offer you a greeting which only the card owner should
> > > know. The greeting is completely separate from the authentication
> > > credentials.
> >
> > That's a shared "secret" that *is* passed over the wire. So,
> > as the man said, it is vulnerable to a man-in-the-middle attack.
>
> The personal greeting, as well as the box for entering your SecureCode
> password, appears in an entirely separate secure pop-up window that
> comes directly from your bank. The merchant (assuming that's what you
> meant by man-in-the-middle) doesn't see any of the information
> contained in that browser window.

Not when I use it. The popup is in a domain called securesite.co.uk (or
possibly securesuite.co.uk, I can't remember for certain) with a
certificate issued to cyota (or something like that).

It would be trivial for a merchant to display a popup that looked
identical (except possibly this personal greeting - but I've never
been asked/told what to expect and so I suspect nor have many other
people), grab three characters of the code and then say "failed" and
send the person to the real site for the second attempt.

I suspect (although I don't know) that if you actually allow the popup
window then you can't even tell what domain you're connecting to - I
block popup windows so it opens in a new tab so I get to see the domain.

Tim.

--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.

http://www.woodall.me.uk/ http://www.locofungus.btinternet.co.uk/