date: Mon, 25 Aug 2008 01:01:00 -0700 (PDT),
group: uk.finance
Mastercard Securecode
Has anyone used this system and did it work? Recently I made an online
payment to tmobile through my tmobile account. Part of the way through
the process the Mastercard Securecode window popped up and prompted me
for some details. At first I thought it was a scam or some phishing
thing. Anyway, I continued along and it told me I had failed
authentication, however the payment still went through.
Now o2 are using the same system but my payment didn't get through
when I failed authentication this morning.
Does the Securecode system offer any advantage over the previous
method of online payment. Seems a total pain to me.
date: Mon, 25 Aug 2008 01:01:00 -0700 (PDT)
author: Stephen2
|
Re: Mastercard Securecode
On Mon, 25 Aug 2008 01:01:00 -0700 (PDT), Stephen2
wrote:
> Has anyone used this system and did it work? Recently I made an online
> payment to tmobile through my tmobile account. Part of the way through
> the process the Mastercard Securecode window popped up and prompted me
> for some details. At first I thought it was a scam or some phishing
> thing. Anyway, I continued along and it told me I had failed
> authentication, however the payment still went through.
> Now o2 are using the same system but my payment didn't get through
> when I failed authentication this morning.
Have you subscribed to the card's Securecode service? The username and
password and personal message need to be established as they are not the
same as you use to access your card's online account and statements.
> Does the Securecode system offer any advantage over the previous
> method of online payment. Seems a total pain to me.
I am sure they (MasterCard Secure and Verified by Visa) offer fraud
prevention advantages to the merchants and to the card issuers but I don't
see that they offer any direct and separate advantages to the card holders.
Tony
date: Mon, 25 Aug 2008 10:34:41 +0100
author: Anthony R. Gold
|
Re: Mastercard Securecode
Stephen2 wrote:
> Has anyone used this system and did it work? Recently I made an online
> payment to tmobile through my tmobile account. Part of the way through
> the process the Mastercard Securecode window popped up and prompted me
> for some details. At first I thought it was a scam or some phishing
On what basis did you decide it was not? I suspect you will find that
you were talking to some non-EEC system with no obvious connection with
Mastercard. At least that is the case if you try and pre-register for
Verified by Visa, and, I'm pretty certain, Securecode. What I don't
know, but suspect, is that that is still the case when you subsequently
get verified.
Chances are that it was legitimate, but see my recent, "Verifying Vefied
by Visa" thread.
> thing. Anyway, I continued along and it told me I had failed
If you provided existing credentials, not pre-registered for Securecode,
there is a serious usability problem with security implications. You
should change the credentials you gave to it, on the system to which
they really belong.
> authentication, however the payment still went through.
> Now o2 are using the same system but my payment didn't get through
> when I failed authentication this morning.
>
> Does the Securecode system offer any advantage over the previous
> method of online payment. Seems a total pain to me.
I've deferred registering with VbV and I haven't used Mastercard online,
for a long time, but, does the system authenticate itself to you, and
does that authentication depend on a shared secret, but not pass it over
the wire? If not, it is vulnerable to a man in the middle attack, and
you need to check the SSL certificate and ignore the way it
authenticates itself to you.
Unfortunately, the number of people who know enough to challenge the
authenticity of these systems is so small that they can't get beyond the
first line support people.
>
date: Mon, 25 Aug 2008 18:33:15 +0100
author: David Woolley lid
|
Re: Mastercard Securecode
David Woolley wrote:
> I've deferred registering with VbV and I haven't used Mastercard online,
> for a long time, but, does the system authenticate itself to you, and
> does that authentication depend on a shared secret, but not pass it over
> the wire? If not, it is vulnerable to a man in the middle attack, and
> you need to check the SSL certificate and ignore the way it authenticates
> itself to you.
Speaking for Securecode only (I don't have a VbV card), the system can be
user-configured to offer you a greeting which only the card owner should
know. The greeting is completely separate from the authentication credentials.
Reece
date: Wed, 27 Aug 2008 15:10:40 +0100
author: Reece Bythell
|
Re: Mastercard Securecode
> David Woolley wrote:
>> I've deferred registering with VbV and I haven't used Mastercard online,
>> for a long time, but, does the system authenticate itself to you, and
>> does that authentication depend on a shared secret, but not pass it over
>> the wire? If not, it is vulnerable to a man in the middle attack, and
>> you need to check the SSL certificate and ignore the way it authenticates
>> itself to you.
>
"Reece Bythell" wrote
> Speaking for Securecode only (I don't have a VbV card), the system can be
> user-configured to offer you a greeting which only the card owner should
> know. The greeting is completely separate from the authentication
> credentials.
That's a shared "secret" that *is* passed over-the-wire. So,
as the man said, it is vulnerable to a man-in-the-middle attack.
date: Wed, 27 Aug 2008 17:00:11 +0100
author: Tim
|
Re: Mastercard Securecode
On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>> David Woolley wrote:
>>> I've deferred registering with VbV and I haven't used Mastercard online,
>>> for a long time, but, does the system authenticate itself to you, and
>>> does that authentication depend on a shared secret, but not pass it over
>>> the wire? If not, it is vulnerable to a man in the middle attack, and
>>> you need to check the SSL certificate and ignore the way it authenticates
>>> itself to you.
>>
>"Reece Bythell" wrote
>> Speaking for Securecode only (I don't have a VbV card), the system can be
>> user-configured to offer you a greeting which only the card owner should
>> know. The greeting is completely separate from the authentication
>> credentials.
>
>That's a shared "secret" that *is* passed over-the-wire. So,
>as the man said, it is vulnerable to a man-in-the-middle attack.
>
The personal greeting, as well as the box for entering your SecureCode
password, appears in an entirely separate secure pop-up window that
comes directly from your bank. The merchant (assuming that's what you
meant by man-in-the middle) doesn't see any of the information
contained in that browser window.
Chris
date: Thu, 28 Aug 2008 04:48:53 +0800
author: Chris Blunt
|
Re: Mastercard Securecode
On Thu, 28 Aug 2008 04:48:53 +0800,
Chris Blunt wrote:
> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>
>>> David Woolley wrote:
>>>> I've deferred registering with VbV and I haven't used Mastercard online,
>>>> for a long time, but, does the system authenticate itself to you, and
>>>> does that authentication depend on a shared secret, but not pass it over
>>>> the wire? If not, it is vulnerable to a man in the middle attack, and
>>>> you need to check the SSL certificate and ignore the way it authenticates
>>>> itself to you.
>>>
>>"Reece Bythell" wrote
>>> Speaking for Securecode only (I don't have a VbV card), the system can be
>>> user-configured to offer you a greeting which only the card owner should
>>> know. The greeting is completely separate from the authentication
>>> credentials.
>>
>>That's a shared "secret" that *is* passed over-the-wire. So,
>>as the man said, it is vulnerable to a man-in-the-middle attack.
>>
>
> The personal greeting, as well as the box for entering your SecureCode
> password, appears in an entirely separate secure pop-up window that
> comes directly from your bank. The merchant (assuming that's what you
> meant by man-in-the middle) doesn't see any of the information
> contained in that browser window.
>
Not when I use it. The popup is in a domain called securesite.co.uk (or
possibly securesuite.co.uk, I can't remember for certain) with a
certificate issued to cyota (or something like that).
It would be trivial for a merchant to display a popup that looked
identical (except possibly this personal greeting - but I've never
been asked/told what to expect and so I suspect nor have many other
people), grab three characters of the code and then say "failed" and
send the person to the real site for the second attempt.
I suspect (although I don't know) that if you actually allow the popup
window then you can't even tell what domain you're connecting to - I
block popup windows so it opens in a new tab so I get to see the domain.
Tim.
--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.
http://www.woodall.me.uk/ http://www.locofungus.btinternet.co.uk/
date: Wed, 27 Aug 2008 22:24:29 +0000 (UTC)
author: Tim Woodall
|
Re: Mastercard Securecode
In uk.finance, Chris Blunt wrote:
>On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>
>>"Reece Bythell" wrote
>>> Speaking for Securecode only (I don't have a VbV card), the system can be
>>> user-configured to offer you a greeting which only the card owner should
>>> know. The greeting is completely separate from the authentication
>>> credentials.
>>
>>That's a shared "secret" that *is* passed over-the-wire. So,
>>as the man said, it is vulnerable to a man-in-the-middle attack.
>>
>
>The personal greeting, as well as the box for entering your SecureCode
>password, appears in an entirely separate secure pop-up window that
>comes directly from your bank. The merchant (assuming that's what you
>meant by man-in-the middle) doesn't see any of the information
>contained in that browser window.
AAMOI, when you see it, how do you know it came directly from your bank?
--
Mike Barnes
date: Thu, 28 Aug 2008 00:10:22 +0100
author: Mike Barnes
|
Re: Mastercard Securecode
On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes
wrote:
>In uk.finance, Chris Blunt wrote:
>>On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>>
>>>"Reece Bythell" wrote
>>>> Speaking for Securecode only (I don't have a VbV card), the system can be
>>>> user-configured to offer you a greeting which only the card owner should
>>>> know. The greeting is completely separate from the authentication
>>>> credentials.
>>>
>>>That's a shared "secret" that *is* passed over-the-wire. So,
>>>as the man said, it is vulnerable to a man-in-the-middle attack.
>>>
>>
>>The personal greeting, as well as the box for entering your SecureCode
>>password, appears in an entirely separate secure pop-up window that
>>comes directly from your bank. The merchant (assuming that's what you
>>meant by man-in-the middle) doesn't see any of the information
>>contained in that browser window.
>
>AAMOI, when you see it, how do you know it came directly from your bank?
Because the window displays the personal greeting which I agreed with
my credit card company when I registered for SecureCode. That phrase
is known only to me and them.
It seems a lot of people are reporting that they don't see any
personal greeting, and in any case have never been asked to set one up
with their bank. I'm guessing a bit here, but I think those may be
people who registered for SecureCode while performing a transaction
with a merchant, rather than directly at their bank's online banking
system. For those cases, I've no idea how they could be sure where the
pop-up window originates from.
Chris
date: Thu, 28 Aug 2008 07:25:16 +0800
author: Chris Blunt
|
Re: Mastercard Securecode
In uk.finance, Chris Blunt wrote:
>On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes
> wrote:
>
>>In uk.finance, Chris Blunt wrote:
>>>On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>>>
>>>>"Reece Bythell" wrote
>>>>> Speaking for Securecode only (I don't have a VbV card), the system can be
>>>>> user-configured to offer you a greeting which only the card owner should
>>>>> know. The greeting is completely separate from the authentication
>>>>> credentials.
>>>>
>>>>That's a shared "secret" that *is* passed over-the-wire. So,
>>>>as the man said, it is vulnerable to a man-in-the-middle attack.
>>>>
>>>
>>>The personal greeting, as well as the box for entering your SecureCode
>>>password, appears in an entirely separate secure pop-up window that
>>>comes directly from your bank. The merchant (assuming that's what you
>>>meant by man-in-the middle) doesn't see any of the information
>>>contained in that browser window.
>>
>>AAMOI, when you see it, how do you know it came directly from your bank?
>
>Because the window displays the personal greeting which I agreed with
>my credit card company when I registered for SecureCode. That phrase
>is known only to me and them.
>
>It seems a lot of people are reporting that they don't see any
>personal greeting, and in any case have never been asked to set one up
>with their bank. I'm guessing a bit here, but I think those may be
>people who registered for SecureCode while performing a transaction
>with a merchant, rather than directly at their bank's online banking
>system. For those cases, I've no idea how they could be sure where the
>pop-up window originates from.
Understood. What I was concerned about was the case of registering the
personal greeting during a merchant transaction. If that can't happen,
OK.
AAMOI what information do you have to provide to the retailer in order
to get the secure pop-up window from the bank, with your personal
greeting, displayed? Presumably there needs to be some safeguard so that
only you can do it.
--
Mike Barnes
date: Thu, 28 Aug 2008 08:50:10 +0100
author: Mike Barnes
|
Re: Mastercard Securecode
On Aug 28, 12:25 am, Chris Blunt wrote:
> On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes
>
>
>
> wrote:
> >In uk.finance, Chris Blunt wrote:
> >>On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>
> >>>"Reece Bythell" wrote
> >>>> Speaking for Securecode only (I don't have a VbV card), the system can be
> >>>> user-configured to offer you a greeting which only the card owner should
> >>>> know. The greeting is completely separate from the authentication
> >>>> credentials.
>
> >>>That's a shared "secret" that *is* passed over-the-wire. So,
> >>>as the man said, it is vulnerable to a man-in-the-middle attack.
>
> >>The personal greeting, as well as the box for entering your SecureCode
> >>password, appears in an entirely separate secure pop-up window that
> >>comes directly from your bank. The merchant (assuming that's what you
> >>meant by man-in-the middle) doesn't see any of the information
> >>contained in that browser window.
>
> >AAMOI, when you see it, how do you know it came directly from your bank?
>
> Because the window displays the personal greeting which I agreed with
> my credit card company when I registered for SecureCode. That phrase
> is known only to me and them.
>
> It seems a lot of people are reporting that they don't see any
> personal greeting, and in any case have never been asked to set one up
> with their bank. I'm guessing a bit here, but I think those may be
> people who registered for SecureCode while performing a transaction
> with a merchant, rather than directly at their bank's online banking
> system. For those cases, I've no idea how they could be sure where the
> pop-up window originates from.
>
Probably because we were forced into it against our will and better
judgement. IIRC, for the first couple of times it appeared there was a
"no thanks" button but after that it was compulsory (true for every
single card I own) I have NEVER had any official information EVER
about VbV. And as the ONLY extra piece of information needed to change
the password over what I tell the merchant already, is my DOB, it
seems like a complete waste of time.
The only good thing I can see about it is that if anyone is ever taken
in by an obvious phishing scam and the bank tries to claim that the
customer was negligent then VbV can be used to show that real
authentic banking sites also look like obvious phishing scams.
Tim.
date: Thu, 28 Aug 2008 01:56:05 -0700 (PDT)
author: unknown
|
Re: Mastercard Securecode
>>>>"Reece Bythell" wrote
>>>>> Speaking for Securecode only (I don't have a VbV card),
>>>>> the system can be user-configured to offer you a greeting
>>>>> which only the card owner should know. The greeting is
>>>>> completely separate from the authentication credentials.
>>>>
>>> "Tim" wrote:
>>>>That's a shared "secret" that *is* passed over-the-wire. So,
>>>>as the man said, it is vulnerable to a man-in-the-middle attack.
>>>>
>>>
>> Chris Blunt wrote:
>>>The personal greeting, as well as the box for entering your
>>>SecureCode password, appears in an entirely separate secure
>>>pop-up window that comes directly from your bank. ...
Ah, but how do you know **for sure** that it is
coming *directly* from your bank/VbV/SecureCode,
and not via a "man-in-the-middle"?
>> Chris Blunt wrote:
>>> ... The merchant (assuming that's what
>>> you meant by man-in-the middle) ...
Not necessarily the merchant, no -- anyone who manages to
install themself in the middle of the connection between you and
your bank/VbV/SC (by whatever means - eg DNS attack).
>> Chris Blunt wrote:
>>> ... doesn't see any of the information
>>> contained in that browser window.
But if there is a "man-in-the-middle", then any information
sent from your bank/VbV/SC would go to the man
in the middle first, who would just pass it on to you...
> Mike Barnes wrote:
>>AAMOI, when you see it, how do you know it came directly from your bank?
>
"Chris Blunt" wrote
> Because the window displays the personal greeting which I
> agreed with my credit card company when I registered for
> SecureCode. That phrase is known only to me and them.
... and a "man-in-the-middle" who pretends to be
VbV/SC to you, and pretends to be you to VbV/SC.
The scammer would pass the details that you give to them
(thinking they are VbV/SC) on to VbV/SC; VbV/SC then sends
back a message to them which includes your "personal greeting",
which the scammer simply forwards on to you (real-time).
See?
How can you be sure that you're talking *directly*
to your bank, and not via a man-in-the-middle?
date: Thu, 28 Aug 2008 10:20:52 +0100
author: Tim
|
Re: Mastercard Securecode
On Thu, 28 Aug 2008 08:50:10 +0100, Mike Barnes
wrote:
>In uk.finance, Chris Blunt wrote:
>>On Thu, 28 Aug 2008 00:10:22 +0100, Mike Barnes
>> wrote:
>>
>>>In uk.finance, Chris Blunt wrote:
>>>>On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>>>>
>>>>>"Reece Bythell" wrote
>>>>>> Speaking for Securecode only (I don't have a VbV card), the system can be
>>>>>> user-configured to offer you a greeting which only the card owner should
>>>>>> know. The greeting is completely separate from the authentication
>>>>>> credentials.
>>>>>
>>>>>That's a shared "secret" that *is* passed over-the-wire. So,
>>>>>as the man said, it is vulnerable to a man-in-the-middle attack.
>>>>>
>>>>
>>>>The personal greeting, as well as the box for entering your SecureCode
>>>>password, appears in an entirely separate secure pop-up window that
>>>>comes directly from your bank. The merchant (assuming that's what you
>>>>meant by man-in-the middle) doesn't see any of the information
>>>>contained in that browser window.
>>>
>>>AAMOI, when you see it, how do you know it came directly from your bank?
>>
>>Because the window displays the personal greeting which I agreed with
>>my credit card company when I registered for SecureCode. That phrase
>>is known only to me and them.
>>
>>It seems a lot of people are reporting that they don't see any
>>personal greeting, and in any case have never been asked to set one up
>>with their bank. I'm guessing a bit here, but I think those may be
>>people who registered for SecureCode while performing a transaction
>>with a merchant, rather than directly at their bank's online banking
>>system. For those cases, I've no idea how they could be sure where the
>>pop-up window originates from.
>
>Understood. What I was concerned about was the case of registering the
>personal greeting during a merchant transaction. If that can't happen,
>OK.
>
>AAMOI what information do you have to provide to the retailer in order
>to get the secure pop-up window from the bank, with your personal
>greeting, displayed? Presumably there needs to be some safeguard so that
>only you can do it.
Just the normal card details that you would normally enter as part of
an online purchase. If they identify the card as being enrolled in
SecureCode the window pops up. Once you recognise the personal
greeting as being authentic you enter your password in the box, the
window closes and the merchant confirms that the transaction has been
approved.
If the card issuer doesn't participate in SecureCode then the
transaction will be handled just like any other.
Chris
date: Thu, 28 Aug 2008 17:25:32 +0800
author: Chris Blunt
|
Re: Mastercard Securecode
> Mike Barnes wrote:
>>AAMOI what information do you have to provide to the
>>retailer in order to get the secure pop-up window from the
>>bank, with your personal greeting, displayed? Presumably
>>there needs to be some safeguard so that only you can do it.
>
"Chris Blunt" wrote
> Just the normal card details that you would normally enter as part
> of an online purchase. If they identify the card as being enrolled in
> SecureCode the window pops up. Once you recognise the personal
> greeting as being authentic you enter your password in the box, ...
You mean you don't even try to make sure that the
pop-up has come directly from your bank/VbV/SC?
date: Thu, 28 Aug 2008 10:31:15 +0100
author: Tim
|
Re: Mastercard Securecode
"Mike Barnes" wrote
> AAMOI, ...
AAMOI?
date: Thu, 28 Aug 2008 10:32:00 +0100
author: Tim
|
Re: Mastercard Securecode
On Thu, 28 Aug 2008 10:20:52 +0100, "Tim" wrote:
>>>>>"Reece Bythell" wrote
>>>>>> Speaking for Securecode only (I don't have a VbV card),
>>>>>> the system can be user-configured to offer you a greeting
>>>>>> which only the card owner should know. The greeting is
>>>>>> completely separate from the authentication credentials.
>>>>>
>>>> "Tim" wrote:
>>>>>That's a shared "secret" that *is* passed over-the-wire. So,
>>>>>as the man said, it is vulnerable to a man-in-the-middle attack.
>>>>>
>>>>
>>> Chris Blunt wrote:
>>>>The personal greeting, as well as the box for entering your
>>>>SecureCode password, appears in an entirely separate secure
>>>>pop-up window that comes directly from your bank. ...
>
>Ah, but how do you know **for sure** that it is
>coming *directly* from your bank/VbV/SecureCode,
>and not via a "man-in-the-middle"?
>
>>> Chris Blunt wrote:
>>>> ... The merchant (assuming that's what
>>>> you meant by man-in-the middle) ...
>
>Not necessarily the merchant, no -- anyone who manages to
>install themself in the middle of the connection between you and
>your bank/VbV/SC (by whatever means - eg DNS attack).
>
>>> Chris Blunt wrote:
>>>> ... doesn't see any of the information
>>>> contained in that browser window.
>
>But if there is a "man-in-the-middle", then any information
>sent from your bank/VbV/SC would go to the man
>in the middle first, who would just pass it on to you...
>
>> Mike Barnes wrote:
>>>AAMOI, when you see it, how do you know it came directly from your bank?
>>
>"Chris Blunt" wrote
>> Because the window displays the personal greeting which I
>> agreed with my credit card company when I registered for
>> SecureCode. That phrase is known only to me and them.
>
>... and a "man-in-the-middle" who pretends to be
>VbV/SC to you, and pretends to be you to VbV/SC.
>
>The scammer would pass the details that you give to them
>(thinking they are VbV/SC) on to VbV/SC; VbV/SC then sends
>back a message to them which includes your "personal greeting",
>which the scammer simply forwards on to you (real-time).
>
>See?
>
>How can you be sure that you're talking *directly*
>to your bank, and not via a man-in-the-middle?
I see your point.
I don't know what safeguards, if any, are in place in the system to
ensure that can't happen.
Chris
date: Thu, 28 Aug 2008 18:09:08 +0800
author: Chris Blunt
|
Re: Mastercard Securecode
In uk.finance, Chris Blunt wrote:
>On Thu, 28 Aug 2008 08:50:10 +0100, Mike Barnes
> wrote:
>
>>AAMOI what information do you have to provide to the retailer in order
>>to get the secure pop-up window from the bank, with your personal
>>greeting, displayed? Presumably there needs to be some safeguard so that
>>only you can do it.
>
>Just the normal card details that you would normally enter as part of
>an online purchase. If they identify the card as being enrolled in
>SecureCode the window pops up. Once you recognise the personal
>greeting as being authentic you enter your password in the box, the
>window closes and the merchant confirms that the transaction has been
>approved.
It sounds as if anyone armed with your credit card details could start a
transaction using them and obtain your personal greeting. How, then, can
you be sure that a pop-up window containing your personal greeting
actually comes from your bank? Or have I missed something?
--
Mike Barnes
date: Thu, 28 Aug 2008 10:45:56 +0100
author: Mike Barnes
|
Re: Mastercard Securecode
On Thu, 28 Aug 2008 10:45:56 +0100, Mike Barnes
wrote:
>In uk.finance, Chris Blunt wrote:
>>On Thu, 28 Aug 2008 08:50:10 +0100, Mike Barnes
>> wrote:
>>
>>>AAMOI what information do you have to provide to the retailer in order
>>>to get the secure pop-up window from the bank, with your personal
>>>greeting, displayed? Presumably there needs to be some safeguard so that
>>>only you can do it.
>>
>>Just the normal card details that you would normally enter as part of
>>an online purchase. If they identify the card as being enrolled in
>>SecureCode the window pops up. Once you recognise the personal
>>greeting as being authentic you enter your password in the box, the
>>window closes and the merchant confirms that the transaction has been
>>approved.
>
>It sounds as if anyone armed with your credit card details could start a
>transaction using them and obtain your personal greeting. How, then, can
>you be sure that a pop-up window containing your personal greeting
>actually comes from your bank? Or have I missed something?
If it's the correct personal greeting and it's contained in a secure
browser window then I have a reasonable degree of confidence. Of
course I don't have any absolute certainty that there isn't some
fraudulent activity going on that I'm unaware of. Of all the risks
that I'm exposed to in everyday life, that possibility comes well down
the list of things that might keep me awake at night.
Chris
date: Thu, 28 Aug 2008 19:13:36 +0800
author: Chris Blunt
|
Re: Mastercard Securecode
Tim wrote:
> "Mike Barnes" wrote
>> AAMOI, ...
>
> AAMOI?
As a matter of interest?
date: Thu, 28 Aug 2008 11:14:01 GMT
author: Ronald Raygun ldomain
|
Re: Mastercard Securecode
In uk.finance, Tim wrote:
>"Mike Barnes" wrote
>> AAMOI, ...
>
>AAMOI?
Google is your friend, but to save you the trouble:
"As A Matter of Interest".
--
Mike Barnes
date: Thu, 28 Aug 2008 11:32:19 +0100
author: Mike Barnes
|
Re: Mastercard Securecode
"Chris Blunt" wrote
> If it's the correct personal greeting and it's contained in a secure
> browser window then I have a reasonable degree of confidence.
All that means is that you're reasonably sure no-one
will intercept the message between you and the secure
server that you're talking to; unfortunately, that secure
server might easily be a "man-in-the-middle"...
"Chris Blunt" wrote
> Of course I don't have any absolute certainty that there isn't
> some fraudulent activity going on that I'm unaware of. Of all the
> risks that I'm exposed to in everyday life, that possibility comes
> well down the list of things that might keep me awake at night.
date: Thu, 28 Aug 2008 12:33:58 +0100
author: Tim
|
Re: Mastercard Securecode
On Wed, 27 Aug 2008 22:24:29 +0000 (UTC),
Tim Woodall wrote:
> On Thu, 28 Aug 2008 04:48:53 +0800,
> Chris Blunt wrote:
>> On Wed, 27 Aug 2008 17:00:11 +0100, "Tim" wrote:
>>
>>>> David Woolley wrote:
>>>>> I've deferred registering with VbV and I haven't used Mastercard online,
>>>>> for a long time, but, does the system authenticate itself to you, and
>>>>> does that authentication depend on a shared secret, but not pass it over
>>>>> the wire? If not, it is vulnerable to a man in the middle attack, and
>>>>> you need to check the SSL certificate and ignore the way it authenticates
>>>>> itself to you.
>>>>
>>>"Reece Bythell" wrote
>>>> Speaking for Securecode only (I don't have a VbV card), the system can be
>>>> user-configured to offer you a greeting which only the card owner should
>>>> know. The greeting is completely separate from the authentication
>>>> credentials.
>>>
>>>That's a shared "secret" that *is* passed over-the-wire. So,
>>>as the man said, it is vulnerable to a man-in-the-middle attack.
>>>
>>
>> The personal greeting, as well as the box for entering your SecureCode
>> password, appears in an entirely separate secure pop-up window that
>> comes directly from your bank. The merchant (assuming that's what you
>> meant by man-in-the middle) doesn't see any of the information
>> contained in that browser window.
>>
> Not when I use it. The popup is in a domain called securesite.co.uk (or
> possibly securesuite.co.uk, I can't remember for certain) with a
> certificate issued to cyota (or something like that).
>
That seems to have changed! I've just used my card and I've gone to
secure.barclaycard.co.uk. That's definitely a huge improvement. I'm not
sure if that's a feature of the merchant or something that has changed
(may have been some time ago as I rarely bother to look at the url)
Tim.
--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.
http://www.woodall.me.uk/ http://www.locofungus.btinternet.co.uk/
date: Thu, 28 Aug 2008 20:54:09 +0000 (UTC)
author: Tim Woodall
|
Re: Mastercard Securecode
Chris Blunt wrote:
> I don't know what safeguards, if any, are in place in the system to
> ensure that can't happen.
The only safeguard they have is the SSL certificate that confirms that
the authenticity of the URL you are connecting to has been checked by
someone that your browser supplier thinks you should trust to check that
authenticity (you can further restrict it, but hardly anyone does).
Whilst that is not perfect, it actually does provide some protection
against man in the middle attacks (and is the only real reason why web
site owners need to pay for certificates, and users need to update their
root certificates).
Unfortunately, the operation of, at least VbV appears to have been
outsourced to a US company, so when you try to pre-register with VbV you
find you are talking to a US company with no well known relation with
your bank or Visa. I believe Mastercard use the same company. Worse,
they are pretending to be based in the UK, by using a uk.co.uk domain name.
From what's been said in the thread, they also use a tactic used by
people who want to misrepresent who is providing a service and try to
suppress the address bar. Whilst this is certainly a phishing tactic,
it will be used here for branding purposes, so the interaction appears
to be branded by Visa/Mastercard or your bank, rather than the company
that is really doing the work. I'm assuming here that there hasn't been
a man in the middle attack on my attempts to pre-register, and that
Cyota really are VbV's authorised agents.
It does sound, from this thread, as though Barclays may have accepted
that having an unknown domain name was not a good idea. One suspects
that they are still outsourcing, but have given the outsourcer the
credentials needed to use a Barclays sub-domain.
The secret from the bank basically gives you no protection, and is
presumably there to give the consumer false confidence, because they are
not able to understand how the SSL protection works, or the threats
that it counters.
date: Fri, 29 Aug 2008 07:54:23 +0100
author: David Woolley
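The post above separates two cases: a password page served from an unknown outsourcer domain, and one served from a sub-domain of the bank. The sketch below is an added example, not part of the thread; it classifies an authentication page URL on that basis. The helper name and the `.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit


def auth_page_verdict(url, issuer_domains):
    """Classify the page that asks for the card password (hypothetical helper).

    'issuer'      - HTTPS, host is an issuer domain or a sub-domain of one
    'third-party' - HTTPS, but the certificate only vouches for some other name
    'reject'      - no HTTPS or no host, so no certificate check applies
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject"
    # .hostname drops any "user@" prefix and the port, and lowercases the name.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject"
    for domain in issuer_domains:
        domain = domain.lower().rstrip(".")
        # Match on a label boundary so "notbank.example" does not pass.
        if host == domain or host.endswith("." + domain):
            return "issuer"
    return "third-party"


# Constructed sample data: reserved .example names, not real bank or vendor hosts.
ISSUER_DOMAINS = ["bank.example"]
SAMPLES = [
    "https://secure.bank.example/acs",               # bank sub-domain
    "https://secure-auth.example/acs",               # outsourcer's own domain
    "https://bank.example.secure-auth.example/acs",  # bank name as a prefix only
    "https://bank.example@secure-auth.example/acs",  # bank name in userinfo
    "https://notbank.example/acs",                   # suffix without a dot boundary
    "http://secure.bank.example/acs",                # no TLS at all
]


def classify_samples():
    """Return {url: verdict} for the constructed samples."""
    return {url: auth_page_verdict(url, ISSUER_DOMAINS) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in classify_samples().items():
        print(f"{verdict:12} {url}")
```

A 'third-party' verdict can still carry a perfectly valid certificate: the certificate authenticates the name in the address bar, not that name's relationship to the bank.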
|
Re: Mastercard Securecode
On Aug 25, 10:34 am, "Anthony R. Gold"
wrote:
> On Mon, 25 Aug 2008 01:01:00 -0700 (PDT), Stephen2
> wrote:
>
> > Has anyone used this system and did it work? Recently I made an online
> > payment to tmobile through my tmobile account. Part of the way through
> > the process the Mastercard Securecode window popped up and prompted me
> > for some details. At first I thought it was a scam or some phishing
> > thing. Anyway, I continued along and it told me I had failed
> > authentication, however the payment still went through.
> > Now o2 are using the same system but my payment didn't get through
> > when I failed authentication this morning.
>
> Have you subscribed to the card's Securecode service? The username and
> password and personal message need to be established as they are not the
> same as you use to access your card's online account and statements.
>
> > Does the Securecode system offer any advantage over the previous
> > method of online payment. Seems a total pain to me.
>
> I am sure they (MasterCard Secure and Verified by Visa) offer fraud
> prevention advantages to the merchants and to the card issuers but I don't
> see that they offer any direct and separate advantages to the card holders.
>
> Tony
I decided to look up my bank's online help on this. They say
SecureCode is valid for HSBC Premier MasterCard, Gold MasterCard &
Credit Card. Since my card is Solo this new system shouldn't apply yet
online payment systems are still prompting me for SecureCode
authentication and are failing.
I never asked for this, I never received any info from my bank about
it or telling me I have to register for it, it doesn't apply to my
type of card and yet I now seem unable to make online payments (even
though one transaction failed SecureCode authentication and was still
accepted by t-mobile).
So, since it doesn't apply to my card is there anything I can do to
get around this? Or is my Solo card a 'credit card' when it's used for
the purpose of online payments?
date: Fri, 29 Aug 2008 01:11:35 -0700 (PDT)
author: Stephen2
|
Re: Mastercard Securecode
On Aug 29, 9:11 am, Stephen2 wrote:
> On Aug 25, 10:34 am, "Anthony R. Gold"
> wrote:
>
>
>
> > On Mon, 25 Aug 2008 01:01:00 -0700 (PDT), Stephen2
> > wrote:
>
> > > Has anyone used this system and did it work? Recently I made an online
> > > payment to tmobile through my tmobile account. Part of the way through
> > > the process the Mastercard Securecode window popped up and prompted me
> > > for some details. At first I thought it was a scam or some phishing
> > > thing. Anyway, I continued along and it told me I had failed
> > > authentication, however the payment still went through.
> > > Now o2 are using the same system but my payment didn't get through
> > > when I failed authentication this morning.
>
> > Have you subscribed to the card's Securecode service? The username and
> > password and personal message need to be established as they are not the
> > same as you use to access your card's online account and statements.
>
> > > Does the Securecode system offer any advantage over the previous
> > > method of online payment. Seems a total pain to me.
>
> > I am sure they (MasterCard Secure and Verified by Visa) offer fraud
> > prevention advantages to the merchants and to the card issuers but I don't
> > see that they offer any direct and separate advantages to the card holders.
>
> > Tony
>
> I decided to look up my bank's online help on this. They say
> SecureCode is valid for HSBC Premier MasterCard, Gold MasterCard &
> Credit Card. Since my card is Solo this new system shouldn't apply yet
> online payment systems are still prompting me for SecureCode
> authentication and are failing.
>
> I never asked for this, I never received any info from my bank about
> it or telling me I have to register for it, it doesn't apply to my
> type of card and yet I now seem unable to make online payments (even
> though one transaction failed SecureCode authentication and was still
> accepted by t-mobile).
>
> So, since it doesn't apply to my card is there anything I can do to
> get around this? Or is my Solo card a 'credit card' when it's used for
> the purpose of online payments?
A quick call to HSBC confirmed it does apply to any debit or credit
card. I've registered now so hopefully it will work from now on.
date: Fri, 29 Aug 2008 01:27:48 -0700 (PDT)
author: Stephen2
|