>Visa Starts Password Service to Fight Online Fraud

I took a look at the description of the scheme, with links at:
http://www.usa.visa.com/business/merchants/verified_online_purchases.html

It seems pretty straightforward. When a merchant gets a customer's card number, the merchant queries (via an SSL link) a Visa server to find out whether the card has a password. If it does, the merchant (or apparently some componentware of Visa's) asks for the password or a smart-card swipe and sends that along, again via SSL, with the rest of the transaction data for approval. The incentive for the merchant is that Visa promises that password-verified transactions aren't subject to some kinds of chargebacks. Nobody expects many people to sign up for this any time soon.

Other than the inherent problem that all software has bugs, I don't see any obvious horrible gaping holes, although I was a wee bit surprised that when I followed the card signup link on Bank of America's web site I ended up in the cyota.com domain, a software vendor in Israel, although traceroutes showed that the server in question was at a web hosting company in Georgia, which is neither in Israel nor in North Carolina or California where the bank's main offices are. Why does this not make me feel more secure?

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail

---------------------------------------------------------------------
The Cryptography Mailing List
