On Tue, Dec 04, 2001 at 12:30:12AM -0500, John R. Levine wrote:
> >Visa Starts Password Service to Fight Online Fraud
>
> I took a look at the description of the scheme, with links at:
>
> http://www.usa.visa.com/business/merchants/verified_online_purchases.html
>
> It seems pretty straightforward. When a merchant gets a customer's
> card number, the merchant queries (via an SSL link) a Visa server to
> find out whether the card has a password. If it does, the merchant (or
> apparently some componentware of Visa's) asks for the password or
> a smart-card swipe and sends that along, again via SSL, with the
> rest of the transaction data for approval. The incentive for the
> merchant is that Visa promises that password-verified transactions
> aren't subject to some kinds of chargebacks. Nobody expects many
> people to sign up for this any time soon.

So what is to stop a merchant from caching the password? Visa then
swallows the bill? Or does it get encrypted the same way debit cards
currently do so in Canada?

> Other than the inherent problem that all software has bugs, I don't
> see any obvious horrible gaping holes, although I was a wee bit
> surprised that when I followed the card signup link on Bank of
> America's web site I ended up in the cyota.com domain, a software
> vendor in Israel, although traceroutes showed that the server in
> question was at a web hosting company in Georgia, which is neither in
> Israel nor in North Carolina or California where the bank's main
> offices are. Why does this not make me feel more secure?
>
>
> --
> John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
> [EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
> Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

	slainte mhath, RGB

--
Richard Guy Briggs -- ~\ Auto-Free Ottawa! Canada
<www.TriColour.net> -- \@ @ <www.flora.org/afo/>
No Internet Wiretapping! -- _\\/\%___\\/\% Vote! -- <Green.ca>
<www.FreeSWAN.org>_______GTVS6#790__(*)_______(*)(*)_______<www.Marillion.com>
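The caching question raised in the reply, as an added example that is not part of either message and is not Visa's design: a toy issuer that accepts a merchant-relayed static password, next to an assumed alternative in which the cardholder's side sends a MAC bound to one nonce and one transaction. The `Issuer` class, `cardholder_tag`, the card number and the password are all hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Toy card issuer holding one secret per card (constructed model)."""

    def __init__(self):
        self._secrets = {}
        self._seen_nonces = set()

    def enroll(self, card, password):
        self._secrets[card] = password.encode()

    def approve_static(self, card, password, txn):
        # Flow as described in the message: the merchant forwards the password
        # itself, so the same value is valid for every transaction (txn unused).
        return hmac.compare_digest(self._secrets[card], password.encode())

    def new_nonce(self):
        return secrets.token_hex(16)

    def approve_bound(self, card, nonce, txn, tag):
        # Assumed alternative: proof is a MAC over (nonce, txn); nonce is one-use.
        if nonce in self._seen_nonces:
            return False
        self._seen_nonces.add(nonce)
        expected = cardholder_tag(self._secrets[card].decode(), nonce, txn)
        return hmac.compare_digest(expected, tag)


def cardholder_tag(password, nonce, txn):
    """Computed on the cardholder's side; the merchant only relays the tag."""
    msg = f"{nonce}|{txn}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()


def demo():
    issuer = Issuer()
    card, pw = "4000-0000-0000-0002", "correct horse"  # constructed test values
    issuer.enroll(card, pw)
    # Static password: the value a merchant cached approves a later order too.
    static_replay = issuer.approve_static(card, pw, "order-2:999.00")
    # Bound proof: a cached (nonce, tag) pair is useless for any other order.
    nonce = issuer.new_nonce()
    tag = cardholder_tag(pw, nonce, "order-1:19.99")
    first = issuer.approve_bound(card, nonce, "order-1:19.99", tag)
    same_again = issuer.approve_bound(card, nonce, "order-1:19.99", tag)
    other = issuer.approve_bound(card, issuer.new_nonce(), "order-2:999.00", tag)
    return static_replay, first, same_again, other
```

Keying the MAC directly with a human-chosen password is kept only to make the model small; a tag derived that way can be guessed offline, so a real design would use a device-held key.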
