VbyV password reset is childishly simple

Much was made of how easy it was for a hacker to reset Sarah Palin's webmail account password and gain illicit access to emails, but resetting passwords for Verified by Visa - which supposedly makes online transactions more secure - is arguably even easier. To reset Palin's email account a hacker needed to know the Republican …

COMMENTS

This topic is closed for new posts.


  1. Thomas Baker
    Thumb Down

    I like this comment:

    "We're at the early stages of this system so we need something that allows people to re-register easily. As people get more used to it customer authentication can be ramped up. Some banks are already introducing two-factor authentication for online transactions."

    Imagine a car manufacturer saying:

    "We're at the early stages of this car so we need something that allows people to drive it easily. As people get more used to it we'll add stuff like brakes, lights, seatbelts, bumpers, crumple zones, etc later..."

    The rest of us out here in techie land have to get things right first time, we go through iterative testing, and beta and all that crap; we define a final goal and work towards that goal and don't release a product or a method until that goal has been achieved.

    They're saying, "In the early days, thousands of people could be ripped off, but we'll make it more secure later, honest..."

    What, using the same idiot-minds you're using now? What will it be, another layer of duct tape over the existing layer of duct tape?

    Oh for a government that had any kind of corporate responsibility agenda in its back pocket.

    Balls.

  2. Matthew Flint
    Stop

    You *don't* "talk to your bank"

    Dave says: "You then talk to your bank, nobody else, and when they're finished they bounce you back to a page on the retailers site."

    WRONG! The details are submitted to another party's website. Not the retailer. Not your bank. Not even Visa themselves... Someone like "arcot.com". Ever heard of them? No, me neither.

    (The "arcot.com" example comes from the checkout at "dabs.com")

    I closed my Smile account because of concerns about VbV, and would encourage others to do the same.

  3. Anonymous Coward

    @Hayden Clark

    "Because the VbV page is a frame, the browser can't report, either by the colour of the URL bar, or by dinky icons in the status area, the verification results for the VbV page. A scammy retailer is thus free to invent their own page, stealing your VbV password. Or you could be redirected by DNS poisoning or crapware on your PC."

    You could deliberately submit an incorrect value the first time. If it's accepted, it wasn't the real deal.
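
As an added illustration of the point in the two comments above, and not code from any poster in this thread: the VbV step is delivered in a frame, so the address bar never tells you which origin actually receives the password. The only way to find out is to read the checkout page's source. The Python below (standard library only) pulls every iframe source and form action out of a checkout page and labels each as belonging to the merchant, to the cardholder's bank, to some third party, or as plain HTTP. The host names shop.example, bank.example, acs.vendor.example and ads.tracker.example and the HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class CheckoutScanner(HTMLParser):
    """Collects where a checkout page's iframes load from and its forms post to."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))


def owned_by(host, domain):
    """True if host is exactly `domain` or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url, page_url, merchant, bank):
    """Label one target by who runs the host it points at."""
    parts = urlsplit(urljoin(page_url, url))  # relative URLs resolve to the merchant page
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "insecure"      # anything you type here travels in the clear
    if owned_by(host, merchant):
        return "merchant"
    if owned_by(host, bank):
        return "bank"
    return "third-party"       # neither the shop nor your bank: an ACS vendor, or a fake


def scan(html, page_url, merchant, bank):
    scanner = CheckoutScanner()
    scanner.feed(html)
    return [(kind, url, classify(url, page_url, merchant, bank))
            for kind, url in scanner.targets]


# Constructed checkout page; the host names are placeholders, not real sites.
SAMPLE_CHECKOUT = """
<html><body>
<form action="/checkout/confirm" method="post"><input name="order" value="1234"></form>
<iframe src="https://acs.vendor.example/vbv/challenge?tx=abc" width="400" height="300"></iframe>
<iframe src="http://ads.tracker.example/pixel"></iframe>
</body></html>
"""


def findings():
    """Run the scan on the constructed page as if the shopper banks at bank.example."""
    return scan(SAMPLE_CHECKOUT, "https://shop.example/checkout", "shop.example", "bank.example")


if __name__ == "__main__":
    for kind, url, label in findings():
        print(f"{label:12s} {kind:7s} {url}")
```

On the constructed page the password frame comes back as "third-party", which is exactly what the poster saw with arcot.com at dabs.com. Two caveats: the parent page only shows where the frame is loaded from, not where the form inside it posts, so the frame's own document has to be fetched and scanned the same way; and a dishonest merchant can serve a different page per visitor, so this is a spot check on one page load, not proof that the site is honest.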

  4. Anonymous Coward

    @wayne tavitt

    You're on to something there perhaps; a flock of birds, a herd of cows, a wunch of bankers. Works on all sorts of levels.

  5. Kevin Raineri

    Visa/MC are close to better POS and online security

    They're just lagging behind on testing the latest card technology that incorporates One-Time Password token technology into the card itself. OTP generators have already been proven in the corporate security world (RSA, VeriSign, Entrust, etc.) but the keychain form factor is too clunky for us to carry around. A few weeks ago, Bank of America launched "SafePass", a card token that is essentially a credit card sized OTP generator that displays a 6-digit OTP on the face of the card when the customer squeezes a button on the card. This is great for online banking account access and eventually will secure web and other card-not-present purchases when merchants realize that chargebacks could be eliminated by accepting an OTP card instead of a credit card number.

    At POS, if Visa/MC would modify their security protocol for VbyV and SecureCode slightly, they could dramatically improve the security of credit card transactions online and at POS. For the online world, rather than use a static password that is too easily reset, if they prompt for a One-Time Password that can only be generated by the original card, they eliminate card duplication fraud and copied card numbers being used remotely. For the POS world, a program change that can be downloaded to the terminals would enable an "OTP" transaction type. So the cardholder has a choice: Credit, Debit or OTP. An OTP transaction at POS would prompt the cardholder to press the button on the card, enter the 6-digit OTP plus their PIN.

    I shamelessly admit that I work for one of the OTP card makers but I have been following this "powered card" technology for over 12 years now and have a passion to help protect our identities. The technology exists and it's affordable. Barclays is testing these cards now so you'll soon see the OTP card in the UK market. We need to stop fraudulent transactions at the point of sale, online or otherwise, by using One-Time Passwords built into the debit/credit cards. Awareness is the first step toward better solutions. Check out InCard.
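
As an added example, not from the poster above and not the code of any card maker or issuer: the comment describes a button-press card that shows a 6-digit code, and the issuer checking that code plus a PIN. The Python below shows the shape of that exchange using the event-based OTP of RFC 4226 (HMAC-SHA1 over a press counter), which is the standard algorithm for a button-driven token; whether a given card product uses it is an assumption. Both sides are simulated in one process, the secret is the RFC 4226 test-vector key, and the PIN handling is a stand-in for an HSM. The scenario at the end walks through the cases that matter: a genuine press, a replay of the same code, a wrong PIN, a card that has run ahead because of idle squeezes, and an old skimmed code.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-long zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpCard:
    """Cardholder side: the burnt-in secret and a counter that moves on every press."""

    def __init__(self, secret):
        self._secret = secret
        self._counter = 0

    def press_button(self):
        code = hotp(self._secret, self._counter)
        self._counter += 1          # every press consumes one counter value
        return code


class IssuerRecord:
    """Issuer side for one card (hypothetical, not any issuer's real code):
    the shared secret, the next counter it expects, and a PIN hash."""

    LOOK_AHEAD = 10   # presses the card may be ahead of the issuer (idle squeezes in a wallet)

    def __init__(self, secret, pin):
        self._secret = secret
        self._next_counter = 0
        # Demo only: a real issuer verifies PINs inside an HSM, never from a plain hash.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def verify(self, otp, pin):
        """Accept only the right PIN and a fresh OTP inside the look-ahead window.
        An accepted OTP moves the counter past itself, so the same code can never be replayed."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            return False          # wrong PIN burns nothing: the OTP stays valid for a retry
        for c in range(self._next_counter, self._next_counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self._secret, c), otp):
                self._next_counter = c + 1   # resync and burn every earlier value
                return True
        return False


def run_scenario():
    """Constructed walk-through of the transactions the comment describes."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, not a real card key
    card, issuer = OtpCard(secret), IssuerRecord(secret, pin="4321")
    results = {}
    otp = card.press_button()
    results["genuine"] = issuer.verify(otp, "4321")        # True
    results["replayed"] = issuer.verify(otp, "4321")       # False: that counter is burnt
    results["wrong_pin"] = issuer.verify(card.press_button(), "0000")   # False
    for _ in range(3):
        card.press_button()        # idle squeezes: the card runs ahead of the issuer
    results["resynced"] = issuer.verify(card.press_button(), "4321")    # True via look-ahead
    results["old_skimmed"] = issuer.verify("755224", "4321")            # False: counter-0 code, long burnt
    return results


if __name__ == "__main__":
    for case, ok in run_scenario().items():
        print(f"{case:12s} {'accepted' if ok else 'rejected'}")
```

The point the comment makes is visible in the last two cases: a card number copied from a receipt or a skimmed old code is worthless without the card in hand, because each code is tied to a counter the issuer has already moved past. The look-ahead window is the trade-off that makes a squeezable card usable at all; keep it small, because every extra counter the issuer will accept is another code an attacker could guess, and rate-limit failed attempts per card.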
