Has anyone used this system and did it work? Recently I made an online payment to tmobile through my tmobile account. Part of the way through the process the Mastercard Securecode window popped up and prompted me for some details. At first I thought it was a scam or some phishing thing. Anyway, I continued along and it told me I had failed authentication, however the payment still went through. Now o2 are using the same system but my payment didn't get through when I failed authentication this morning.
Does the Securecode system offer any advantage over the previous method of online payment? Seems a total pain to me.
Have you subscribed to the card's Securecode service? The username and password and personal message need to be established as they are not the same as you use to access your card's online account and statements.
I am sure they (MasterCard Secure and Verified by Visa) offer fraud prevention advantages to the merchants and to the card issuers but I don't see that they offer any direct and separate advantages to the card holders.
On what basis did you decide it was not? I suspect you will find that you were talking to some non-EEC system with no obvious connection with Mastercard. At least that is the case if you try and pre-register for Verified by Visa, and, I'm pretty certain, Securecode. What I don't know, but suspect, is that that is still the case when you subsequently get verified.
Chances are that it was legitimate, but see my recent, "Verifying Verified by Visa" thread.
If you provided existing credentials, not pre-registered for Securecode, there is a serious usability problem with security implications. You should change the credentials you gave to it, on the system to which they really belong.
I've deferred registering with VbV and I haven't used Mastercard online, for a long time, but, does the system authenticate itself to you, and does that authentication depend on a shared secret, but not pass it over the wire? If not, it is vulnerable to a man in the middle attack, and you need to check the SSL certificate and ignore the way it authenticates itself to you.
Unfortunately, the number of people who know enough to challenge the authenticity of these systems is so small that they can't get beyond the first line support people.
Speaking for Securecode only (I don't have a VbV card), the system can be user-configured to offer you a greeting which only the card owner should know. The greeting is completely separate from the authentication credentials.
The personal greeting, as well as the box for entering your SecureCode password, appears in an entirely separate secure pop-up window that comes directly from your bank. The merchant (assuming that's what you meant by man-in-the middle) doesn't see any of the information contained in that browser window.
Not when I use it. The popup is in a domain called securesite.co.uk (or possibly securesuite.co.uk, I can't remember for certain) with a certificate issued to cyota (or something like that).
It would be trivial for a merchant to display a popup that looked identical (except possibly this personal greeting - but I've never been asked/told what to expect and so I suspect nor have many other people), grab three characters of the code and then say "failed" and send the person to the real site for the second attempt.
I suspect (although I don't know) that if you actually allow the popup window then you can't even tell what domain you're connecting to - I block popup windows so it opens in a new tab so I get to see the domain.
Because the window displays the personal greeting which I agreed with my credit card company when I registered for SecureCode. That phrase is known only to me and them.
It seems a lot of people are reporting that they don't see any personal greeting, and in any case have never been asked to set one up with their bank. I'm guessing a bit here, but I think those may be people who registered for SecureCode while performing a transaction with a merchant, rather than directly at their bank's online banking system. For those cases, I've no idea how they could be sure where the pop-up window originates from.
Understood. What I was concerned about was the case of registering the personal greeting during a merchant transaction. If that can't happen, OK.
AAMOI what information do you have to provide to the retailer in order to get the secure pop-up window from the bank, with your personal greeting, displayed? Presumably there needs to be some safeguard so that only you can do it.
Probably because we were forced into it against our will and better judgement. IIRC, for the first couple of times it appeared there was a "no thanks" button but after that it was compulsory (true for every single card I own). I have NEVER had any official information EVER about VbV. And as the ONLY extra piece of information needed to change the password over what I tell the merchant already, is my DOB, it seems like a complete waste of time.
The only good thing I can see about it is that if anyone is ever taken in by an obvious phishing scam and the bank tries to claim that the customer was negligent then VbV can be used to show that real authentic banking sites also look like obvious phishing scams.
Ah, but how do you know **for sure** that it is coming *directly* from your bank/VbV/SecureCode, and not via a "man-in-the-middle"?
Not necessarily the merchant, no -- anyone who manages to install themself in the middle of the connection between you and your bank/VbV/SC (by whatever means - eg DNS attack).
But if there is a "man-in-the-middle", then any information sent from your bank/VbV/SC would go to the man in the middle first, who would just pass it on to you...
"Chris Blunt" wrote
... and a "man-in-the-middle" who pretends to be VbV/SC to you, and pretends to be you to VbV/SC.
The scammer would pass the details that you give to them (thinking they are VbV/SC) on to VbV/SC; VbV/SC then sends back a message to them which includes your "personal greeting", which the scammer simply forwards on to you (real-time).
See?
How can you be sure that you're talking *directly* to your bank, and not via a man-in-the-middle?
Just the normal card details that you would normally enter as part of an online purchase. If they identify the card as being enrolled in SecureCode the window pops up. Once you recognise the personal greeting as being authentic you enter your password in the box, the window closes and the merchant confirms that the transaction has been approved.
If the card issuer doesn't participate in SecureCode then the transaction will be handled just like any other.
It sounds as if anyone armed with your credit card details could start a transaction using them and obtain your personal greeting. How, then, can you be sure that a pop-up window containing your personal greeting actually comes from your bank? Or have I missed something?
If it's the correct personal greeting and it's contained in a secure browser window then I have a reasonable degree of confidence. Of course I don't have any absolute certainty that there isn't some fraudulent activity going on that I'm unaware of. Of all the risks that I'm exposed to in everyday life, that possibility comes well down the list of things that might keep me awake at night.
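The relay argument made in this thread, modelled as an added example that is not part of any post here and is not SecureCode's or VbV's actual protocol: it compares what a cardholder can verify when connected directly to the issuer and when connected through a forwarding intermediary. The origins, card number, greeting, enrolment secret and the HMAC challenge-response scheme are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; none of these names or values come from the thread.
ISSUER_ORIGIN = "https://acs.issuer.example"
RELAY_ORIGIN = "https://acs-issuer.example.net"
CARD = "5555000011112222"
ENROLLED = {CARD: {"greeting": "blue heron", "secret": b"set-at-enrolment"}}

class Issuer:
    origin = ISSUER_ORIGIN
    def greeting(self, card):
        # Static greeting: returned to whoever presents the card details.
        return ENROLLED[card]["greeting"]

    def proof(self, card, nonce, bind_origin):
        # Keyed proof over the client's nonce; the secret never leaves the issuer.
        msg = nonce + (self.origin.encode() if bind_origin else b"")
        return hmac.new(ENROLLED[card]["secret"], msg, hashlib.sha256).digest()

class Relay:
    """Forwards every request to the real issuer and returns the answer unchanged."""
    origin = RELAY_ORIGIN

    def __init__(self, upstream):
        self.upstream = upstream

    def greeting(self, card):
        return self.upstream.greeting(card)

    def proof(self, card, nonce, bind_origin):
        return self.upstream.proof(card, nonce, bind_origin)

def cardholder_checks(endpoint, card=CARD):
    """Return which checks pass for the endpoint the browser is connected to."""
    rec = ENROLLED[card]  # the cardholder knows their own greeting and secret
    nonce = secrets.token_bytes(16)
    results = {"greeting": endpoint.greeting(card) == rec["greeting"]}
    for name, bind in (("hmac_nonce_only", False), ("hmac_origin_bound", True)):
        # The client mixes in the origin its own browser reports, not a claimed one.
        msg = nonce + (endpoint.origin.encode() if bind else b"")
        expected = hmac.new(rec["secret"], msg, hashlib.sha256).digest()
        results[name] = hmac.compare_digest(expected, endpoint.proof(card, nonce, bind))
    return results

if __name__ == "__main__":
    for ep in (Issuer(), Relay(Issuer())):
        print(ep.origin, cardholder_checks(ep))
```

Through the relay the greeting check and the nonce-only proof both still pass; only the proof that covers the origin the browser is actually connected to fails, which is the same information a certificate and domain check gives the cardholder.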