Mastercard Securecode

"Chris Blunt" wrote

All that means is that you're reasonably sure no-one will intercept the message between you and the secure server that you're talking to; unfortunately, that secure server might easily be a "man-in-the-middle"...

Tim

That seems to have changed! I've just used my card and I've gone to secure.barclaycard.co.uk. That's definitely a huge improvement. I'm not sure if that's a feature of the merchant or something that has changed (may have been some time ago, as I rarely bother to look at the URL).

Tim.

Tim Woodall

The only safeguard they have is the SSL certificate that confirms that the authenticity of the URL you are connecting to has been checked by someone that your browser supplier thinks you should trust to check that authenticity (you can further restrict it, but hardly anyone does). Whilst that is not perfect, it actually does provide some protection against man in the middle attacks (and is the only real reason why web site owners need to pay for certificates, and users need to update their root certificates).

Unfortunately, the operation of at least VbV appears to have been outsourced to a US company, so when you try to pre-register with VbV you find you are talking to a US company with no well-known relation with your bank or Visa. I believe Mastercard use the same company. Worse, they are pretending to be based in the UK, by using a uk.co.uk domain name.

From what's been said in the thread, they also use a tactic used by people who want to misrepresent who is providing a service and try to suppress the address bar. Whilst this is certainly a phishing tactic, it will be used here for branding purposes, so the interaction appears to be branded by Visa/Mastercard or your bank, rather than the company that is really doing the work. I'm assuming here that there hasn't been a man in the middle attack on my attempts to pre-register, and that Cyota really are VbV's authorised agents.

It does sound, from this thread, as though Barclays may have accepted that having an unknown domain name was not a good idea. One suspects that they are still outsourcing, but have given the outsourcer the credentials needed to use a Barclays sub-domain.

The secret from the bank basically gives you no protection, and is presumably there to give the consumer false confidence, because they are not able to understand how the SSL protection works, or the threats that it counters.

David Woolley

I decided to look up my bank's online help on this. They say SecureCode is valid for HSBC Premier MasterCard, Gold MasterCard & Credit Card. Since my card is Solo this new system shouldn't apply, yet online payment systems are still prompting me for SecureCode authentication and are failing.

I never asked for this, I never received any info from my bank about it or telling me I have to register for it, it doesn't apply to my type of card and yet I now seem unable to make online payments (even though one transaction failed SecureCode authentication and was still accepted by t-mobile).

So, since it doesn't apply to my card is there anything I can do to get around this? Or is my Solo card a 'credit card' when it's used for the purpose of online payments?

Stephen2

A quick call to HSBC confirmed it does apply to any debit or credit card. I've registered now so hopefully it will work from now on.

Stephen2
