{"id":1017,"date":"2008-10-24T10:01:12","date_gmt":"2008-10-24T18:01:12","guid":{"rendered":"\/?p=1017"},"modified":"2008-10-24T10:01:12","modified_gmt":"2008-10-24T18:01:12","slug":"the-emperors-new-clothes","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1017","title":{"rendered":"The Emperor&#39;s new clothes"},"content":{"rendered":"<p>The UK&#39;s <a href=\"http:\/\/www.theregister.co.uk\/\">Register <\/a>has been running a series of articles by <a href=\"http:\/\/search.theregister.co.uk\/?author=John%20Leyden\">John Leyden<\/a>\u00a0\u00a0(<a href=\"http:\/\/www.theregister.co.uk\/2008\/10\/23\/vbyv_analysis\/\">here<\/a>, <a href=\"http:\/\/www.theregister.co.uk\/2008\/08\/07\/verified_by_visa_compulsion\">here <\/a>and <a href=\"http:\/\/www.theregister.co.uk\/2008\/10\/23\/vbyv_password_reset\/\">here<\/a>) about <a href=\"http:\/\/www.visaeurope.com\/merchant\/handlingvisapayments\/cardnotpresent\/verifiedbyvisa.jsp\">Verified By Visa (VByV)<\/a>.\u00a0\u00a0Verified By Visa uses the same kind of &#8220;site redirection&#8221; I&#39;ve written about many times with respect to OpenID and other password-based federation technologies &#8211; but in this case it is a banking password that can be stolen.<\/p>\n<p>The phishing scenario is simple enough.\u00a0 If you happen onto an &#8220;evil&#8221; site and are tricked into purchasing something, it can &#8220;misdirect&#8221; your browser to a counterfeit VByV signon page.\u00a0 As John explains, you have little chance, as a user, of knowing you are being duped, but once you enter your password it is available to the evil site for both instant use and future reuse.\u00a0 Those familiar with this site will understand that this is yet another example of an attack that <strong>cannot be made against Information Card users.<\/strong><\/p>\n<p>Beyond focussing attention on the phishing problems inherent in &#8220;site redirection&#8221; approaches,\u00a0John argues that\u00a0the system 
&#8211; though\u00a0claiming to be more secure &#8211; is actually\u00a0just as <strong>vulnerable<\/strong> as\u00a0non-VByV mechanisms.\u00a0\u00a0He then\u00a0argues &#8211; and I have no knowledge as to whether this is\u00a0the case &#8211;\u00a0that the false claims about increased security are being used to\u00a0reject complaints by end-users about irregularities and fraudulent purchases made in their name.\u00a0 If that were true, it would be scandalous.<\/p>\n<p>Friends, this is a case of &#8220;The Writing on the Wall&#8221;.\u00a0 I think people in the industry should see John&#39;s work as\u00a0a sign of what&#39;s to come.\u00a0 \u00a0He is the guy in the fable who is\u00a0shouting out that\u00a0&#8220;the Emperor has no\u00a0clothes!&#8221;\u00a0\u00a0And he&#39;s doing it\u00a0cogently to\u00a0the wide readership of the Register.<\/p>\n<p>If I were an advisor to the emperor at this point\u00a0I would\u00a0insist on\u00a0two things:\u00a0<\/p>\n<ol>\n<li>admit the vulnerability of all systems based on &#8220;site redirection&#8221;; and<\/li>\n<li>start getting into phishing-resistant technologies like Information Cards while one&#39;s modesty\u00a0can still be protected.<\/li>\n<\/ol>\n<p>John makes his points without the stench of jargon.\u00a0 In spite of this,\u00a0North American readers will require a dictionary to follow what he&#39;s saying (I did).\u00a0\u00a0I&#39;m talking here about a dictionary of British idioms (thanks to my friend Richard Turner for boosting my vocabulary on this one)\u00a0:<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"font-size: 10pt; font-family: \"><strong>punter <\/strong><\/span><em><span style=\"font-size: 10pt; font-family: \">n<\/span><\/em><span style=\"font-size: 10pt; font-family: \"> guy. 
A punter is usually a customer of some sort (the word originally meant someone who was placing bets at a racecourse)&#8230;<\/span><\/p>\n<p><span style=\"font-size: x-small; font-family: Verdana;\">To see a bit of\u00a0what mainstream press worldwide will be writing about as far as the paucity of redirection technology for long-tail scenarios is concerned, I do suggest looking first hand at these articles.\u00a0 One small <a href=\"http:\/\/www.theregister.co.uk\/2008\/10\/23\/vbyv_analysis\/\">taste<\/a>:<\/span><\/p>\n<p style=\"padding-left: 30px;\">Both Verified by Visa (VbyV) and MasterCard&#39;s equivalent SecureCode service are marketed as offering extra security checks to online purchases. Importantly, the schemes also transfer liability for bogus transactions away from merchants who use the system back towards banks (and perhaps ordinary e-commerce punters).<\/p>\n<p style=\"padding-left: 30px;\">Online shoppers who buy goods and service with participating retailers are asked to submit a VbyV or SecureCode password to authorise transactions. These additional checks are typically submitted via a website affiliated to a card-issuing bank but with no obvious connection to a user&#39;s bank.<\/p>\n<p style=\"padding-left: 30px;\">Punters aren&#39;t informed up front that a merchant has signed up to Verified by Visa. 
Sites used to authenticate a VbyV or SecureCode password routinely deliver a dialogue box using a pop-up window or inline frame, making it difficult to detect whether or not a site is genuine.<\/p>\n<p style=\"padding-left: 30px;\">The appearance of phishing attacks hunting for Verified by Visa passwords is among the reasons some punters are wary of the technology.<\/p>\n<p style=\"padding-left: 30px;\">Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction&#8230;<\/p>\n<p style=\"padding-left: 30px;\">The little-publicised mandatory use of the technology by some banks means that those with reservations have an uphill struggle to opt out of the scheme&#8230;<\/p>\n<p style=\"padding-left: 30px;\">Verified by Visa and Mastercard SecureCode are there purely to protect the banks, not the card holder. They offer zero additional protection to the consumer, but allow the bank to claim that transactions using purloined credit card credentials were really made by the card holder. 
It is as simple as that.<\/p>\n<p style=\"padding-left: 30px;\">[More <a href=\"http:\/\/www.theregister.co.uk\/2008\/10\/23\/vbyv_analysis\/\">here<\/a>].<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Does an Internet purchase turn you into a &#8220;punter&#8221;?<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[63,62,13,2,7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1017"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1017"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1017\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1017"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1017"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1017"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}