Hacker News

While 3DSecure and Verified by Visa are good ideas in theory, the implementation is a mess. For example, my bank requires me to enter my banking username and password into the banking website, which is loaded via an iframe inside the merchant's site. How is a regular user supposed to verify that the iframe loaded his banking website and not some phishing website?


My bank is marginally better than this and includes a string I set when I first configured 3D Secure in the iframe, but it's still a mess and asking for phishing attacks.


Sounds like a problem with your bank. Mine prompts me for a token that is sent to my phone, where it also shows me what transaction I confirm. In addition, the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of SSL this would be safe.


> In addition, the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of SSL this would be safe.

No, they can do a replay attack on this setup when not encrypted.


It's a transaction-bound, short-lived one-time token. Nothing you can replay.


The memorable message isn't.


Sure, but that memorable message is not really all that useful on a non-SSL page, but it's also not particularly important from a security point of view.
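An added example, not code from the thread or from any bank's 3D Secure implementation: a bank-side model of the transaction-bound, short-lived, one-time token discussed above (the service class, field names and lifetime are assumptions), showing why a captured token cannot be reused for another transaction, a second time, or after it expires. A static memorable message has none of these properties, which is the point made about it above.

```python
import hmac
import secrets
import time

# Added example, not code from the thread or from any bank's 3DS implementation.
# Models the token described above: one-time, short-lived, bound to one transaction.
TOKEN_TTL_SECONDS = 120  # assumed lifetime


class BankTokenService:
    """Bank-side state for transaction-bound one-time confirmation tokens."""
    def __init__(self):
        self._pending = {}  # txn_id -> {"nonce": str, "expires": float}

    def issue(self, txn_id, merchant, amount_cents, now=None):
        # The nonce and a summary of the transaction go to the cardholder's
        # phone out of band; the nonce is what the user types back.
        now = time.time() if now is None else now
        nonce = secrets.token_hex(3)  # demo size; 6 hex chars
        self._pending[txn_id] = {"nonce": nonce, "expires": now + TOKEN_TTL_SECONDS}
        return nonce, f"{merchant} {amount_cents / 100:.2f}"

    def confirm(self, txn_id, typed_nonce, now=None):
        """Return (ok, reason); a token is consumed on first successful use."""
        now = time.time() if now is None else now
        entry = self._pending.get(txn_id)
        if entry is None:
            return False, "no pending token for this transaction"
        if now > entry["expires"]:
            del self._pending[txn_id]
            return False, "expired"
        if not hmac.compare_digest(entry["nonce"], typed_nonce):
            return False, "token does not match this transaction"
        del self._pending[txn_id]  # one-time: cannot be presented again
        return True, "confirmed"


def replay_demo():
    """Constructed walk-through with fixed timestamps: a token captured for
    transaction A is useless for transaction B, for a second use on A, and after TTL."""
    bank = BankTokenService()
    t0 = 1_700_000_000.0
    nonce_a, _ = bank.issue("A", "shop.example", 1999, now=t0)
    bank.issue("B", "other-shop.example", 99900, now=t0)
    out = {"other_txn": bank.confirm("B", nonce_a, now=t0 + 1)[0]}
    out["legit"] = bank.confirm("A", nonce_a, now=t0 + 1)[0]
    out["second_use"] = bank.confirm("A", nonce_a, now=t0 + 2)[0]
    nonce_c, _ = bank.issue("C", "shop.example", 500, now=t0)
    out["expired"] = bank.confirm("C", nonce_c, now=t0 + TOKEN_TTL_SECONDS + 1)[0]
    return out
```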



