by the_mitsuhiko 3740 days ago
My Austrian bank embeds a 2FA system in the iframe. I get an authentication code on my phone and enter that. It typically asks for that when shipping to a new address or on first use of a vendor that uses 3dsecure.

While 3DSecure and Verified by Visa are a good idea in theory, the implementation is a mess. For example, my bank requires me to enter my banking username and password into the banking website, which is loaded via an iframe inside the merchant's site. How is a regular user supposed to verify that the iframe loaded his banking website and not some phishing website?
My bank is marginally better than this and includes a string I set when I first configured 3D Secure in the iframe, but it's still a mess and asking for phishing attacks.
Sounds like a problem with your bank. Mine prompts me for a token that is sent to my phone, where it also shows me what transaction I confirm. In addition, the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of SSL this would be safe.
> In addition, the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of SSL this would be safe.

No, they can do a replay attack on this setup when not encrypted.

It's a transaction-bound, short-lived, one-time token. Nothing you can replay.
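As an added illustration (not code from anyone in this thread or from any bank), this is what the server side of a transaction-bound, short-lived, one-time code as described in the comment above looks like: the code is an HMAC over the challenge id, a hash of the transaction details the cardholder is shown, and the issue time, so it is useless for a different transaction, after its time window, or a second time. The key, limits, field names and the `OtpChallengeStore` class are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: a real issuer keeps this key in an HSM and tunes limits to its risk policy.
DEMO_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 120      # the code dies two minutes after it is sent
MAX_ATTEMPTS = 3             # stop online guessing of a 6-digit code


def transaction_digest(merchant: str, amount_cents: int, currency: str, card_last4: str) -> bytes:
    """Canonical hash of exactly the details the cardholder is shown on the phone."""
    canonical = f"{merchant}|{amount_cents}|{currency}|{card_last4}".encode()
    return hashlib.sha256(canonical).digest()


class OtpChallengeStore:
    """Server-side state for transaction-bound, short-lived, single-use codes (hypothetical)."""

    def __init__(self, key: bytes = DEMO_KEY):
        self._key = key
        self._challenges: dict[str, dict] = {}

    def _code_for(self, challenge_id: str, tx_digest: bytes, issued_at: int) -> str:
        # The code commits to the challenge, the transaction and the issue time at once.
        msg = challenge_id.encode() + tx_digest + issued_at.to_bytes(8, "big")
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def create(self, tx: dict, now: int) -> tuple[str, str]:
        """Start a challenge. Returns (challenge_id for the merchant session, code sent to the phone)."""
        challenge_id = secrets.token_hex(8)
        tx_digest = transaction_digest(**tx)
        self._challenges[challenge_id] = {
            "tx": tx_digest, "issued_at": now, "used": False, "attempts": 0,
        }
        return challenge_id, self._code_for(challenge_id, tx_digest, now)

    def verify(self, challenge_id: str, code: str, tx: dict, now: int) -> str:
        """Check a submitted code against the transaction the merchant is now asking to authorize."""
        rec = self._challenges.get(challenge_id)
        if rec is None:
            return "unknown-challenge"
        if rec["used"]:
            return "already-used"          # a captured code cannot be submitted twice
        if rec["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        if now - rec["issued_at"] > TOKEN_TTL_SECONDS:
            return "expired"               # short-lived: a code recorded today is dead tomorrow
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["tx"], transaction_digest(**tx)):
            return "transaction-mismatch"  # code was approved for different merchant/amount
        expected = self._code_for(challenge_id, rec["tx"], rec["issued_at"])
        if not hmac.compare_digest(expected, code):
            return "bad-code"
        rec["used"] = True
        return "ok"


if __name__ == "__main__":
    store = OtpChallengeStore()
    # Constructed sample transaction, as it would be displayed on the cardholder's phone.
    tx = {"merchant": "Example Shop", "amount_cents": 4999, "currency": "EUR", "card_last4": "1234"}
    cid, code = store.create(tx, now=1000)
    print("first use:", store.verify(cid, code, tx, now=1010))
    print("replayed:", store.verify(cid, code, tx, now=1011))
    cid2, code2 = store.create(tx, now=2000)
    print("other amount:", store.verify(cid2, code2, dict(tx, amount_cents=99999), now=2005))
    print("too late:", store.verify(cid2, code2, tx, now=2000 + TOKEN_TTL_SECONDS + 1))
```

The point the comment makes is visible in `verify`: even if an attacker observes the six digits in transit, the stored record pins them to one challenge, one transaction digest and one two-minute window, and the record is marked used on the first success.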
The memorable message isn't.
Sure, but that memorable message is not really all that useful on a non-SSL page, but it's also not particularly important from a security point of view.
My German bank does the same, my UK bank just asks for details that are written on the card. Seems a bit ... weak and prone to attacks.