[gst]

While 3DSecure and Verified by Visa is a good idea in theory, the implementation is a mess. For example, my bank requires me to enter my banking username and password into the banking website, which is loaded via an iframe inside the merchants site. How is a regular user supposed to verify that the iframe loaded his banking website and not some phishing website?

[jon-wood]

My bank is marginally better than this and includes a string I set when I first configured 3D Secure in the iframe, but its still a mess and asking for phishing attacks.

[the_mitsuhiko]

Sounds like a problem with your bank. Mine prompts me for a token that is sent to my phone where it also shows me what transaction i confirm. In addition the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of ssl this would be safe.

[Natanael_L]

> In addition the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of ssl this would be safe.

No, they can do a replay attack on this setup when not encrypted

[the_mitsuhiko]

It's a transaction bound short lived one time token. Nothing you can replay.

[Natanael_L]

The memorable message isn't.

[the_mitsuhiko]

Sure, but that memorable message is not really all that useful on a non SSL page, but it's also not particularly important from a security point of view.