undefined | Better HN

0 pointsderefr1y ago0 comments

No, (Visa) 3D Secure is challenge-response. It pops the iframe on behalf of your bank, sure, but the iframe itself is operated on a white-labelled basis by Visa (with your bank's insignia put there because Visa knows the bank logos by CCN BIN prefix.) The iframe (i.e. Visa) says it sent you an SMS verification code; you plug the code into their iframe; and transaction continues. You never need to log into your bank.

Note how there's no point in MITMing that flow by presenting a phishing version of the confirmation iframe—all the iframe is asking for is the code, and the code is single-use, and all it can be used for is to approve that one transaction.

0 comments

3 comments · 1 top-level

kevincox1y ago· 2 in thread

My banks ask for a password in that iframe. Not some type of one-time-code. Although I have mostly Mastercard cards, so maybe Mastercard just screwed it up?

If it was just an OTP why would the iframe even be necessary? The main site could just send it.

derefrOP1y ago

> My banks as for a password in that iframe. Not done type of one-time-code.

Maybe there's an option for this that a bank can choose when "enabling" 3D Secure? Seems stupid, though. Never experienced it personally.

> If it was just an OTP why would yhe iframe even be necessary?

90% of 3D Secure isn't the user interaction, it's browser integrity checking and permacookie-based submission deduplication. Essentially the iframe delivers a payload similar to the one used by Cloudflare Turnstile. That kind of thing could run in the context of a website (like Cloudflare Turnstile does), but it's a lot easier to manage when it's on its own secure origin without other scripts able to mess with it.

jonathanlydall1y ago

It’s not necessarily an OTP, it’s any form of additional verification that the bank decides to implement.

My bank allows me to switch between SMS or USSD.

When in France in late 2000s the bank did a stupid “virtual PIN pad”, which I suppose was better than nothing, but only barely.

But the point is that the system could allow any kind of verification including new and modern Passkeys.

j / k navigate · click thread line to collapse