Address Bar
Martin Atkins
mart at degeneration.co.uk
Wed Mar 25 17:57:24 UTC 2009
Allen Tom wrote:
> Do you have more details about the verified by visa process? I'm not
> familiar with it.
>
> I actually bought something online this morning, and I noticed that the
> merchant's checkout confirmation page mentioned something about portions
> of the screen being rendered by my credit card issuer in an iframe,
> which I thought was a weird thing to tell to the end user.
>
I'm by no means an expert on 3D-Secure (which is the technology
underlying Verified By Visa), but the flow seems very similar to OpenID:

* Merchant does "discovery" on your credit card to find out who your
  provider is.
* Merchant sends you to that provider where the provider authenticates
  you by some means -- in my case, I get asked to enter three letters out
  of a secret word and some other security questions, but I assume this
  varies from provider to provider -- and sends an assertion back to the
  merchant.
* The merchant receives the assertion and processes the transaction.

The ever-reliable Wikipedia tells me that the Verified By Visa brand of
the protocol recommends loading the provider's UI in an iframe in order
to *stop* users seeing the address bar, because many savvy users mistook
it for a phishing scam:

http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/

(One might argue that this would be less of an issue if the issuing
banks served the data in their own domain rather than outsourcing it,
but I digress.)

The "criticism" section of the Wikipedia page on 3D-Secure details a
bunch of problems that OpenID implementors have also encountered.