Firefox 32 moves to kill MITM attacks

The Mozilla Foundation has stepped up its efforts to improve browser security with the launch of Firefox 32, adding public key pinning to try and protect users from man-in-the-middle and other attacks. The change is among a bunch of enhancements offered in the new version, now available for Windows, Mac, Linux and Android …

  1. russell 6

    New Firefox update killed my internet

    Last night I updated to Firefox v32 from v31 and it killed my internet; even IE on a fully patched Win 8.1 couldn't connect. Skype still worked though... Had to do a system restore to get back the old version 31. Now looking for the solution.

    1. Anonymous Coward
      Joke

      Re: New Firefox update killed my internet

      "it killed my internet"

      You have your own internet? Impressive.

      Works just fine here on the other internet.

  2. Kevin Johnston

    Ah but..

    Does this kill off my most hated MITM vector also known as 'Verified by Visa'?

    That is such a secure model that as long as you know some basic trivia about a person you can reset the password. I no longer bother trying to remember it and do my best to avoid sites that inflict it on me.

    1. Anonymous Coward

      Re: Ah but..

      Verified by visa

      Ah yes, Verified by Visa... I've had this on a few occasions where I've gone to buy tickets and that extra layer of security has kicked in and I've been presented with random questions to answer that they think nobody else would be able to answer, such as these gems:

      What street have you been associated with?

      Great question, rock solid. You get given four answers, three of which are streets that don't exist according to a quick check of Google Maps.

      Which of the following persons have you been associated with?

      Another four answers, three of which even my nieces and nephews would be able to deduce are completely made-up names, usually old-fashioned first names with a rarely heard-of surname... The remaining one had my surname and was my brother. Never figured out how they knew it was my brother and to put his name in there, as I am 100% certain I've never sent him money from that account and we've never resided at the same property for at least 20 years. Spooky one; I've never figured it out.

      Which phone number have you been associated with?

      Again four answers: two dud area codes, one right area code with a clearly dud phone number, and the right one.

      1. Anonymous Coward

        Re: Ah but..

        " completely made up names usually old fashioned first names with a rarely heard of surname"

        Well, that should confuse the various fraudsters associated with the Dark Continent; they have yet to come up with a fictitious identity whose name I found at all plausible.

      2. Wensleydale Cheese

        Re: Ah but..

        "Never figured out how they knew it was my brother and to put his name in there ..."

        Let me guess.

        You both have the same value in the "Mother's maiden name" field.

        :-)

    2. DrXym

      Re: Ah but..

      It might be annoying that you have to pass a second stage of verification to complete a purchase, but it does protect against fraud. It protects the merchant (because fraudsters won't bother with a site which is protected this way). It protects your card from fraudulent activity. And it gives Visa / Mastercard the chance to do extra authentication and traffic analysis that might spot fraudulent activity in progress - e.g. a bunch of failed transactions across an IP block in Romania is not a pattern that individual stores might spot, but Visa / Mastercard could.

      And there is no reason either that the security questions have to be correct. If you're asked your mother's maiden name then enter something non-obvious - e.g. Kerplop. If you're asked your first car then enter Horsemax 5000. And so on. Store the answers in Password Safe so you can reference them. Now you're safe.

      1. Anonymous Coward

        Re: Ah but..

        "And there is no reason either that the security questions have to be correct. If you're asked your mother's maiden name then enter something non-obvious - e.g. Kerplop. If you're asked your first car then enter Horsemax 5000. And so on. Store the answers in Password Safe so you can reference them. Now you're safe."

        The thing is, I never set any of the security questions. I have no idea where it got my brother's name from, and it also asked me which postcode I'd been associated with, and the correct answer was one where this particular Visa account had never been registered. Not sure how they generate these questions, but I've definitely not set them, because otherwise I would've put wrong answers to the questions, because as with what we've seen regarding Apple ID accounts, you can use social engineering to get the correct answers.

  3. Anonymous Coward
    Trollface

    New CAs

    Amongst the new root certificates added is one from this CA. If I can't even pronounce it then should I trust it?

    CN = CA 沃通根证书

      1. Malcolm 1

        Re: New CAs

        Well if you can't trust an accountant, who can you trust?

  4. John Sanders
    Meh

    At least this version..

    Doesn't seem to be missing any old functionality.

    And feels slightly more agile.

  5. Reg T.

    Call it what you like.

    It is still "paid for" by Google. Whatever they have done - they will not "bite" the hand that feeds them.

    1. John Gamble

      Re: Call it what you like.

      "It is still "paid for" by Google. Whatever they have done - they will not "bite" the hand that feeds them."

      Okay... just what in the way of "biting" do you think Firefox should be doing? Because right now your comment looks like a context-free knee-jerk.

  6. Richard Tector

    DANE

    Assuming endpoint support for DNSSEC, DANE (RFC6698) achieves something similar. http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

    Also, unless I've missed something, with the pinning approach your initial (and therefore subsequent) visits to the site are still at risk?

    1. Dan 55 Silver badge

      Re: DANE

      Apparently the currently supported sites are hard-coded so the first visit can't be compromised. Support for the site itself to specify the CA is coming in a later version and that can be compromised on the first visit.

      There's a DNSSEC plugin for Firefox, it seems to work.
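The distinction Dan 55 draws (pins hard-coded in the browser versus pins the site sends on a first visit) can be shown in a small pin-validation model. This is an added example, not Firefox's code; the SPKI blobs and hostnames are constructed, and the header syntax assumed is the `Public-Key-Pins` form later standardized as HPKP (RFC 7469).

```python
import base64
import hashlib
import re

# Constructed sample SubjectPublicKeyInfo blobs (not real keys).
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-ca-spki"
ROGUE_SPKI = b"constructed-rogue-ca-spki"


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SPKI DER)), the form used by pin lists and HPKP."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Pins shipped inside the browser binary ("hard-coded" in the comment above):
# trusted before any visit, so a first-visit attacker cannot influence them.
PRELOADED_PINS = {"preloaded.test": {spki_pin(INTERMEDIATE_SPKI)}}

# Pins learned from a header on a previous visit (trust-on-first-use): whoever
# served that first response chose them, which is the first-visit weakness.
learned_pins = {}

_PIN_RE = re.compile(r'pin-sha256="([^"]+)"')


def learn_pins_from_header(host: str, header: str) -> bool:
    """Record the pin-sha256 directives of a Public-Key-Pins header value.
    RFC 7469 requires at least two pins (one backup); reject anything less."""
    pins = set(_PIN_RE.findall(header))
    if len(pins) < 2:
        return False
    learned_pins[host] = pins
    return True


def chain_matches_pins(host: str, chain_spkis: list) -> bool:
    """A chain passes if any SPKI in it matches a pin for the host.
    Preloaded pins win over learned ones; an unpinned host is not checked."""
    pins = PRELOADED_PINS.get(host) or learned_pins.get(host)
    if not pins:
        return True
    return any(spki_pin(s) in pins for s in chain_spkis)
```

For the preloaded host a rogue CA in the chain is rejected regardless of what the server says, while for the header-pinned host the rogue CA is accepted if it was the one that served the first response.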

  7. Anonymous Coward

    But...

    ... have they messed up the design any more? It seems to degrade from version to version.

  8. Alan Brown Silver badge

    Security updated

    Now, what about that festering memory leak if you leave the thing running for days on end and keep opening/closing tabs?

    1. DanceMan

      Re: Security updated

      Yes, absolutely that festering memory leak needs to be fixed.

  9. Ian Johnston Silver badge

    New features are all very well

    But I do wish they'd get round to dealing with that whole "being a bloated cycle-sucking RAM vampire" thing as well.
