Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Why is “Verified by Visa” integrated as an iFrame?
4 points by andor 4 days ago | hide | past | favorite | 5 comments
The PSD2 regulation in the Euro-zone now requires two-factor authentication for online credit card payments. So for every payment with my credit card, "Verified by Visa" or "Mastercard SecureCode" pop up and ask me to authenticate. Depending on the bank, the authentication can require the same credentials used to login to the online banking account.

The authentication requirement is a bit of a hassle (CC network should bear the fraud risk), but the part that seems absurd to me is that the integration is done as an iFrame. That means ordinary users are now trained to enter their banking credentials on random websites—the opposite of what they learned in years of phishing education.

Does anyone understand how it came to this?

I've only ever seen it as a redirect to the bank website? (And with my bank that then asks for me to confirm the transaction with an authenticator app, it doesn't request otherwise usable credentials)

It used to be a redirect, but lately I have only seen the iFrame version.

ah ok. Now that I think about it, not gotten the prompt in quite a while either way, so might have changed now.

iframe offers sandbox to your data. it allows websites to show info such as your email address from Google or services without said websites knowing your address. or to like a tweet with your account. or to leave a comment through Facebook. or to display targeted ads. or to enter credentials with somewhat safer environment. I say somewhat because it is safer done right but there will always be people entering their private crypto keys that totally throw off the statistics.

idk if iframe limits what the host site can read from the embedded site, but it could add more security because the host site can’t get your bank data.

As far as getting users accustomed to entering data in iframes, the average user won’t be able to tell what part of a site is iframe or not. And idk how much of a difference it makes if you can tell - any random site you enter your data could potentially steal it.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact