Verified by VISA
-
Verified by VISA is the biggest WTF I've ever seen.
Let me summarize a shopping experience I just had with Verified by VISA (this is the first time I've seen it):
I
go to buy a domain. I put in my credit card, plus the 3 digits on the
back, and all the rest of the stuff. I hit 'Order'. It pops up a
window, out of nowhere, which is loading the site 'saferpay.com',
non-SSL. That site forwards me to 'securesuite.net', which is
SSL-signed. I have never heard of either of these sites, and the names
don't fill me with confidence. If they were .visa.com or
.rbcroyalbank.com, then I'd feel better.
This suspicious popup
that I wasn't expecting asked me for my full name, my 3-digit verifier
(which I had already endered), and asked me to create a password, with
the condition that it had to be 6-15 characters, with no spaces
(wtf?). I gave it a new (decent) password, that was about 12
characters, no spaces. It said "Sorry, your password can't have
spaces". Broken JavaScript? So I hit 'Cancel' because I don't like
the looks of any of this, and the site I was at says, "thank you for
your payment!" ... so wtf, did it actually go through?
After
verifying that it did indeed fail, I went back through it, gave it the
weak 6-alphabetic password that I generally use for random sites, and
it gladly accepted that and the payment went through.
This really bothers me. They call this bull---err, crap online security? Please. Let's go over the list of WTFs:
- Paying with a credit card, I got a weird popup from a strange site (redirected from an insecure site) asking for my CC info
- The site asks for information that I had already given
- The password policy threw out my strong password and accepted my weak password
- It was impossible to tell if the verification even worked
I honestly can't believe this happened..
-
Yep... it's just about the most pointless thing I ever saw - I eventually gave in and signed up; hooray, yet another secure password to write down somewhere that it'll hopefully never be seen.
It's a good thing phishers aren't too clever yet - I've been writing modules for Apache which dynamically tweak the output, and can inject HTML... 2+2=$40000?
-
I'd be very worried that it isn't some sort of spyware/CC harvesting system.
They can be very deceptive sometimes,
I had to deal with one laptop that had around 150 different spyware programs. Good old mcafee had done sweet FA to help the system, in fact, it had actually never scanned a single file, but thats a different (and far scarier) story.
What happened though, was during a definitions update (the first time it had done them), a window popped up. This window had the mcafee logo, everything. It basically said 'your 3 month trial has expiered, you can update it buy buying a full copy in a store, or you can purchase a new license online to update the definitions.' It then had a bunch of links down the bottom to different update options, 6 months, 12, all for fairly reasonable prices too.
Something about it was suspecious though, it then became obvious. I couldn't right click. I moved the window (the minimize button was missing and it was set as topmost) and behind it was a messagebox informing me the definitions update was successful. The thing that got me is that I very nearly fell for it myself, and I'm very cynical of anything web related.
That said the other WTFs in that version of mcafee were simply mind boggling. It could only run with IE having the internet security zone set to 'low' for a start (medium would not work)...
-
Mastercard have one of these too. You can sign up to create a username/password to go with your credit card, and then it'll prompt you to enter them when purchasing something with the card at a later date (on sites which bother to implement this, which is not many).
But... on the dialog where you enter your password, there's a link you can click on that says something like "I don't want to do this today", and it'll just approve the transaction without a password.
Quite what this is supposed to accomplish, I am unable to tell.
(Of course you have to realise that credit card companies don't care about credit card fraud - they are in the business of passing the costs of fraud on to the merchant, so their "security" measures have always been a joke, and the absolute minimum required by law)
-
For some reason secure passwords and banks don't seem to go together.
My bank uses case insensitive passwords. You have to use at least 6 chars. But this is sadly one of the most secure I've seen. They actually allow non-alpha chars (only letter case get mangled).
The bank behind my credit card (different to the above bank) thinks that fixed length 6 char passwords are OK. To make matters worse, they are again case-insensitive, but this time they also only allow letters and numbers. Don't worry though... They require at least one number and one letter (ie, can't have all numbers or all letters). Oh, and they tighten security by having a pain in the backside on screen Java keyboard... So no banking in OSes that don't have a full JVM installed, and no banking from computers without a mouse plugged in.
Another bank I know uses the exact same onscreen keyboard thing, but at least they don't have fixed length passwords.
Australian banks BTW.
-
Credit card security is no different than airport security. It's not about making things more secure, it's about making them seem secure. After all, cash isn't king online (eBay in particular doesn't even allow you to use it). If they can convince their customers that paying online with their credit card is safe, they become the real winners of the e-commerce industry.
And if you want another real e-commerce WTF, look at eBay's cash policy. Just days after they suddenly announced cash sales would no longer be allowed, they started banning hundreds of sellers who still claimed to accept cash (i.e. hadn't updated their postings yet). This happened to one of my favorite sellers, somebody who I had dealt with in cash many times. No warning ahead of time, no opportunity for discussion after the fact. I guess some of us didn't realize that paying with cash had become a sin.
-
The real WTF is that you actually went back thru it a second time. I woulda bailed out as soon as I saw anything odd. There's more than one place to buy a domain.
-
I had a similar experience a few weeks ago. I opened a new bank account a few months ago, but decided I rather liked my old one better. So I emailed them and asked how difficult it is to transfer funds between the two accounts. "You're in luck!" they tell me, we just started a new service that can do that! So I gave it a whirl...
First click and I'm transferred to some third-party web site. Not liking this already.
Create an account, okay, this is pretty standard, although I already have an "account" at the bank web site.
Account creation requires my SSN. Umm, don't like this, but let's see where we're going...
Next screen, enter the name of the bank you want to transfer to/from, the account number, and routing number. Again, pretty standard stuff.
And the end of my experience, enter the user name and password you use on the other bank's web site... sure, and some Pakistani will have that account cleared out in under two minutes. Good bye.
I'm not sure what I was expecting, but this was not it. I think I'm going to close both accounts and start over...
-
[quote user="unklegwar"]
The real WTF is that you actually went back thru it a second time. I woulda bailed out as soon as I saw anything odd. There's more than one place to buy a domain.
[/quote]
I would have loved to have bailed out right away, but the domain was already on that registrar, and transferring it to another seemed troublesome.
