Verified by VISA is the biggest WTF I've ever seen.
Let me summarize a shopping experience I just had with Verified by VISA (this is the first time I've seen it):
I go to buy a domain. I put in my credit card, plus the 3 digits on the back, and all the rest of the stuff. I hit 'Order'. It pops up a window, out of nowhere, which is loading the site 'saferpay.com', non-SSL. That site forwards me to 'securesuite.net', which is SSL-signed. I have never heard of either of these sites, and the names don't fill me with confidence. If they were .visa.com or .rbcroyalbank.com, then I'd feel better.
This suspicious popup that I wasn't expecting asked me for my full name, my 3-digit verifier (which I had already entered), and asked me to create a password, with the condition that it had to be 6-15 characters, with no spaces (wtf?). I gave it a new (decent) password, that was about 12 characters, no spaces. It said "Sorry, your password can't have spaces". Broken JavaScript? So I hit 'Cancel' because I don't like the looks of any of this, and the site I was at says, "thank you for your payment!" ... so wtf, did it actually go through?
After verifying that it did indeed fail, I went back through it, gave it the weak 6-alphabetic password that I generally use for random sites, and it gladly accepted that and the payment went through.
This really bothers me. They call this bull---err, crap online security? Please. Let's go over the list of WTFs:
- Paying with a credit card, I got a weird popup from a strange site (redirected from an insecure site) asking for my CC info
- The site asks for information that I had already given
- The password policy threw out my strong password and accepted my weak password
- It was impossible to tell if the verification even worked
I honestly can't believe this happened...