Clan x86
Topic started by: iago on November 12, 2006, 12:50:19 am
-
Verified by VISA is the biggest WTF I've ever seen.
Let me summarize a shopping experience I just had with Verified by VISA (this is the first time I've seen it):
I go to buy a domain. I put in my credit card, plus the 3 digits on the back, and all the rest of the stuff. I hit 'Order'. It pops up a window, out of nowhere, which is loading the site 'saferpay.com', non-SSL. That site forwards me to 'securesuite.net', which is SSL-signed. I have never heard of either of these sites, and the names don't fill me with confidence. If they were .visa.com or .rbcroyalbank.com, then I'd feel better.
This suspicious popup that I wasn't expecting asked me for my full name, my 3-digit verifier (which I had already entered), and asked me to create a password, with the condition that it had to be 6-15 characters, with no spaces (wtf?). I gave it a new (decent) password, that was about 12 characters, no spaces. It said "Sorry, your password can't have spaces". Broken JavaScript? So I hit 'Cancel' because I don't like the looks of any of this, and the site I was at says, "thank you for your payment!" ... so wtf, did it actually go through?
After verifying that it did indeed fail, I went back through it, gave it the weak 6-alphabetic password that I generally use for random sites, and it gladly accepted that and the payment went through.
This really bothers me. They call this bull---err, crap online security? Please. Let's go over the list of WTFs:
- Paying with a credit card, I got a weird popup from a strange site (redirected from an insecure site) asking for my CC info
- The site asks for information that I had already given
- The password policy threw out my strong password and accepted my weak password
- It was impossible to tell if the verification even worked
I honestly can't believe this happened..
-
That's not been my experience with VBV, but the only time I've actually used VBV was on wal-mart.com. *shrug*
-
I've been forced to use a similar service using my debit card on Newegg recently. The downfalls I observed didn't lead me to accept such a grim prognosis of my opinion on the matter, but I definitely agree with you here. That's terrible.
-
Yeah.. I don't know if I would have filled any of that out. I would have probably called my bank and asked them what was going on. If they didn't know, I would have them get me the number of someone who does know what is going on.
-
You better watch your credit card statements. That just doesn't seem right.
-
I do watch them, but I know it's right -- it's just extremely stupid.