Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: iago on November 12, 2006, 12:50:19 am

Title: Verified by VISA
Post by: iago on November 12, 2006, 12:50:19 am

Verified by VISA is the biggest WTF I've ever seen.

Let me summarize a shopping experience I just had with Verified by VISA (this is the first time I've seen it):

I go to buy a domain.  I put in my credit card, plus the 3 digits on the back, and all the rest of the stuff.  I hit 'Order'.  It pops up a window, out of nowhere, which is loading the site 'saferpay.com', non-SSL.  That site forwards me to 'securesuite.net', which is SSL-signed.  I have never heard of either of these sites, and the names don't fill me with confidence.  If they were .visa.com or .rbcroyalbank.com, then I'd feel better.

This suspicious popup that I wasn't expecting asked me for my full name, my 3-digit verifier (which I had already endered), and asked me to create a password, with the condition that it had to be 6-15 characters, with no spaces (wtf?).  I gave it a new (decent) password, that was about 12 characters, no spaces.  It said "Sorry, your password can't have spaces".  Broken JavaScript?  So I hit 'Cancel' because I don't like the looks of any of this, and the site I was at says, "thank you for your payment!" ... so wtf, did it actually go through?

After verifying that it did indeed fail, I went back through it, gave it the weak 6-alphabetic password that I generally use for random sites, and it gladly accepted that and the payment went through. 

This really bothers me.  They call this bull---err, crap online security?  Please.  Let's go over the list of WTFs:
- Paying with a credit card, I got a weird popup from a strange site (redirected from an insecure site) asking for my CC info
- The site asks for information that I had already given
- The password policy threw out my strong password and accepted my weak password
- It was impossible to tell if the verification even worked

I honestly can't believe this happened..

Title: Re: Verified by VISA
Post by: MyndFyre on November 12, 2006, 01:31:57 am

That's not been my experience with VBV, but the only time I've actually used VBV was on wal-mart.com.  *shrug*

Title: Re: Verified by VISA
Post by: Sidoh on November 12, 2006, 02:49:08 am

I've been forced to use a similar service using my debit card on Newegg recently.  The downfalls I observed didn't lead me to accept such a grim prognosis of my opinion on the matter, but I definitely agree with you here.  That's terrible.

Title: Re: Verified by VISA
Post by: AntiVirus on November 27, 2006, 11:23:00 am

Yeah.. I don't know if I would have filled any of that out.  I would have probably called my bank and asked them what was going on.  If they didn't know, I would have them get me the number of someone who does know what is going on.

Title: Re: Verified by VISA
Post by: Killer360 on November 30, 2006, 10:28:24 pm

You better watch your credit card statements. That just doesn't seem right.

Title: Re: Verified by VISA
Post by: iago on December 01, 2006, 09:35:15 am

I do watch them, but I know it's right -- it's just extremely stupid.