Today I ran into an excellent example of false security – with horrible usability to boot. I was helping my landlady to purchase a laptop online using a Visa card. At the checkout step, a screen appeared that we did not understand. It came from Visa itself and asked for the password associated with the credit card.
The password form was in an IFRAME, so the address bar did not light up green. I did not bother to check the security certificate by hand, or else I might not have dared to continue at all.
But we did read the FAQ that was linked to. As it turned out, this “optional” ‘Verified by Visa’ system makes online purchases more secure. It did not seem at all optional. Well, only more secure then. Right?
Wrong. How exactly does one get a Verified by Visa password? Let's click the “forgot your password” button and find out. To reset the password, you need to specify:
- the 3-digit card validation code
- your name, as written on the card
- the card expiry date
- the year and month of your birth
The first three of these four pieces of information are written on your credit card, and also submitted in any web form that involves a credit card purchase. By assumption, an attacker already has this information, or else the extra password protection wouldn't serve any purpose. So the only extra piece of information that is asked for is your birth year and month. Not exactly information that is hard to find, or even to brute-force if you put your mind to it. They might as well have skipped the password and asked for your birth date instead.
But well, it doesn't make you any less secure, so we continued to set up a password. First attempt failed: “use letters and numbers only”. Because, you know, secure passwords do not involve special characters at all. Second attempt: “please use both letters and numbers”. If you're going to use stupid limitations, at least tell me beforehand. Third attempt: “please use between 8 and 12 characters”. By now it seemed more like a CAPTCHA to me.
Then, finally, the password was accepted and we could proceed… to the next error message. Turns out that NoScript blocked the transaction, even with Javascript turned on. If NoScript does that to you, it probably means that you're doing something very, very wrong. But finally, after convincing NoScript that it was okay, the payment got through.
Stupidity can, in rare cases, be forgiven. But not if you're the largest credit card issuer in the world.