Dear Visa (A Letter From the Land of Security WTF)

Dec 17, 2007 23:14

This is a rambling description of my attempts at purchasing items online. It could probably be tightened up a bit for humorous effect, but my main interest was in documenting frustration so that I can refer back to it if some random charges appear on my card tomorrow. If nothing else, it serves as a reminder that nothing is quite as simple as handing some paper currency to a person and walking away with a bag of stuff.

Dear Visa,

You are, in many ways, in the businesses of electronic financial security and customer convenience. The following, therefore, should not happen:
  1. I select my online purchase and enter my credit card information and shipping address.
  2. I look away and look back to see a mostly-white window with a "Verified By Visa" logo and my credit union's logo and (as I recall) some text indicating that JavaScript wasn't enabled.
  3. I enable verifiedbyvisa.com and mycardsecure.com (IIRC) via NoScript.
  4. The page asks me to enter my security code, and the last four digits of my SSN and phone number.
  5. I submit such information.
  6. I am asked to create and verify a password.
  7. The next page shows the Verified By Visa logo and the logo of my credit union. And a message that a popup was blocked. And nothing else.
  8. I allow the popup window.
  9. The main Firefox window is no longer active, but no popup window is visible.
  10. I activate exposé and see the popup window and select it.
  11. I still can't see the popup window. I select Zoom from the Window menu and it sizes itself.
  12. The popup window has a submit button informing me that I should update my profile.
  13. Clicking the submit button does nothing.
  14. Back to the main window, there's still nothing but two logos.
  15. I turn on Firebug and start inspecting JavaScript functions and the DOM.
  16. I figure out which function was supposed to be run when the page loads and execute it through the console.
  17. I am redirected to an IIS error page at verifiedbyvisa.com.
  18. I try the main page of verifiedbyvisa.com and receive another error page.
  19. I wonder what kind of credit card company doesn't maintain the home page for their security service.
  20. Um... have I made a purchase? Or am I in post-purchase/pre-receipt transaction limbo?
  21. I check my bank balance. My current and available balances are within two dollars, so the site hasn't charged me yet.
  22. I WHOIS verifiedbyvisa.com. Looks legit. I google verifiedbyvisa. The first page is on visa.com and has the same logo I saw before. It links to FAQs, "Solutions," places to shop, and more. Clicking on any of them leads to an error, though. What kind of credit card company has dead links all over their security system section?
  23. I return to the site and add my item again. Now it thinks I want two. Yay! Reduce quantity.
  24. I hit check out. Again.
  25. I enter my billing and shipping information again. Note that the credit card number and security code fields are not of type Password, so Firefox suggests them.
  26. I get redirected to a verifiedbyvisa page again.
  27. I note it has a "Personal Message" which reminds me that I came up with a different password for this service a few years ago when buying tickets for a concert.
  28. Based on the message, I try two variations on a password. It asks me for the card's security code, expiration date, and the last four of my SSN and phone number. Then it asks me for a new password.
  29. I enter what I thought my password was before and jot down a super secret note which has enough information for me to guess the password again.
  30. I am redirected to my original site of purchase.
  31. I print a copy of my receipt.

Internet Explorer is still used by over half of web users, but I think Firefox is around a quarter. NoScript is one of the most popular plugins for Firefox. Other browsers let you turn off JavaScript as well, just not as flexibly. Many users concerned about security browse with JavaScript turned off. It would behoove a credit card company to design their secure payment system in such a way that security-minded users don't have to disable enhanced security in order to make online purchases. This game is 12 years old. You'd think somebody would have figured it out.
