Thanks for posting this! I’ve always thought this about it too.
The process is hateful.
The mind boggles at Visa, Mastercard and banks thinking this was an okay solution and approving it. The password reset process is stupid beyond belief too.
Zero thought went into how it works, looks like it was given to the lowest qualified by incompetent (hello cheap outsourced contractors!) and that either no-one at Visa or Mastercard bothered to look at it or they had no idea what they were looking at when they signed off on it.
Mild tangent:
My own bank, Natwest, is horrible too.
* For years it was frame based and only worked in very specific versions of specific browsers (well, it worked in all of them, equally poorly, they just had a lame header detection routine that I had to work around by pretending to be IE when using a Mac).
* They don’t seem to know what CSRF tokens are. They certainly don’t know how to implement them properly.
* They don’t know how to handle cache expiry, HTTP headers or sessions. Anytime you hit back or do an unexpected action – *boom* the session expires. When this happens you need to go through 4-5 screens to log back in (and through all the annoyances detailed below).
* While trying to log in, they try and flog an antivirus product they get kickbacks on that is not even available for my operating system (you’ll remember they check this to prevent you logging on, and this message occurs even when the user agent header is not forged, so it’s not like they don’t know).
* The next button jumps about all over the place between the multiple login screens and as pages are loading because of advertising images with missing ‘height’ attributes (apparently even remotely valid HTML is beyond them), so you have to wait for each page to load painfully slowly in full or you will end up clicking on something that whisks you away to another page, causing you to have to restart the whole onerous login process.
It’s all just awful. It’s gotten less awful, but it’s still embarrassingly bad.
Most free-to-use services and social sites like Twitter and Facebook and *massively multiplayer video games* have better security models than Visa/Mastercard/online banks – at least with online games I know when someone has accessed my account or attempted to reset my details – and I can get either a key (physical or software to run on my phone) or authenticate only specific computers.
It’s sad that my virtual currencies are more secure than my bank or credit card accounts.