Joshua Juran wrote:
I want them to test their site with Firefox, observe that it asks to save the password with the plaintext credit card number as the user name, and realize that this is a bad idea.

For extra credit, they might realize that asking for the same password a second time is (at best) pointless in any case.

I don't think credit card companies live in the same universe we do. Take Verified By Visa. It's basically an XSS exploit. Worse, it wants me to make up a secure password to associate with my credit card. The password MUST be between 6 and 10 characters. If I forget the password, I can just make up a new one.

I'd love to meet their security consultants.

http://www.cerias.purdue.edu/site/blog/post/verified-by-visa-issues/
http://www.breakitdownblog.com/verified-by-visa-is-useless/


--
"Clutter and overload are not an attribute of information,
 they are failures of design"
    -- Edward Tufte