Our old monitor seems to be on its last legs, so I've just been to Scan's website (from where, >10 years ago, the now dying monitor was bought) to replace it. Found one I liked, then tried to pay for it. Unfortunately, like most online merchants, they've been bullied into implementing 3D Secure (aka Verified by Visa/MasterCard SecureCode).
Oh how I laughed when NoScript popped up a warning saying that it just blocked an XSS attack from www.securesuite.co.uk (which was trying to POST back to www.scan.co.uk).</sarcasm>
So, not only does the user experience to all intents and purposes look exactly like a phishing attempt, a successful payment gets blocked by security software. Thus, in order for 3D to work (remember this protocol is designed to make the purchasing on the web "more secure"), I have to make my PC less secure?!?
Anyone would think this had been designed by a government.</despair>
Some institutions that need to be secure get it, most do not. You quickly come to realise that a lot of so-called "security" is actually "security theatre". It sort of looks secure and that's more important than being secure.
I'm no banking or security expert but it is very clear that lots of things that should be secure are not well done. Sometimes it's because real security is hard and it may put off customers, sometimes it's because the marketing people are in charge and sometimes I can't fathom why it's done...
Most Windows machines get infected at one time or another. Ignoring some of the weaknesses in the design, the main reason is that most Windows users do not know what they are doing - they have not the faintest clue. Is it any wonder that web sites are insecure...