Yesterday I was helping a friend order something online. It was the first time she'd used her Visa card to buy something on the internet, so she had to go through the steps to create a Verified By Visa password. Verified By Visa is a service from Visa that adds an extra authentication step whenever you make a purchase with a participating retailer: not only do you need the card details and CVV, but also a password you set up with Visa.
Let me back up. I ended up looking at the page's code because the "Verified By Visa" FAQ pages about password requirements say only that the password policy is set by the card issuer. Well then.
So I looked through the code, found the alerts about the password policy, and finally found the offending code:
else if( (/\W/).test(document.passwdForm.pin1.value) || (document.passwdForm.pin1.value.length < 6) || (document.passwdForm.pin1.value.length > 8) )
    alert("Your password does not conform to the Password Policy. Please try again.");

I almost couldn't believe it, but I know people are idiots. The reason it wouldn't accept the password is that PASSWORDS CANNOT BE LONGER THAN EIGHT CHARACTERS, and hers is longer.
Un-fucking-believable. Never mind the fact that they do their checking client-side, which at best is redundant (if they're not brain-dead and check server-side too) and at worst lets any password through, even a blank one. Never mind their popup boxes that tell you nothing (browsing the code, you can see one that helpfully says "isbad " followed by the password you entered). The password for this extra bit of security, which you set up by handing over your name, address, SSN, and PIN (they have to verify that you're you when you set your password, after all), cannot be longer than eight characters. And I'm pretty sure, looking at the rest of the code, that it can only contain letters and numbers.
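To make the two complaints above concrete, here is an added example (my own code, not the issuer's Verified By Visa page). It restates the quoted client-side rule as a pure function, so you can see exactly what it accepts (note that \W leaves underscore alone, since \w is [A-Za-z0-9_]), and then models a hypothetical enrollment server two ways: one that trusts the browser's check, and one that re-validates with its own policy. The server, user names, the 12-character minimum and the 128-character cap are all assumptions for the demonstration.

```javascript
// Added example, not the issuer's code. Form field names from the quoted
// snippet (document.passwdForm.pin1) are replaced by a plain string argument.

// The quoted client-side rule, verbatim in spirit: reject any non-word
// character (\W = anything outside [A-Za-z0-9_]) and anything outside
// 6..8 characters. Underscore survives, "!" does not, nine characters do not.
function clientPolicy(pw) {
  if (/\W/.test(pw)) return false;
  if (pw.length < 6 || pw.length > 8) return false;
  return true;
}

// A saner policy (assumed, not anything the issuer published): long minimum,
// generous cap, any character allowed. Length is counted in code points so
// non-ASCII passphrases are not penalised for UTF-16 surrogate pairs.
function sanePolicy(pw) {
  const n = [...pw].length;
  return n >= 12 && n <= 128;
}

// Hypothetical enrollment server. Pass `null` as the policy to model a server
// that trusts whatever the browser sends; pass a function to re-validate.
function makeServer(policy) {
  const store = new Map();
  return {
    setPassword(user, pw) {
      if (policy && !policy(pw)) return "rejected";
      store.set(user, pw);
      return "accepted";
    },
    get(user) {
      return store.get(user);
    },
  };
}

// The honest browser path: run the client check, then send the request.
// Anyone with devtools, curl or a proxy simply calls server.setPassword
// directly, which is why the client check is not a security control.
function browserSubmit(server, user, pw) {
  if (!clientPolicy(pw)) return "blocked by client";
  return server.setPassword(user, pw);
}

// Constructed inputs for the demonstration.
const naive = makeServer(null);
const hardened = makeServer(sanePolicy);

const results = {
  nineChars: clientPolicy("abcdefghi"),                 // false: too long
  underscore: clientPolicy("abc_123"),                  // true: _ is a \w char
  special: clientPolicy("abc!123"),                     // false: ! is \W
  blankViaBrowser: browserSubmit(naive, "alice", ""),   // "blocked by client"
  blankDirectNaive: naive.setPassword("alice", ""),     // "accepted": empty password stored
  blankDirectHardened: hardened.setPassword("alice", ""), // "rejected"
  passphraseHardened: hardened.setPassword("bob", "correct horse battery staple"), // "accepted"
};

console.log(results);
```

The point of the naive-versus-hardened pair is the second complaint in the post: a client-side check is a usability nicety at best, and the only check that counts is the one the server performs on the request it actually receives.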
I wish this weren't so commonplace, but the fact is, I have to have a dumbed-down password that I can use for online shit like this. I had to make it exactly eight characters, and remove the special characters from it. But to see this from a BANK? In a measure that's supposed to IMPROVE security?
So I went to the website for the Wells Fargo Verified By Visa thing and I used their little contact form to send them an email. The gist of it was "Are you INSANE? I'm glad I'm not a Wells Fargo customer, and with this I'll probably never be one, since I don't know if I can trust my data with a company that does this." They emailed me back:
I understand your concern about the Verified by Visa program. This program is run by Visa directly.

No, idiot. Fuck. I know it's not Chris's fault he doesn't understand the problem. But at least he could have asked his manager about it or something.
For information about Verified by Visa, please contact them directly at 1-800-318-9617 for enrollments with check cards or 1-877-262-8636 for credit card enrollments. Bankers are available to assist you 24 hours a day, 7 days a week.
Wells Fargo Online Customer Services