Why VbV and Mastercard SecureCode are poor systems
A) Most banks don't tell you the system exists until after you've been shown it.
B) It requires that you re-enter your CC number and further details into an IFrame of obscure origin that you did not expect.
C) If you do expect the IFrame, it's relatively difficult to check that the IFrame is really from your bank/card issuer/payment verification system.
The reason for this is that you do not know WHO is supposed to be serving the IFrame (it's not necessarily your bank), and it isn't even served from the same place each time, so even if you check the certificate you can't tell whether it's the right one.
The form and appearance of the IFrame are the same across the vast majority of users - there are basically only two designs in use. It's therefore incredibly easy to spoof.
To top it off, what a black hat needs to do to learn all your security details is easy:
1) Spoof an IFrame that looks correct when the user gets to the payment verification stage where it usually appears.
2) Refuse your details, no matter what is entered.
3) Offer the standard "Re-register" options.
4) Harvest all details required to re-register.
5) Pass the user back to the merchant site. It doesn't really matter whether or not they can make the merchant think the verification succeeded.
The black hat can now use your credit card any time they want, and you'll never realise it until you get the bill.
Step 1 is the only technically difficult part, and even that is only hard if the black hat doesn't have access to the merchant's servers.
So if the black hat is the merchant, or has compromised the merchant's site in some way...
The underlying concept of VbV and SecureCode isn't fundamentally bad, but, as happens all too often, it's been incredibly badly implemented.