VerifiedByVisa/SecureCode is hideously insecure anyway
The procedure for me to sign up to Verified By Visa a few years ago was:
- HSBC send me a letter on headed notepaper telling me to call them on this number or else they'll disable my ability to use my card online
- Being a suspicious person, I call the HSBC telephone banking line; they tell me they know nothing about it but I should call the number on the letter (which they don't verify).
- "HSBC" person on phone asks for all my credit card details. They then give me web address to visit, and assign me a guessable username and a temporary password of "password" (no I'm not kidding).
- I go to the web site. It's https://something.arcot.com - a secure site, but the SSL certificate is owned by a company I've never heard of, with no obvious links to HSBC (other than the easily copyable logos).
- I enter the username and password they just gave me.
- I confirm some details & enter my new Verified By Visa password.
You'll note that there was no way in any of the above for me to be sure I was communicating with HSBC. I might have just given my details to a phisher who sent out real snail-mail letters. (Actually I spent half an hour doing research & eventually decided that Arcot (http://www.arcot.com/) are probably a legit but incompetent provider of security services to banks.)
Now, what about entering my VBV password when I buy something? Well, it's done inside a frame on the merchant's site. So it's hard for me to check that the frame I'm about to enter my password in is really HSBC's "secure" VBV web site, because I can't see the URL (unless I right-click & choose Properties - which I'm not going to do every time). And even if I did, it's an Arcot URL, not an HSBC one. So the merchant could use a classic man-in-the-middle attack - serve the VBV password page from their own secure web site, remember the password & pass it on to HSBC. Once the transaction goes through, the merchant has a record of my VBV password in addition to all the other credit card details, and can go spend my money at other VBV sites. I can imagine the conversation with the bank: "But they used your VBV password! It must have been you! And if not, then your PC must have a virus, so tough."