Right when you thought security couldn't get any worse

This blog will be short and sweet because a few images say it all.

I've spent a lot of time trying to educate people on being careful with credentials. It really doesn't help when I try to place a purchase with a "legitimate" supplier, and, after handing over valid credit card details, I get this:

Not only is it not a troll, it's well documented in their FAQ:

The frustrating part is not that they do this. It's that they apply the charge to your card a day before giving you this prompt, leaving you begging for refunds when you refuse.

Yes, I've spoken to them. They don't see an issue. Yes, Mwave thinks requesting your bank login credentials is just a normal thing.

Addendum

Despite promises to keep this short, here are a few additions I'm compelled to add:

  • Mwave have indicated a refund will be forthcoming, once this is escalated to someone with authority. Although they were fairly non-committal about this, I don't currently have a reason to believe I won't see the money.
  • Mwave actually do accept PayPal. If I had known about this situation, I would have just used that. My PayPal usually has a low-limit card attached, and this was supposed to be the low-friction method of placing a larger order.
  • American Express have been shown these images. Well, the direct URLs. They were very professional about ensuring the refund is forthcoming.
  • Please, please, stop insisting that I should report this to the PCI council for immediate action. They are not an enforcement agency.