We have all, in one way or another, come to love 3D Secure. If you pay any attention to the world around you, you love to hate it. It turns out, or has always been known by people with more then half a brain, 3D Secure, isn't.

But don't take my word for it, "3D Secure online payment system not secure, researchers say."

"One of their main points is how 3DS is integrated into Web sites during a transaction. E-Commerce Web sites display 3DS in an iframe, which is a window that brings content from one Web site into another.

The e-commerce Web site connects directly to a bank, which solicits a person's password in the iframe. If the password is right, the transaction is complete. But the researchers argue that since there's no URL displayed with the iframe, it's difficult to tell whether it's genuine or not."

3D Secure online payment system not secure, researchers say - security - PC World

Now, that above tactic is why the NoScript method with Firefox works with PlayOnline. It works because what 3D Secure is doing is exactly how an embedded iFrame phishing attack works. Whether the iFrame is genuinely VbV or a lookalike can't be determined by looking at the page. The only URL you see is in the address bar, the URL of the site you meant to go to.

Hopefully enough people will complain and this whole damn thing will stop. Then again, hopefully I'll get a huge inheritance and never have to work again.