Jonathan Bryce wrote:
Some researchers at Cambridge University say that Verified by Visa and
Mastercard Secure Code have security problems.

There's nothing new here for anyone who has been following this group, but
it is still an interesting read.

And they make the common assumption that vendors/card processor using
this system actually serve the form from Cyota. Many of them don't, or
at least didn't, including major card processors, and British Gas. They
copy the form into their own page, and go man in the middle on the
outbound leg.