I've just been able to reproduce a bypass for part of NatWest's online security (which I discovered by accident) which allows you to bypass this part of authentication when using your card online.

I know it is very unlikely this will affect anyone, but just a heads up to double check activity on your account.

I've already started correspondence with NatWest about this so they have begun investigating the matter.
What's NatWest?
Licurg: What's NatWest?
From just looking at the link it appears to be a bank card.
Licurg: What's NatWest?
It's the National Westminster Bank Plc.
xyem: I've just been able to reproduce a bypass for part of NatWest's online security (which I discovered by accident) which allows you to bypass this part of authentication when using your card online.

I know it is very unlikely this will affect anyone, but just a heads up to double check activity on your account.

I've already started correspondence with NatWest about this so they have begun investigating the matter.
Nice! Hopefully they'll give you a reward.
I've spoken to both NatWest and the company that I can execute this on and it still hasn't been fixed.

According to NatWest, it is an optional thing... even if you start using it, it remains optional. Security: these people don't know how to implement it.

This means the exploit may only work against this one vendor (it may be their side that ignores the failed check), but seeing as they are dragging their feet in terms of fixing it, here is how I've been executing it. Do note that most of these steps may not even be required...

#1: Create an order until you are taken to the SecureCode page.
#2: Fail the code until you are prompted to recover the password.
#3: Go to the "recover password" page
#4: Enter your name, leave the rest blank
#5: Allow the page to time out
#6: Wonder how the hell these people got employed as the order is accepted, despite you failing their "secure" check.

In case someone from NatWest comes across this, here is how you implement SecureCode properly, you blithering morons.

#1: Allow merchants to sign up to SecureCode
#2: Any transactions now require processing through the SecureCode system
#3: A transaction against someone's card now involves a challenge/response with the SecureCode system. Failing it means the merchant never gets the authentication token to make a change against the account.
#4: Give me your entire IT department's wages for a month because they needed to be told by some hobbyist programmer how to do their jobs properly.
Post edited March 29, 2015 by xyem
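A merchant-side "fail closed" gate of the kind point #3 above describes, as an added example written for this thread (it is not code from NatWest, the vendor, or the poster). The token format, field names, the HMAC-signed result and the shared key are assumptions for illustration; the point is that a missing, timed-out, failed or tampered authentication result all lead to the same outcome: no capture.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed demo key; in a real deployment the authentication server holds
# the signing key and the merchant verifies with the corresponding material.
SHARED_KEY = b"constructed-demo-key"


def issue_auth_token(order_id: str, card_ref: str, status: str, issued_at: int) -> dict:
    """What the authentication system would hand back after the challenge.
    Only status 'Y' (cardholder authenticated) counts as a pass."""
    payload = {"order_id": order_id, "card_ref": card_ref,
               "status": status, "issued_at": issued_at}
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def may_capture(order_id: str, card_ref: str, token: Optional[dict],
                now: int, max_age: int = 300) -> bool:
    """Merchant-side gate: capture only on a fresh, signed, successful result
    bound to this exact order and card. No result at all (page timed out,
    challenge never answered) is treated as a failure, never as a pass."""
    if token is None:
        return False  # fail closed on a missing result
    payload = token.get("payload", {})
    body = json.dumps(payload, sort_keys=True).encode()
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("mac", "")):
        return False  # forged or tampered result
    if payload.get("order_id") != order_id or payload.get("card_ref") != card_ref:
        return False  # result belongs to a different transaction
    if payload.get("status") != "Y":
        return False  # failed, attempted-only or unavailable: all rejected
    if not (0 <= now - payload.get("issued_at", -1) <= max_age):
        return False  # stale or future-dated result
    return True
```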
Why didn't you capitalize on it? Offer to help them in exchange for a one-time fee. If the issue is major you might have created a job opportunity or at the very least connections to gain one later, if you need it.