3D-Secure is a common system, in fact it's now mandatory in the EU as per PSD2.
The original implementation of it is flawed - the merchant is supposed to iframe the authorization page, which means as a user you have no way to tell whether the displayed page is legitimate. Somehow this insanity actually went ahead and is now part of the spec, so it's too late to change it.
The redeeming factor is that the authorization pages (controlled by the banks) usually only ever ask for an OTP or some relatively benign piece of information that by itself can't be used to break into the account (modern banks don't ask for anything at all and just poll the backend for an out-of-band response via a push notification), so as long as the user doesn't expect this page to ask for their actual online banking password it is safe, as a fake page requesting such info will raise alarm bells (of course, that relies on the user being somewhat aware of the problem and the risks - not sure how much of this actually applies to the general population).
La Banque Postale here clearly didn't understand the problem, and decided to legitimize asking for their actual banking password on an untrusted website - this now opens them up for attacks where websites make a fake iframe to steal that password. The fact that it's a static secret also means it can be reused forever once captured, whereas typical 3D-Secure implementations use time-limited secrets.
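To make the last point concrete, here is an added example (not code from the comment above or from any bank): a bank-side verifier for a static password next to one for a per-transaction, time-limited, single-use code, both run against the same "fake iframe captured what the user typed" scenario. The password, transaction ids and clock values are constructed.

```python
import hmac
import secrets

class StaticPasswordVerifier:
    """Bank-side check of a long-lived password (the design the comment criticizes)."""
    def __init__(self, password: str):
        self._password = password
    def verify(self, submitted: str, txn_id: str, now: float) -> bool:
        # Not bound to a transaction or a time window: once captured, it is good forever.
        return hmac.compare_digest(self._password, submitted)

class OneTimeCodeVerifier:
    """Bank-side check of a per-transaction, time-limited, single-use code."""
    def __init__(self, ttl_seconds: int = 120):
        self._ttl = ttl_seconds
        self._issued = {}  # code -> (transaction id it was issued for, expiry time)
    def issue(self, txn_id: str, now: float) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"  # 6-digit code, e.g. pushed by SMS or app
        while code in self._issued:  # never hand out a code that is still live
            code = f"{secrets.randbelow(1_000_000):06d}"
        self._issued[code] = (txn_id, now + self._ttl)
        return code
    def verify(self, submitted: str, txn_id: str, now: float) -> bool:
        entry = self._issued.pop(submitted, None)  # single use: consumed on first attempt
        if entry is None:
            return False
        issued_for, expires_at = entry
        return hmac.compare_digest(issued_for, txn_id) and now <= expires_at

def replay_exposure(kind: str) -> dict:
    """What a fake authorization iframe gains from a captured input, per secret type."""
    t0 = 1_700_000_000.0  # constructed fixed clock so the scenario is reproducible
    if kind == "static":
        bank = StaticPasswordVerifier("correct-horse-battery-staple")  # constructed password
        code = "correct-horse-battery-staple"
        issue = lambda txn: code  # the same password serves every transaction
    else:
        bank = OneTimeCodeVerifier(ttl_seconds=120)
        issue = lambda txn: bank.issue(txn, t0)
    first = issue("txn-0001")
    return {
        "legit_use": bank.verify(first, "txn-0001", t0 + 10),
        "replay_after_use": bank.verify(first, "txn-0001", t0 + 20),
        "replay_after_expiry": bank.verify(issue("txn-0002"), "txn-0002", t0 + 600),
        "replay_other_txn": bank.verify(issue("txn-0003"), "txn-0004", t0 + 10),
    }
```

With the static password every replay succeeds; with the one-time code only the genuine first use does, which is the property the comment says the original 3D-Secure flows rely on.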