Business Insider Edition

Discovery Bank closed a gaping credit card security hole on Monday – but says it suffered no fraud

 Oct 14, 2019, 09:27 PM
  • Discovery Bank on Monday fixed a flaw in its systems allowing incorrect credit card CVV numbers to be used for online payments.
  • Business Insider South Africa was tipped off about the flaw, and on Monday morning found we could make payments with a random CVV code. 
  • Discovery Bank said it was alerted about the issue last week, and suffered no fraud losses due to the issue. 
  • For more stories go to www.BusinessInsider.co.za.

Discovery Bank says it has fixed a security flaw in its systems that allowed credit card transactions without the correct CVV number.

On Monday morning Business Insider South Africa was able to make two credit card payments on two different e-commerce platforms with the incorrect CVV number, simply using a sequence such as "000".

In one instance, Discovery Bank also didn’t require further authorisation in the form of a one-time pin.

An incorrect CVV code used to make a payment through Discovery Bank at Netflorist on Monday morning.
The order was successful at Netflorist despite the incorrect CVV, and no "one-time-pin" was requested.

Testing showed that the correct CVV number was required for Discovery credit card holders with accounts still administered by First National Bank.

An incorrect CVV code used to make a payment at Exclusive Books on Monday morning.
The transaction at Exclusive Books was approved despite the incorrect CVV code.

By Monday evening, Business Insider tried to recreate the transaction we completed in the morning, but our efforts were rejected.

A call centre agent also phoned us soon after the transaction to alert us that an incorrect CVV number had been used.

A CVV code, short for Card Verification Value, is the last three digits on the back of a bank card, and is considered critical as a last-ditch security measure against certain card fraud.

Industry standards forbid websites from storing CVV numbers, so that even if card details are saved for the sake of convenience and databases are stolen, the stolen information will be too incomplete to make a transaction.


In a response to questions on Monday afternoon, Discovery Bank said it had become aware of the security flaw last week, and immediately implemented steps to ensure it was resolved by Monday morning. 

It said the CVV code is just one of several safety features it has in place.

“We would like to reassure our clients that this has been resolved, and will not lead to losses for any of our clients,” Discovery Bank said.
