iscovery Bank credit cards were affected by a security vulnerability that allowed you to make online purchases without knowing a specific bank card’s CVV.
The card verification value (CVV) is the set of three digits printed on the back of the card which acts as a security measure when making payments online.
MyBroadband received an anonymous tip stating that you could type in any three digits for the CVV when buying something online with a Discovery Bank card and the transaction would be approved. It appeared as though Discovery was not checking the CVV to authenticate transactions at all.
“We detected the CVV issue last week and immediately started implementing a series of steps to correct the issue,” Discovery Bank told MyBroadband.
“It has been fully resolved and has not led to fraud being been experienced or our clients incurring any losses.”
CVV is not the only thing protecting you from fraud
Discovery Bank noted that the CVV is just one of the many security features that protect a card from fraud.
“Other mechanisms in place at Discovery Bank include one-time pin verification, verified by VISA, and using AI to identify transactions that don’t meet a clients’ typical spend behaviour.”
Business Insider tested the issue on Monday and reported that in one of the two tests it conducted, Discovery Bank did not require a one-time PIN or another authentication method to approve a transaction.
MyBroadband’s tests indicate that Discovery had fixed the issue by midday on Monday.
“As a world-class digital bank, we’ve put into place unrivalled systems to protect our clients,” Discovery Bank stated.
“We also work in conjunction with multiple parties, including Sabric and Visa, to continually evaluate and enhance our fraud detection and prevention systems and processes.”
Fraud detection
MyBroadband asked a Discovery Bank client to test the issue on Monday, and by the time they conducted their test transaction, at around midday, the issue had been fixed.
Not only was their purchase declined, Discovery Bank’s fraud department immediately called the person to check whether the attempted transaction was legitimate.
Discovery Bank asked the person a series of questions to confirm their identity.
The Discovery Bank client told MyBroadband the questions they were asked, but we have decided not to reproduce them here.
To read the original article:
https://mybroadband.co.za/news/security/323350-big-discovery-bank-security-flaw.html