Major South African bank has a serious security flaw
Independent tests revealed that Discovery Bank has a serious security vulnerability that could allow online purchases to go through without the correct CVV number.
Discovery Bank is South Africa’s premier new digital bank with 1.1 million clients and 2.5 million accounts, with between 1,300 and 1,400 new clients signing up each day.
However, it looks like these clients are now facing a significant security risk. Anonymous complaints submitted to Newsday pointed to weaknesses that were later confirmed through multiple tests.
These tests showed that transactions could be completed using incorrect CVV numbers, suggesting the bank may not be verifying this information during online purchases.
The card verification value (CVV) is the set of three digits printed on the back of the card that acts as a security measure when making payments online.
Entering the CVV is an important security feature because it helps ensure that the person making the purchase physically has the card.
This is not the first time this issue has raised concerns about Discovery Bank’s card security for online purchases.
Six years ago, MyBroadband reported that one could type in any three digits for the CVV when buying something online with a Discovery Bank card, and the transaction would be approved.
At the time, Discovery Bank told MyBroadband that they detected the CVV issue a week prior, “and immediately started implementing a series of steps to correct the issue”.
“It has been fully resolved and has not led to fraud being experienced or our clients incurring any losses.”
Newsday asked Discovery Bank about the issue, which has also dogged the financial institution in the past.
Discovery Bank told Newsday that when in-app authentication is presented, they do not fail a transaction due to an incorrect CVV.
This is because Discovery Bank considers the in-app authentication to be stronger security than the CVV data.
“For Card Not Present transactions where in-app authentication is not requested, we do fail the transaction if the CVV is incorrect,” Discovery Bank added.
Testing Discovery Bank card security
Newsday, with the help of an independent software engineer and security expert, put Discovery Bank’s security to the test through local and international online purchases.
We used a Discovery Bank card to make a small online purchase from Checkers Sixty60, one of South Africa’s most popular online shopping platforms.
When asked for the CVV, a fake “123” code was used, which took us to the next step, in-app authorisation.
After we approved the transaction in the Discovery Bank app, the transaction was approved, and the money went out of the account.
This supports the claim that they “do not fail a transaction due to an incorrect CVV,” because the bank considers “the in-app authentication stronger than the CVV data.”
Next, we placed an online order on Temu, the popular Chinese online shopping platform which has gained a large following in South Africa.
We placed a R217 order, which required a CVV. Again, we used the incorrect “123” number. The Temu site immediately reported that the payment was successful.
No in-app authentication was requested. However, we received multiple notifications that the payment was pending.
Within five minutes, two notifications came through saying that the payment had gone through, and then that the card was declined.
However, while Discovery said that the payment was declined, our bank balance told a different story.
On the app, the Temu payment, which never required in-app authentication, was pending for several hours until it was ultimately approved.
There was also a further R4.34 charge, deducted as a fee for international payments.
This test raises questions about Discovery Bank’s claim that card-not-present transactions where the CVV number is incorrect will fail.
In this test, no in-app authentication was requested, the wrong CVV was entered, and the transaction still went through.
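To make the contradiction concrete, here is an added example (not Newsday’s or Discovery Bank’s code) that models the CVV policy the bank stated to Newsday as a small decision function and replays the two tests described above against it; the transaction fields, the policy model and the observed outcomes are constructed from the article, not from the bank’s actual authorisation system.

```python
from dataclasses import dataclass

# Constructed, illustrative model of the policy Discovery Bank described:
#  - when in-app authentication is presented, an incorrect CVV does not fail the transaction;
#  - for card-not-present transactions without in-app authentication, an incorrect CVV fails it.
# This is NOT the bank's real authorisation logic; it only encodes the stated rule.


@dataclass(frozen=True)
class Txn:
    merchant: str
    cvv_matches: bool
    in_app_auth_requested: bool
    in_app_auth_approved: bool = False


def stated_policy(txn: Txn) -> str:
    """Return 'approve' or 'decline' for a card-not-present transaction under the stated policy."""
    if txn.in_app_auth_requested:
        # The bank treats in-app authentication as stronger than the CVV, so the CVV result is ignored.
        return "approve" if txn.in_app_auth_approved else "decline"
    # No in-app authentication: the CVV must match.
    return "approve" if txn.cvv_matches else "decline"


def audit(txns: list[Txn], observed: list[str]) -> list[tuple[str, str, str]]:
    """Compare observed outcomes with the stated policy; return (merchant, expected, observed) mismatches."""
    return [
        (t.merchant, stated_policy(t), o)
        for t, o in zip(txns, observed)
        if stated_policy(t) != o
    ]


# Constructed reproduction of the two Newsday tests and the outcomes the article reports.
TESTS = [
    Txn("Checkers Sixty60", cvv_matches=False, in_app_auth_requested=True, in_app_auth_approved=True),
    Txn("Temu", cvv_matches=False, in_app_auth_requested=False),
]
OBSERVED = ["approve", "approve"]

if __name__ == "__main__":
    for merchant, expected, got in audit(TESTS, OBSERVED):
        print(f"{merchant}: stated policy says {expected}, observed {got}")
```

Running it flags only the Temu transaction, which is exactly the case the article says contradicts the bank’s statement.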
The screenshots below show the tests conducted by Newsday regarding the Discovery Bank security vulnerability.
Screenshot: CVV authentication
Screenshot: Multiple notifications from Discovery that the payment was declined.
Screenshot: The account balance before and after the Temu order going through.
Screenshot: The Temu app message the next morning, despite the wrong CVV and no in-app authorisation.
Discovery responds
Following the publication of the article, Discovery Bank reached out to share “some additional context” on how its systems work and the protections in place for clients.
Every transaction made using a Discovery Bank card, whether online or in-store, is subjected to a series of checks including real-time rule-based validation, analysis of multiple transaction data points, and a risk score generated by Visa’s global risk management tools.
In some cases, transactions may proceed without CVV verification but it’s important to note that authentication requirements like using 3D Secure are set at the merchant’s discretion.
While we always encourage the use of 3D Secure as the most secure method of verifying online transactions, the decision to apply it lies with the merchant. When merchants choose not to use 3D Secure, clients are fully protected as the merchant accepts full liability for any fraudulent transactions that may occur.
Where fraud is confirmed and the merchant has not applied the appropriate level of authentication, clients will be reimbursed.
Due to the sensitive nature of fraud rules, we are not able to publicly disclose details on these rules or their application to individual transactions. We do however encourage and welcome any client feedback and remain completely committed to ensuring our clients have access to the most secure and rewarding banking experience.
At Discovery Bank, the security of our clients’ information and transactions is of utmost importance – we’re constantly enhancing our systems through a risk-based approach that evolves with global fraud trends to ensure the highest standards of protection.
Last time I checked, they’re also the only major SA bank to not support https://debicheck.co.za/contacts-desktop/
I love Discovery Bank too but they need to do better on security issues