FNB Virtual Card safety features no substitute for vigilance

Jan

FNB Virtual Cards safety warning

While FNB’s virtual cards provide great safety features, like a regularly rotating CVV, they are not a silver bullet for card fraud.

Frontend engineer Herman Stander recently fell victim to a phishing attack in which cybercriminals linked his virtual card to a tap-to-pay digital wallet and cleaned out his bank account.
 
> Stander’s tests showed that when linking a virtual card to a digital wallet like Google Pay, the CVV is only required when initially registering the card on the platform.
This is definitely one of the issues I've experienced myself.

The second one that FNB hasn't acknowledged is that after the first transaction, the set card limits are ignored and the transaction goes through regardless.

Don't know if it's possible for them to fix this or not, but they'd need to acknowledge it first.
 
> This is definitely one of the issues I've experienced myself.
>
> The second one that FNB hasn't acknowledged is that after the first transaction, the set card limits are ignored and the transaction goes through regardless.
>
> Don't know if it's possible for them to fix this or not, but they'd need to acknowledge it first.
The first part about the CVV/CVC not being required after the first transaction is pretty much by design. Once he handed over the details and OTP, the wallet had the card; the CVC/CVV has been validated.

The 2nd issue you talk of, though, would be a huge issue. I've never come across it, though; could you explain it in more detail?
 
> This is definitely one of the issues I've experienced myself.
>
> The second one that FNB hasn't acknowledged is that after the first transaction, the set card limits are ignored and the transaction goes through regardless.
>
> Don't know if it's possible for them to fix this or not, but they'd need to acknowledge it first.
Wait, it bypasses the card's limits?
 
> This is definitely one of the issues I've experienced myself.
CVVs are simply an additional verification number used to verify the card for a specific authorisation at the time. This is usually a single payment; however, in this case it was to verify an authorisation of a token to add the card to Google Pay, and the token is what's used to authorise future charges to the card.
 
> Jan, you should demand some kind of answer from FNB please.
They did answer. Via their clear security communications.

"If someone knocks on your front door and says they're the tooth fairy coming to give you money, and you let them in and show them how to open your safe. You're going to get robbed."

Please do not phone the safe company and say it should have had a warning against tooth fairies.
 
> This is definitely one of the issues I've experienced myself.
>
> The second one that FNB hasn't acknowledged is that after the first transaction, the set card limits are ignored and the transaction goes through regardless.
>
> Don't know if it's possible for them to fix this or not, but they'd need to acknowledge it first.
It's NOT an issue. CVV is card-not-present verification. Once you entered it once to load the card on the wallet, the card is considered present and loaded on the wallet.

If you give your password to someone logging into your Gmail account AND you give them the OTP is that Google's fault?
 
> CVVs are simply an additional verification number used to verify the card for a specific authorisation at the time. This is usually a single payment; however, in this case it was to verify an authorisation of a token to add the card to Google Pay, and the token is what's used to authorise future charges to the card.
This has been explained ad nauseam, but some people are convinced FNB shouldn't be doing this... when in fact everyone does for stored cards.
 
> FNB Virtual Cards safety warning
>
> While FNB’s virtual cards provide great safety features, like a regularly rotating CVV, they are not a silver bullet for card fraud.
>
> Frontend engineer Herman Stander recently fell victim to a phishing attack in which cybercriminals linked his virtual card to a tap-to-pay digital wallet and cleaned out his bank account.
Where in the world was the firewall?
 
"After it is linked to a supported digital wallet, the card’s CVV is bypassed."

Can we please fix the obviously incorrect statements.... the CVV is not bypassed. The CVV did its job - it was there to ensure card is present. The user ignored warnings and was phished into giving their CVV so the card was viewed as present and thus was tokenized into the wallet. Once the card is tokenized the CVV is not needed.

It's not bypassed. It's working by design. Not FNB's design, the global payment system's design.
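
The tokenisation behaviour several replies in this thread describe, as an added example that is not part of any poster's message: a simplified issuer model showing that the CVV and OTP are checked once at wallet provisioning, that rotating the CVV afterwards leaves the token usable, and that deleting the token is what stops further charges. The class, method names, device label and all values are constructed for illustration and are not FNB's or any card scheme's API.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Issuer:
    """Simplified issuer model; every name and value here is constructed."""
    cvv: str = "123"
    otp: str = "000000"
    tokens: dict = field(default_factory=dict)   # token -> "ACTIVE" / "DELETED"
    events: list = field(default_factory=list)   # audit trail for monitoring

    def rotate_cvv(self, new_cvv):
        self.cvv = new_cvv

    def provision_wallet(self, cvv, otp, device_id):
        # The only point where CVV and OTP are checked for the wallet.
        if not (hmac.compare_digest(cvv, self.cvv) and hmac.compare_digest(otp, self.otp)):
            return None
        token = secrets.token_hex(8)
        self.tokens[token] = "ACTIVE"
        self.events.append(("TOKEN_PROVISIONED", device_id))
        return token

    def pay_with_token(self, token):
        # Tap-to-pay presents the token, not the card number or CVV.
        return self.tokens.get(token) == "ACTIVE"

    def pay_card_not_present(self, cvv):
        return hmac.compare_digest(cvv, self.cvv)

    def delete_token(self, token):
        self.tokens[token] = "DELETED"

def demo():
    issuer = Issuer()
    entered_cvv, entered_otp = issuer.cvv, issuer.otp  # details given away in the phish
    token = issuer.provision_wallet(entered_cvv, entered_otp, "unrecognised-device")
    issuer.rotate_cvv("456")
    result = {
        "old_cvv_online": issuer.pay_card_not_present(entered_cvv),
        "token_after_rotation": issuer.pay_with_token(token),
        "alert_events": [e for e in issuer.events if e[0] == "TOKEN_PROVISIONED"],
    }
    issuer.delete_token(token)
    result["token_after_delete"] = issuer.pay_with_token(token)
    return result

if __name__ == "__main__":
    print(demo())
```

The provisioning event is the step worth alerting on: it is the last point at which the cardholder's CVV and OTP play any part.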
 
> FNB Virtual Cards safety warning
>
> While FNB’s virtual cards provide great safety features, like a regularly rotating CVV, they are not a silver bullet for card fraud.
>
> Frontend engineer Herman Stander recently fell victim to a phishing attack in which cybercriminals linked his virtual card to a tap-to-pay digital wallet and cleaned out his bank account.
People should deploy Quad9 on their routers. You left that out as a recommendation. Banks blacklist sites on Quad9 directly themselves, except FNB because they are special.
 