FNB Virtual Card safety features no substitute for vigilance

This is definitely the guy's fault but these digital wallets can also improve security somewhat by only allowing manual card additions via physical card scans. That failing, cards can only be added from the bank's app.
 
Does that make it 200% safer or -100% more vulnerable?
I think it makes it 100% be used for what it's supposed to be used for :ROFL:
Adding your token to a scammer's wallet is not a Transaction, but it could be an expensive error :ROFL:
 
This is definitely the guy's fault but these digital wallets can also improve security somewhat by only allowing manual card additions via physical card scans. That failing, cards can only be added from the bank's app.
Virtual cards....
 
3DS should be used to add the card to Google wallet. It could not have been used in this case.
Why not?
If he was stupid enough to hand over the OTP he could just as well have approved the app message.
 
OTP via SMS is the fallback for authorizing online card payments when the Push Authorization isn't given within a few minutes. It's not so far-fetched for him to have entered it to authorize a payment he intended to make.
He handed the OTP to the guy though, it sent him the message to enter the OTP, if he didn't have the screen to enter the OTP you never hand it to someone else.
 
It is not entirely correct to say "You will never be asked to provide a banking OTP to a merchant when making a payment." You have to enter it for all Woolworths and Takealot online purchases (amongst many others) although they route you elsewhere to do so. Most people wouldn't know whether they are on a merchant site or not.
 
therein would lie the problem then ... google wallet accepts cards with the number being entered manually, no scanning involved

my time in the industry predates digital wallets, but there's no way that is a true "card present" situation even if the networks may designate it as such

i.e. if the card was not present in order to create the token it seems silly to deem subsequent transactions using that token as card present
The problem here is lack of 3d secure. If I use a physical card, pin required, especially for tap over I think R500. If I do any digital payments, an auth is sent to my banking app.

So the issue is where merchants or providers do not respect a 3dsecure type environment and that is a lot of international, especially US.
 
The owner did not himself enter it into the 3DS site.
That's the entire point of phishing isn't it? The attacker entered the OTP which the victim gave to the attacker.

Banks should fail the transaction and not resort to SMS. Or at least allow the client to opt out of SMS.
I thought FNB did all notifications in app??..
There are so many confusing contradictions here.
In this case the timeout is being abused and is a vulnerability whichever way you look at it.
Can I log a bounty?
I don't see the relevance. The OTP was still sent via SMS to the owner of the bank card from the bank?
 
It is not entirely correct to say "You will never be asked to provide a banking OTP to a merchant when making a payment." You have to enter it for all Woolworths and Takealot online purchases (amongst many others) although they route you elsewhere to do so. Most people wouldn't know whether they are on a merchant site or not.
No, you enter it on your app or a 3d secure window, NEVER on a merchant site.
 
At some stage adults need to take responsibility for their own actions.
Ja but life would be a whole lot easier if I could set a global limit for newly created VC's rather than manually adjust limits every single time I create a new card.
 
The problem here is lack of 3d secure. If I use a physical card, pin required, especially for tap over I think R500. If I do any digital payments, an auth is sent to my banking app.

So the issue is where merchants or providers do not respect a 3dsecure type environment and that is a lot of international, especially US.
There's so much confusion in this thread it's a little silly now. If you sign up for Netflix do you authorise every subscription payment? If you sign up for PayPal do you authorise every credit card transaction? People are conflating authorising a card to be linked for future payments and authorising cards for a single payment.
 
Most people wouldn't know whether they are on a merchant site or not.

I agree. Where we diverge, is the fact that when I get an SMS or similar, I read it.

The problem here is lack of 3d secure. If I use a physical card, pin required, especially for tap over I think R500. If I do any digital payments, an auth is sent to my banking app.

So the issue is where merchants or providers do not respect a 3dsecure type environment and that is a lot of international, especially US.

That is not the problem. If the merchant does not do 3dsecure, it is their problem. It is an increased risk for the merchant. But that is moot, as in the OP's case the card was linked to a wallet and tapped. No 3dsecure will ever come into play there.
 
The problem here is lack of 3d secure. If I use a physical card, pin required, especially for tap over I think R500. If I do any digital payments, an auth is sent to my banking app.

So the issue is where merchants or providers do not respect a 3dsecure type environment and that is a lot of international, especially US.
depends though, if the bank mandates 3DS and the merchant does not bother, liability shifts to the merchant for fraud, not the cardholder
 