DiscoveryCard are giving human beings access to your PIN when they reset it. On top of this they actually call you and read you your new PIN *over the phone*.
In an age where SIM-swap banking fraud syndicates infiltrate mobile phone operators, I don’t believe this is a very prudent or secure thing for DiscoveryCard to do.
And the convoluted process also takes anything up to 48 hours. Welcome to the modern fast-paced world of technology.
I discovered this by having the misfortune of my PIN being blocked – something I’m not willing to take responsibility for either: VISA Online Secure/Verified by VISA was down on Tuesday as I attempted to make online purchases. This transaction failed a number of attempts before I gave up and called Discovery, to which I was redirected first to FNB and then back to another call centre agent who confirmed the stupid VISA verification service, which by the way only actually protects the bank – not the consumer, was down. It came back later in the day and I completed my online transaction.
Later that evening I may have mistyped the PIN once while paying my bill, and then used the correct PIN, but suddenly it was already blocked. I proceeded to try a few more times before I saw a flood of text messages about a blocked PIN – please contact Discovery during office hours. I know I used the correct PIN because it’s a new one and I had it written down. I suspect this is linked back to the Online Secure problems.
After trying the Discovery website and FNB online banking and getting shoved from link to useless link I became aware the PIN reset functionality that was previously available online was no longer there, although there were many stale and outdated links still suggesting the feature. So I called Discovery, gave them answers to the really basic security questions they use to verify one’s identity, and then was told a PIN reset had been requested, and would occur at midnight. I figured I could survive for an evening without this credit card, but the next thing I heard blew me away:
Within 48 hours someone from Discovery Card would phone me and read my new PIN to me over the phone!
But that’s my PIN! My PIN. MY PIN! The most personal 4 digits in my financial existence. How can they let some stranger see my PIN? And read it to me. What if I don’t change it? Then that PIN exists in someone’s memory. And what if the telephone line is not secure? Wait, I know the telephone line is not secure! Run that by me again: Someone will call and read you your new PIN. Haha, Get out!
This shocked me, so I asked Discovery about the insecurity of this process on Twitter:
So @Discovery_SA Card makes a person call you and read you your new PIN to reset it. That is an outrageous transgression of PIN security.
— Shaun Dewberry (@Shaun) November 3, 2016
and received this reply:
@Shaun Hi, this a very secure department which is highly regulated and the PIN’s are immediately destroyed after reading.
— Discovery (@Discovery_SA) November 3, 2016
This is crazy. This is a human element introduced into a system that third persons do not belong in. Anybody with devious intentions could get a PIN out of that department easily. Surely these people go to lunch? Or they go home at night? They leave the building at some stage at least, and remembering a 4 digit number for a short period is trivial. Or one could steal a document. Or they could just phone the “wrong number” and give the PIN out that way. Or there are so many ways to compromise this system. And even if all the staff are 100% honest, they’re still susceptible to blackmail.
Previously one could just manage one’s PIN online. It was a simple secure transaction between you and a cool patterned printed piece of paper that cleverly concealed the PIN. Or it was between you and the computer. Nobody else’s eyes were involved or could get involved.
I can’t believe Discovery have stepped so far backwards. Honestly, it’s a joke.
But still, I guess I’ll wait for my PIN, and then change it at an FNB ATM.
What’s that? Capitec have a credit card account now? Aha.
Tags: