Severe security concern!! HDFC debit card.

Deal Subedar
Stone_man

Just found something very concerning.

I tried to make a credit card bill payment on Paytm.


On the payment page I entered my HDFC VISA Platinum card number and knowingly entered a wrong expiry and a wrong CVV number.

After clicking submit, it took me to the OTP page, where I entered the correct OTP as received in the SMS.

To my surprise the transaction went through without any issue. I did not expect it.

As far as I know, if a card is not tokenized with the merchant then the expiry, CVV and OTP should all be correct for a transaction to go through.

Can anyone please check if this is happening with you as well on Paytm and other merchants? You can try with a small amount.

If what I experienced is happening with everyone, then this is a major security flaw in their system.

---UPDATE---

Checked this on Amazon. Same thing happened this time as well. 

Entered a wrong expiry and CVV; still the transaction went through with just the OTP.

Purchased a GC worth 10.

Generous

It depends on the merchant and banks etc.

Verifying the CVV is not a compulsory requirement to process the transaction. In India, OTP is the only mandatory requirement.

What Is a CVV Number? (americanexpress.com)

Quote from the above site:

'Finally, checking CVV numbers is primarily a step merchants can take to protect transactions from fraud. But retailers aren’t required to check CVV numbers, even if all their business is online – and some may never check at all.'

==============================

This is not a new thing; it has already been this way.

Patron

Same for other banks also.

OTP is the ultimate security 🤕

Deal Subedar

Not for ICICI at least. Already tested with an ICICI debit card and the transaction failed.

And even if this is the case, then all banks will have to work on this and fix these loopholes.

Deal Lieutenant

This is a Visa security lapse. Almost all Visa cards have this same problem, and it is not limited to DCs; CCs also have the same problem. If you try it with a RuPay card, it will fail.

Deal Subedar

@Gauravmittal49589 this might be the case, because I have a RuPay debit card with ICICI.

Hotshot

When I had this issue, I checked with ICICI customer care and they informed me that if the card is tokenized, then the only validation done is the OTP. Even if the expiry and CVV are entered incorrectly, it doesn't matter. So "NEVER SHARE OTP WITH ANYONE".

Deal Subedar

I had already mentioned that the card wasn't tokenized.

Generous

They check 2 factors: OTP + expiry/CVV/name/etc.

If the OTP is correct, then it will mostly work. Check with the wrong name as well, i.e. wrong name, expiry, and CVV.

Helpful

I have never used my correct name till today; all transactions go through.

Commentator

It's a feature, not a bug.

Deal Cadet

AFTER TOKENIZATION the CVV doesn't matter, it will pass through :)

So once you do tokenization on a website, that website doesn't need your CVV and some other details of your debit/credit card from then on.

It's a feature, NOT a BUG, as already specified by @LordGane.

Deal Cadet

It is a feature that no real user would have asked for, but the transactions team wants this to make the transaction success rate funnel 100% successful, whatever it is and however it is possible :)

Deal Newbie

The transaction will revert in a couple of days when the system checks for CSC (verification).
Many merchants do this check while performing the transaction (which I think is better and safer), while some do it after the transaction is successful.

Also, some merchants may not check the CVV or may have a different fraud detection system (OTP*) in place that allows a transaction to go through with an incorrect CVV, but this is an unlikely scenario.

In any case, I think you should flag this and let your bank know.


Deal Subedar

Never saw any transaction getting reversed after it showed successful in India.

Anyway, thanks for the input, will wait and see.

Helpful

Axis Bank laughing in the corner

Deal Subedar

Did not get it. Are they even worse?

Do they let transactions go through without even an OTP?