A member of the Techzim community (who is a First Capital Bank customer) reached out to us saying that they were in town one day and were paying for their parking, as everyone does. When they used their card to swipe on the mobile Point of Sale (POS) machine the parking attendant was using, the transaction was processed without requiring them to enter their PIN.
This obviously raised alarm because we want to make sure that the transaction we have made has been authorised by our hand. Card cloning and fraud are a real problem but in this case, the POS Machine bypassed the PIN request. Anyone in this situation would quite rightly be concerned about the safety of their funds.
If they were to lose the card would anyone be able to walk up to any store and buy whatever they wanted?
Since the payment was already made the individual then went on to call their bank (First Capital) to ask how something like this could be possible. They were told that this has been happening and this isn’t the first time that they are hearing of it. The person they talked to said that they have had this problem with the mobile POS Machines before and that they had been advising their employees to instruct customers not to use them.
Worse still, the customer said that someone before them paid using a bank card and they were asked to enter their PIN. This means that it isn’t the POS Machine that is the issue here but seems to be something to do with the First Capital Bank cards. The shocked customer asked the parking attendant if this has happened before and they were told that it has indeed, with First Capital Bank cards.
Now, before we dive into this further we need to take a little detour. The road we are going down will be to look at the safeguards on bank cards. As well as how a payment or transaction is authorised.
What exactly happens when you ‘swipe?’
Your magnetic strip or chipped bank card is set up with Cardholder Verification Methods or CVM. These CVMs are how an ATM can verify that it is indeed you who is making a withdrawal. CVMs are also the means by which a POS operator and machine know that the person holding the card is the rightful owner or has some authority to use it.
There are three categories of Cardholder Verification Methods, Online PIN Offline PIN or Signature and also it can be set to No CVM required. These aren’t the only CVMs that are out there but they are the most common ones.
It has been many moons since many of us used an ATM machine but it’s the best example to describe what Online PIN verification is. When you get to an ATM you are first asked to punch your PIN to continue. What the ATM does is send the encrypted PIN block to the server of the bank that issued the card for PIN verification.
The issuing bank then confirms whether the PIN is correct or it isn’t. For the former, the cardholder is allowed to proceed and for the latter the machine will then ask the cardholder to attempt to enter their PIN again.
The online PIN process is the same for Point of Sale Machines.
This form of transaction authentication doesn’t happen at an ATM because the default requirement to access services with an ATM is strictly Online PIN only.
Offline PIN tends to happen at a POS Machine. The transaction happens without any initial communication with the host server. This is because your card has an encrypted version of your PIN stored on it. The PIN is verified by the communication between the POS and your card.
When the transaction goes online for authorisation, the request sent by the POS machine will not include the PIN. If you entered the correct PIN, the POS machine will tell your bank that offline PIN verification checked out. So it’s like the POS machine has already done all the verification and it will just then tell the bank that all is well. If you entered the wrong PIN, the POS will just reject the transaction.
This CVM can either be done on paper receipt or an electronic signature pad. In Zimbabwe, I haven’t yet encountered a POS machine that has an electronic signature pad but I have signed a fair few receipts.
Since we don’t have electronic signature pad enabled POS Machines we tend to go through PIN verification and then we sign on the receipt. It is then down to the merchant to check the signature on the receipt with the one on the back of the card.
In Zim the whole signing on receipts thing is more a useless nuisance really. Signing was for older systems like what was until very recently quite dominant in the US which had no PIN verification. One only had to swipe and then sign to authorise the transaction.
So the little POS printouts we sign on are not useful to anything at all. No one checks the authenticity of the signature against any record. Indeed it’s not necessary because authentication would have already been done by the act of entering one’s PIN.
No CVM required
This is common for low value transactions in some countries. The amount that is spent is low enough that the POS Machine doesn’t require a PIN to authorise the transaction. The threshold of which amounts can sail through without verification is set by the bank that issues the card.
In Zimbabwe the version of this that we really know is Tap-and -Go contactless payments like the ZUPCO Tap Card.
As most of you are probably guessing, yes there are rules that govern how all of these CVM types work.
Who sets the rules and which CVM is used on your card?
Payments operators/schemes (VISA, MasterCard etc) and your bank set the rules for the CVM that your card will use in a particular country. In Zimbabwe, the rule has always been Online PIN only because it’s the option that presents the least risk. So any payment that goes through the Zimswitch network will need to be an online PIN verification transaction.
This was also because the majority of the cards in the country were magnetic strip card. But the advancement of card technology led to the introduction of chip cards which can have a number of CVMs set in a particular order which is called a CVM list.
The CVM list is set by your bank. This means that in Zimbabwe the first CVM option is always Online PIN verification. Your bank can then set one or more of the others in whichever order (or none of them really).
The next option can be, for example, to authorise a transaction using Offline PIN verification in the event that there are network outages and the POS Machine can’t connect to the bank server to do Online PIN verification.
These rules are built into the card itself. If a card is thus set for Online PIN verification only it means that nothing can happen unless the bank’s server has verified that the PIN entered at a POS is the correct one. If Offline PIN is enabled though and the POS has the right capacity it can check the PIN a customer enters against the PIN already stored (encrypted) on the card itself. The POS will later inform the issuing bank that the transaction happened and the PIN was successfully verified.
The system as per ISO8583 is set up that no transaction can be completed without the parameters on the card having been fulfilled.
I know this is a bit dizzying but we are turning back on to the road we started on
So what could have happened with the transaction that bypassed PIN entry?
We speculated as to how this could have happened. We will first share what we considered logically plausible scenarios and then we will share First Capital Bank’s response to our questions. The scenarios we speculate on here are just so you can understand the context of our conversation with First Capital Bank.
Scenario 1 : Blame the mobile POS
The person who experienced this was told by someone at First Capital Bank that this problem was coming from low-cost mobile POS machines. Here is how this scenario would play out:
It would first mean that First Capital Bank permits offline PIN as one of the CVM options on its cards. We would then assume that somehow these problematic mobile POS devices were telling First Capital Bank that offline PIN verification has happened when it hasn’t.
If this is the case then the reason other banks would not be affected would be perhaps they only allow online PIN verification on their cards. However, Zimswitch says they do not allow any card transactions on their network that are not tagged as having a PIN being sent to issuing bank for verification. So it would mean the POS device is tagging the transaction deceitfully too or that City Park is using First Capital Bank POS devices. In that case, the ‘swiping’ of a First Capital Bank card on a First Capital Bank POS would not go through Zimswitch.
Scenario 2 : Error at First Capital
First Capital Bank could have an error in its’s system which somehow makes their server ‘ignore’ that authentication has not yet happened. This would be a very concerning error and frankly speaking quite unlikely.
The matter though, is complicated by the fact that the customer spoke to someone at the bank and they said that this isn’t the first time they have heard of this.
Scenario 3 : The mobile POS trying to be convenient
Sometimes, POS machines may be set by the acquiring bank (the bank that owns the POS) to allow low cost transactions to go through without authentication. However, as we have explained above, this would only happen if the card issuing bank has also included this option in their CVM rules on the card. So First Capital Bank would still have allowed this to happen.
What did First capital have to say about all this?
We reached out to First Capital Bank with a number of questions concerning the matter and this is what they had to say:
The regulation as far as we are aware is for card payment & transactions in Zimbabwe to have Online PIN verification only. How could it have been possible for a customer to swipe at a POS Machine and not be asked to enter their PIN?
At First Capital Bank all our cards are designed to provide security to our users via PIN request settings, CVV2 and Chip card security configurations. Within basic transactions, there can be an option where security configurations are also set by the owner of the actual POS Machines. If a customer transacts on a non-First Capital Bank machine the security settings on the same are the responsibility of the Acquiring Bank. Machine configuring of POS Machines have diverse and unique settings that govern how they operate. PIN request requirement is set by the card acquirer for certain card types eg Megstrip etc. PIN settings are also determined by configuration on the actual POS set by acquiring bank. Different POS machines also have preset limits that they use for transactions, this sets the parameters of how the card will operate. Some terminals have a facility to allow for manual and automatic transactions to be processed, those with manual options may allow transactions to be processed without pin verification, however, such settings maybe disabled through configurations.
Every card has a Cardholder Verification Method list which sets the order in which transactions can be authorised with the default being Online PIN Verification. What other CVMs does First Capital Bank set on the cards it issues to customers?
At First Capital Bank to protect our customers pertaining to their cards we have education and awareness of customers at the onset during the card issuance process in-branch. Our cards also have the Offline and online PIN Requirement settings and CVV2 rule for online transactions, CVV2 for CNP. We also have Chip Cards that have security configurations that limit cloning possibilities.
Do you have POS Machine offerings, if so what type of POS Machines do you offer and does City Parking Harare use any of your POS Machines?
Yes, we offer POS Machines to various merchants countrywide. We offer the following POS Machine models PAXS920 which is touchscreen and dual sim with wifi capabilities, PAXQ80 is an enhanced version of the standard offering POS machines then finally we have PAXD220 which is a mobile POS offering device that may be used on-the-go.
City Parking Harare is not part of the First Capital Bank merchants currently.
Does the CVM list that First Capital sets for its cards allow for a transaction to occur without a PIN when served at a POS Machine that you offer?
No this is not our current system setting configuration. A client is required to provide a PIN to transact on our machines. A transaction outside of this would be an anomaly requiring rectification.
Has an event like the one I explained, ever happened before with any of your customers?
We have not recently had any similar cases of this nature but we continue to work with our support teams and acquirers to ensure this.
Have your customers ever complained about problems with making transactions at a POS machine that is from First Capital or one from any other bank?
At the inception of our system migration, we went through a stabilization phase where we had some system downtime on our POS machines. Our technology teams worked tirelessly to assimilate the system to its optimum levels. We have now reached a point of stability where there is minimal disruption, meaning enhanced service delivery for our customers.
3 thoughts on “First Capital Bank card allowed transaction without PIN, very dangerous”
This is probably is just a bug, with big implications though, with the handshake processes that happen when acquiring a transaction. Possibly the POS is initiating a transact/deduct query, before the PIN has been supplied. A POS can be (un)intentionally programmed to act in a certain way for whatever misconstrued reasons. My money is on the POS being the errant player.
Oddly, the CVV(2) has not been classified as a card verification method on its own. Online purchases generally require this, instead of a PIN.
Just shows how totally behind the game you all are in Zimbabwe. This no contact payment method is extremely common in orderly society which Zimbabwe is not. It’s common where the city parking would be a fixed payment point accepting notes coins and Non contact payments. My point is the machines for accepting payments are usually at fixed points and you have no need to have tellers. Unfortunately these are Zimbabwe’s main jobs due to the chaos relating back to you know when. Now all a person has to do is disable the feature online. Welcome to making payments in 2010 Zimbabwe.
In South Africa we have an option to tap or insert the card in the machine.there is a limit for tapping the card that can go through without a pin required. Most of the time it is around R300 or less. I’m shocked that zim still don’t use it especially during this time of covid19 where contactless is encouraged.