Can I trust bank notifications?
I was buying something (expensive and time sensitive) online. I used the details of a card that were remembered by the browser but it asked me to enter the security code.
I entered the code for another card. I didn’t realize until after I clicked submit. But the payment went through.
The website said the payment was successful. I got a confirmation notification from the bank. I got a confirmation email from the website that all had gone through successfully.
A few minutes later I got a notification from the bank that a payment had been declined because the wrong security code was entered. I thought that the point of these codes was to prevent incorrect or unauthorized payments from going through.
I logged into my banking app to see if the money had been taken, but there were no details shown.
Over the next few hours I repeatedly checked my email expecting an email from the company and that I’d need to reorder. Nothing that night and still nothing the following morning.
But everything went through as intended. The item I purchased was provided without issue. My bank account history has no indication of a problem with the payment and it looks like it went through without issue.
But the fact remains. I entered the wrong security code when making a payment but the money was taken without issue.
Maybe the algorithm is smart enough to recognize the code from the “other” card and based on other factors (past purchase patterns, etc.) deem this a valid payment.
Or maybe it’s not that secure. Maybe the heuristic, AI-powered algorithm incorrectly let this through. Who knows?
What I do know is that I now trust the security of online banking payments a little less. :(
What are the lessons?
- Check that security procedures work as expected.
- Ensure notifications are definitely correct.
- Provide a way to find out more information or ask questions about a notification.
- If ambiguous or contradictory messages are sent, also send one to clarify or confirm what actually happened.