On October 11, 2018 at 10:17 robert@ripe.net (Robert Kisteleki) wrote:
> (this is probably OT now...)
> > I'm pretty sure the "entire point" of inventing CVV was to prove you physically have the card.
> Except that it doesn't serve that purpose. Anyone who ever had your card in their hands (e.g. waiters) can just write that down and use it later, hence defeating the purpose of "physically having the card". (Call me paranoid but I usually use a black pen to make the numbers unreadable because of this, after my card (both sides) has been photocopied a number of times...)
What you're saying is they don't work as well as you might hope, not that they don't serve that purpose. If you snatched 5M credit card numbers and expiration dates but, as required by contract, there were no CVVs in that db, how well would that work with sites which require a CVV for a transaction? Not well at all. So there's a purpose.

Also, traditionally one's signature is on the back right next to that CVV for a merchant to compare against, which leaves forgery a mere exercise in, well, forgery, since the example one has to reasonably match is right there. Which doesn't mean signatures don't work, it's just not much protection against anyone who can reasonably forge a signature. But many people can't or won't try; it discourages minor criminals like your boyfriend using your card surreptitiously while you were sleeping. They're also some reasonable evidence that the transaction was done in person with the card in hand. I know some merchant contracts wouldn't allow forgiveness (who eats the fraud) for charges w/o a signature where their contract claims they only do in-person purchases, which gets them a lower rate. There is a concern for merchant fraud also in all this; unfortunately that's very tempting.

BUT IT'S ALL WORSE THAN THAT! When I had a book of checks stolen (and reported) several turned up used in major big box stores with information like driver's license number, date of birth, etc. neatly written on them, tho none of that info was mine. I doubt they went to the trouble of counterfeiting a driver's license; it's possible, but this was small-time fraud. My suspicion was they were in cahoots with the cashier, simplest explanation: the cashier was a friend who probably got a cut. So anything in the presumed chain of events can often be suborned.
> This has always been an amusing topic. At the end of the day it's a financial risk management call from the banks -- as long as they lose less money on the current system than the cost of fraud, things will not change. Of course, they try to push those costs onto others as much as possible, but that doesn't change the bottom line.
I agree with this. Quite a few years ago I was interviewed by a start-up manufacturer of a big parallel "mini" to head their OS effort. Something which came out in the conversation, which went on for hours! (very pleasant tho), was that a major credit card company had pledged in writing to buy $150M of their machines on day one of ship if they could run a set of their anti-fraud algorithms quickly enough (their spec) to be able to reject transactions in real time. The company had done forensics and I think the estimate was if they could have run those algorithms they would have saved them some big number like $50K/hour in fraud. But they couldn't run them fast enough to allow for reasonable transaction times.

And then ya sit around the bar thinking you know how this or that startup is funded or why...that would not have been one of my guesses!

--
-Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*