In response to my comment about:
If I'm not supposed to not "tell anyone", why is it even printed where I can read it?
(Sorry for the extra not in there.) I got an off list suggestion of: http://www.cvvnumber.com/ It looks reasonable. But then, whois for cvvnumber.com says: Registrant: Domains By Proxy, LLC DomainsByProxy.com 15111 N. Hayden Rd., Ste 160, PMB 353 Scottsdale, Arizona 85260 United States Should I really take them seriously? -- These are my opinions. I hate spam.
On Jun 9, 2012, at 1:06 AM, Hal Murray <hmurray@megapathdsl.net> wrote:
Should I really take them seriously?
Your call. That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a skimmer from being able to do mail-order/internet-order with your card number. The CVV is not on the magnetic strip, so a skimmer installed at the ATM or gas pump won't be able to capture it. There's a similar value on the magnetic strip that keeps the internet site you gave your card number and CVV to from being able to print cards and use them at the gas pump. Certainly they don't stop all fraud. They stop one type of fraud.
On 09-Jun-12 09:14, Joel Maslak wrote:
On Jun 9, 2012, at 1:06 AM, Hal Murray <hmurray@megapathdsl.net> wrote:
Should I really take them seriously? Your call.
That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a skimmer from being able to do mail-order/internet-order with your card number. The CVV is not on the magnetic strip, so a skimmer installed at the ATM or gas pump won't be able to capture it.
This is CVV2; it is printed (but not embossed) on the card but not on the magstripe. This is requested by online merchants to "prove" that the card is in the customer's possession, since it won't show up on carbons, receipts, etc. and in theory will never be stored by any merchant (unlike the account number, expiration date, etc.). .
There's a similar value on the magnetic strip that keeps the internet site you gave your card number and CVV to from being able to print cards and use them at the gas pump.
This is CVV1; it is on the magstripe but not printed on the card; this is how brick-and-mortar merchants can "prove" that your card was in the merchant's possession ("card present"), i.e. swiped rather than entered by hand.
Certainly they don't stop all fraud. They stop one type of fraud.
The two codes are targeted at very different types of fraud. What they have in common is that submitting either a CVV1 or CVV2 number enables merchants to get a better discount rate on their transactions. Given the low margins in many industries, this can make the difference between making a profit and losing money on a sale, which is why many merchants refuse transactions without CVV1 or CVV2. Merchants in industries with higher margins often don't care; they'll submit CVV1 or CVV2 when convenient, but they won't let not having them block the sale. S -- Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
On Sat, Jun 9, 2012 at 7:14 AM, Joel Maslak <jmaslak@antelope.net> wrote:
That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a skimmer from being able to do mail-order/internet-order with your card number. The CVV is not on the magnetic strip, so a skimmer installed at the ATM or gas pump won't be able to capture it.
No, it's to stop more than one type of fraud - however your point is correct in that it's not designed to stop *all* fraud, it's just one of many layers of prevention. In addition to the one you've mentioned, the CVV2 also stop the card being fraudulently being used in any situation where the card number has been leaked, such as a database of card numbers being hacked, a receipt with the full number on it (rare if at all existent these days), etc. The rules on CVV2 numbers basically say that the number can never be recorded by the merchant after the transaction has been processed, which pretty much means that they can't store it at all in any form. If a database is hacked, the CVV2 number will not be there. Scott
On 6/9/2012 12:06 AM, Hal Murray wrote:
In response to my comment about:
If I'm not supposed to not "tell anyone", why is it even printed where I can read it?
(Sorry for the extra not in there.)
The CVV number is simply to prove that the card is in your possession. The percentage of the sale that goes to Amex/Visa/Mastercard/Discover (etc) is determined by whether the merchant can supply various items, and the CVV is one of them. Running the card physically (where the merchant touches your card, and presumably verifies that you are you) gets taxed the lowest. The CVV is just meant to replace that verification. Sort of. I disapprove *strongly* of any online merchant that does not request this simple item, but it's not magic.
I got an off list suggestion of: http://www.cvvnumber.com/
It looks reasonable.
But then, whois for cvvnumber.com says:
Registrant: Domains By Proxy, LLC
Should I really take them seriously?
No. No you should not. Here's the canonical Wikipedia entry, for those still playing along. http://en.wikipedia.org/wiki/Luhn_algorithm There's a few more grown-up words there. The best part is that it's a public algorithm. What's not to like? -- A picture is worth 10K words -- but only those to describe the picture. Hardly any sets of 10K words can be adequately described with pictures.
On Jun 9, 2012, at 7:14 AM, Lynda wrote:
On 6/9/2012 12:06 AM, Hal Murray wrote:
In response to my comment about:
If I'm not supposed to not "tell anyone", why is it even printed where I can read it?
(Sorry for the extra not in there.)
The CVV number is simply to prove that the card is in your possession. The percentage of the sale that goes to Amex/Visa/Mastercard/Discover (etc) is determined by whether the merchant can supply various items, and the CVV is one of them. Running the card physically (where the merchant touches your card, and presumably verifies that you are you) gets taxed the lowest. The CVV is just meant to replace that verification. Sort of. I disapprove *strongly* of any online merchant that does not request this simple item, but it's not magic.
How does having the CVV number prove the card is in my possession? I have memorized the CVV in addition to the 16 digits of the cards I commonly use and routinely enter them into online ordering without retrieving the card. What prevents a fraudster from writing the CVV down along with the other card data? Sure, the CVV (in the case of CVV2) may not be included in the computer-readable mag-stripe or in swipe transactions, but I really don't see how CVV does anything to prove physical possession of the card at the time of the transaction (or at any time, in fact).
I got an off list suggestion of: http://www.cvvnumber.com/
It looks reasonable.
But then, whois for cvvnumber.com says:
Registrant: Domains By Proxy, LLC
Should I really take them seriously?
No. No you should not. Here's the canonical Wikipedia entry, for those still playing along.
Luhn seems to apply to the check digit (last of the (usually) 16 digits) on the face of the credit card and not to the CVV value. Owen
On 2012-06-09, at 10:56, Owen DeLong <owen@delong.com> wrote:
How does having the CVV number prove the card is in my possession?
It doesn't, it merely proves you must have handled the card physically at some point since storing that value in a database is forbidden. Verified by Visa and the MasterCard equivalent actually "prove" that you are the rightful card holder. Unlike CVV numbers, they actually exempt the merchant from chargebacks (or did circa 2003). Alex
On Sat, Jun 09, 2012 at 02:18:15PM -0400, Alexandre Carmel-Veilleux wrote:
On 2012-06-09, at 10:56, Owen DeLong <owen@delong.com> wrote:
How does having the CVV number prove the card is in my possession?
It doesn't, it merely proves you must have handled the card physically at some point since storing that value in a database is forbidden.
Verified by Visa and the MasterCard equivalent actually "prove" that you are the rightful card holder. Unlike CVV numbers, they actually exempt the merchant from chargebacks (or did circa 2003).
Alex
Before the days of online transactions, how many people even knew a portion of their CC let alone the verification tag? The main weakness of CVV2 these days is "form history" in browsers. (auto complete). Now, if someone can get ont your PC, they not only get the credit card number (which there are myriad different ways to get) but the CVV as well so that mechanism is, now, all but useless. Add to that the fact online merchants don't even have to appear in the same country, let alone region, and the "location of purchase relative to the home residence of the user" doesn't mean much either so can't act as an effective secondary if the information were to be captured. Just like all other forms of security and fraud protection that we in the online community try to enable, eventually something comes along that makes the job a lot harder. Having these mechanisms is better than not having them but there will never be a perfect system. -Wayne --- Wayne Bouchard web@typo.org Network Dude http://www.typo.org/~web/
On June 9, 2012 at 12:12 web@typo.org (Wayne E Bouchard) wrote:
The main weakness of CVV2 these days is "form history" in browsers. (auto complete). Now, if someone can get ont your PC, they not only get the credit card number (which there are myriad different ways to get) but the CVV as well so that mechanism is, now, all but useless.
Oh c'mon, all but useless? Look at all the ifs/ands/buts. They need access to your form history which actually is useless if the merchant's form just uses a password-type field, etc. Yeah, a lot of these techniques are useless if your computer etc is completely pwned. But they help if you're not. Credit card fraud prevention is all about percentages, not absolutes. Even just requiring a valid credit card number and expiration date and nothing else probably prevents, I dunno, 98%+ of all potential fraud, probably 99%+. The rest is about squeezing down that last percentage point or two and generally discouraging crooks from trying. One of the PITA frauds credit card companies deal with is someone in the household, like your teenage kid, taking your card physically out of your wallet and using it w/o your permissin and then you call in when you see the bill that you never ordered $100 from iTunes or bought any cool sneakers at the mall. That's probably more common than a lot of the other frauds you imagine. A lot of these techniques at least prove that *someone* had your card physically if they suspect this was not fraud but, rather, "unauthorized use". People will also try to deny charges they simply regret, like a night at a bar with strippers particularly that one in the blue hot pants, who the h*** KNEW she got $300 for a lap dance and $50/glass for the Kristal, doesn't seem fair not fair at all...it's some backpressure. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
There is a reason part of most scanners that verify the PCI standard look for autocomplete=off on credit card number and cvv2 fields. This is specifically it. -j On Sat, Jun 9, 2012 at 12:30 PM, Barry Shein <bzs@world.std.com> wrote:
On June 9, 2012 at 12:12 web@typo.org (Wayne E Bouchard) wrote:
The main weakness of CVV2 these days is "form history" in browsers. (auto complete). Now, if someone can get ont your PC, they not only get the credit card number (which there are myriad different ways to get) but the CVV as well so that mechanism is, now, all but useless.
Oh c'mon, all but useless? Look at all the ifs/ands/buts. They need access to your form history which actually is useless if the merchant's form just uses a password-type field, etc.
Yeah, a lot of these techniques are useless if your computer etc is completely pwned. But they help if you're not.
Credit card fraud prevention is all about percentages, not absolutes.
Even just requiring a valid credit card number and expiration date and nothing else probably prevents, I dunno, 98%+ of all potential fraud, probably 99%+.
The rest is about squeezing down that last percentage point or two and generally discouraging crooks from trying.
One of the PITA frauds credit card companies deal with is someone in the household, like your teenage kid, taking your card physically out of your wallet and using it w/o your permissin and then you call in when you see the bill that you never ordered $100 from iTunes or bought any cool sneakers at the mall.
That's probably more common than a lot of the other frauds you imagine.
A lot of these techniques at least prove that *someone* had your card physically if they suspect this was not fraud but, rather, "unauthorized use".
People will also try to deny charges they simply regret, like a night at a bar with strippers particularly that one in the blue hot pants, who the h*** KNEW she got $300 for a lap dance and $50/glass for the Kristal, doesn't seem fair not fair at all...it's some backpressure.
-- -Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard <web@typo.org> wrote:
The main weakness of CVV2 these days is "form history" in browsers. (auto complete).
Any website requesting a CVV2 in a form field without the form history/autocomplete being disabled is in breach of PCI compliance, and risks losing their ability to accept credit cards. That's not to say there aren't some that do it, but to call this the "main weakness" of CVV2 is simply wrong. Scott
On Sat, Jun 09, 2012 at 02:34:03PM -0700, Scott Howard wrote:
On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard <web@typo.org> wrote:
The main weakness of CVV2 these days is "form history" in browsers. (auto complete).
Any website requesting a CVV2 in a form field without the form history/autocomplete being disabled is in breach of PCI compliance, and risks losing their ability to accept credit cards.
And convenience trumps pseudo-security yet again; Chrom(ium) asks me if I want to save my CC details when I put them in (to which I tell it not just "no", but "are you *nuts*?"); presumably this is on forms which include autocomplete=off, since it happens often enough. So I would assume that this PCI compliance tickbox is being ignored by browsers. Whee! - Matt -- Ruby's the only language I've ever used that feels like it was designed by a programmer, and not by a hardware engineer (Java, C, C++), an academic theorist (Lisp, Haskell, OCaml), or an editor of PC World (Python). -- William Morgan
On 2012-06-09, at 10:56, Owen DeLong <owen@delong.com> wrote:
How does having the CVV number prove the card is in my possession? It doesn't, it merely proves you must have handled the card physically at some point since storing that value in a database is forbidden. [snip] Someone must have something in a database that can easily derive the CVV2 number; otherwise there would be no way for it to be verified that the correct number has been presented, there's really no hashing scheme for 3-digit numbers
On 6/9/12, Alexandre Carmel-Veilleux <acv@miniguru.ca> wrote: that cannot be trivially brute-forced, once any salting procedure is known by an attacker. I bet there is at least one small retailer out there who takes phone orders and gathers CVV2, and at least one POS software developer out there who is unaware of, has ignored, or has intentionally/unintentionally disobeyed the rule about never storing CVV2 values in a database, and does at least one of these things: transmits it without storing but fails to encrypt it (e.g. number sent to a backend with unencrypted XMLRPC transaction), records it in a database, e-mails the data internally, puts it in a spreadsheet, and stores it as data at rest (encrypted it or not), and fails to scrub it, eg deleted but not overwritten file on a computer, file on a share, e-mail saved in a folder, writes it down, or otherwise misappropriates the CVV2 value together with the CC# and Expdate. In other words CVV2 is a "weak" physical "proof" mechanism that only works if all parties involved obey the rules perfectly without error, even parties such as merchants who are not necessarily trustworthy, but even if trustworthy may also have kept record of CVV2 CC Expdate by accident, poor process, or failure of staff to follow established procedures for the handling of the data. -- -JH
On Sat, Jun 9, 2012 at 2:25 PM, Jimmy Hess <mysidia@gmail.com> wrote:
Someone must have something in a database that can easily derive the CVV2 number;
There is no way to "derive" the CVV2 number. It is little more than a random number assigned to the card.
otherwise there would be no way for it to be verified that the correct number has
It is verified by comparing it to the known CVV2 number stored by the credit card company/bank that issued the card.
I bet there is at least one small retailer out there who takes phone orders and gathers CVV2, and at least one POS software developer out there who is unaware of, has ignored, or has intentionally/unintentionally disobeyed the rule about never storing CVV2 values in a database,
Gathering CVV2 number over the phone is completely valid. It's even valid to write them down, as long as they are destroyed as soon as the transaction has been completed. Of course there are people that disobey/ignore/don't know the rules - no level of security will ever be perfect in this regards - it's all about making the security better and reducing the rate of fraud/chargebacks.
In other words CVV2 is a "weak" physical "proof" mechanism that only works if all parties involved obey the rules perfectly without error,
Correct. It's a "weak" physical "proof" mechanism that has succeed in having a very significant reduction in fraudulent transactions/chargebacks across pretty much the entire industry. Remind me again what your point was? Scott
On 9 June 2012 22:42, Scott Howard <scott@doc.net.au> wrote:
There is no way to "derive" the CVV2 number. It is little more than a random number assigned to the card. [...] It is verified by comparing it to the known CVV2 number stored by the credit card company/bank that issued the card.
I don't think this is correct - I believe the Wikipedia entry is accurate: ---snip--- CVC1, CVV1, CVC2 and CVV2 values are generated when the card is issued. The values are calculated by encrypting the bank card number (also known as the primary account number or PAN), expiration date and service code with encryption keys (often called Card Verification Key or CVK) known only to the issuing bank, and decimalising the result ---snip--- http://en.wikipedia.org/wiki/Cvv2 I suspect the issuing banks can share their CVKs with the card scheme operators (Visa, MC, Amex) if they want them to validate transactions on their behalf. Aled
On June 9, 2012 at 16:25 mysidia@gmail.com (Jimmy Hess) wrote:
I bet there is at least one small retailer out there who takes phone orders and gathers CVV2, and at least one POS software developer out there who is unaware of, has ignored, or has...
Yes, but there are also penalties, including loss of merchant account and, I believe, fines, in the contract.
In other words CVV2 is a "weak" physical "proof" mechanism that only works if all parties involved obey the rules perfectly without error,
Not at all, even if someone does store CVV2s in violation of their contract they would ALSO have to be revealed to an evildoer to cause any harm. And even then the evildoer has to leap any other security barriers. Probabilities, all about probabilities, and percentages. You're making the best the enemy of the good. We aren't dealing with military secrets here where one leak can undo all tactical advantage. We're dealing with fraudulent credit card charges where some amount of loss is considered acceptable and one just tries to minimize those losses. The goal is cost/benefit analysis, minimize losses while allowing the overall system to function as friction-free as possible, and doing that within a reasonable cost framework of around 1%-3% per transaction. No different than router bugs etc, if one packet in a billion (whatever) is dropped purely due to a software bug that may be acceptable for a $10K router if the other alternative is to hand-verify every line of code making the router cost $100K. I think this all may be more operationally relevant than some might protest, some here seem to have funny ideas about cost-benefits and security which maybe can at least be shaken loose a bit. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Something else rarely considered in these discussions is that the cost of handling cash is upwards of 4%, particularly for larger operations like supermarkets. Someone has to be paid to count it, wrap it (or the bank will charge you to do that), often you have a security service pick it up to bring it to the bank which costs money, and of course there's theft of all sorts possible, cash is cash, counterfeit bills, etc. I guess it's a sunk cost so hard to factor into any single transaction, but it does add up or did back when most sales were cash. Until the early 90s (or thereabouts) it was illegal by state law to take credit cards at supermarkets in Massachusetts for example tho checks w/ id were ok, pain the neck, I remember it well. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
How does having the CVV number prove the card is in my possession?
I have memorized the CVV in addition to the 16 digits of the cards I commonly use and routinely enter them into online ordering without retrieving the card.
What prevents a fraudster from writing the CVV down along with the other card data?
Nothing, but lots of fraud scenarios don't involve a bad actor taking physical posession of your card: magstripe skimmers and charge-slip carbons being only 2 off-hand examples. Clearly, the percentage of fraud it blocks is more than the amount it costs. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
On Jun 9, 2012, at 1:36 PM, Jay Ashworth wrote:
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
How does having the CVV number prove the card is in my possession?
I have memorized the CVV in addition to the 16 digits of the cards I commonly use and routinely enter them into online ordering without retrieving the card.
What prevents a fraudster from writing the CVV down along with the other card data?
Nothing, but lots of fraud scenarios don't involve a bad actor taking physical posession of your card: magstripe skimmers and charge-slip carbons being only 2 off-hand examples. Clearly, the percentage of fraud it blocks is more than the amount it costs.
The skimmers can use CVV1 and bypass the CVV2 protection in most cases (though that requires them to gen up a fake or fraudulent card and do card present transactions which does add risk for them). I haven't seen a charge slip carbon in so long that I find it hard to believe these would remain a significant factor today. It costs almost nothing, so a few fraudulent transactions blocked is probably enough. That doesn't change the fact that I believe there have to be more effective methods that wouldn't cost much more. Owen
On Sun, Jun 10, 2012 at 8:02 AM, Owen DeLong <owen@delong.com> wrote: ....
The skimmers can use CVV1 and bypass the CVV2 protection in most cases (though that requires them to gen up a fake or fraudulent card and do card present transactions which does add risk for them).
Not so much for them, but the sacrificial mules that go to the (physical) stores (and the mules, at best, know the location to meet their handler, who is not even the person/group responsible for the acquisition of the numbers, but just another middle person).
It costs almost nothing, so a few fraudulent transactions blocked is probably enough. That doesn't change the fact that I believe there have to be more effective methods that wouldn't cost much more.
One of the CC industry "think tanks" (the think tank part of first data; to be honest, I am not sure that part still exists) has proposed various alternatives over the years (including a true non-traceable cash type of CC alternative that was sort of appealing), but the priority of the banks continues to be to insure convenience (with minimal losses for the banks), and almost all the of the alternative involved some sort of additional inconvenience to the customer. If you can come up with a good alternative, there are many many millions to be made. I am not smart enough to be able to come up with a clearly better alternative (other than a personal optimization to remember all the CC numbers, including the CVV2, as you stated you do). Gary
participants (15)
-
Aled Morris -
Alexandre Carmel-Veilleux -
Barry Shein -
Gary Buhrmaster -
Hal Murray -
Jay Ashworth -
Jimmy Hess -
Joel Maslak -
John Adams -
Lynda -
Matthew Palmer -
Owen DeLong -
Scott Howard -
Stephen Sprunk -
Wayne E Bouchard