CVV numbers

In response to my comment about:

If I'm not supposed to not "tell anyone", why is it even printed where I can read it?

(Sorry for the extra not in there.)

I got an off list suggestion of:
  http://www.cvvnumber.com/

It looks reasonable.

But then, whois for cvvnumber.com says:

Registrant:
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

Should I really take them seriously?

Your call.

That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a skimmer from being able to do mail-order/internet-order with your card number. The CVV is not on the magnetic strip, so a skimmer installed at the ATM or gas pump won't be able to capture it.

There's a similar value on the magnetic strip that keeps the internet site you gave your card number and CVV to from being able to print cards and use them at the gas pump.

Certainly they don't stop all fraud. They stop one type of fraud.

> In response to my comment about:
>
> If I'm not supposed to not "tell anyone", why is it even printed where I can read it?
>
> (Sorry for the extra not in there.)

The CVV number is simply to prove that the card is in your possession. The percentage of the sale that goes to Amex/Visa/Mastercard/Discover (etc) is determined by whether the merchant can supply various items, and the CVV is one of them. Running the card physically (where the merchant touches your card, and presumably verifies that you are you) gets taxed the lowest. The CVV is just meant to replace that verification. Sort of. I disapprove *strongly* of any online merchant that does not request this simple item, but it's not magic.

> I got an off list suggestion of:
>    http://www.cvvnumber.com/
>
> It looks reasonable.
>
> But then, whois for cvvnumber.com says:
>
> Registrant:
>     Domains By Proxy, LLC
>
> Should I really take them seriously?

No. No you should not. Here's the canonical Wikipedia entry, for those still playing along.

There are a few more grown-up words there. The best part is that it's a public algorithm. What's not to like?

> > In response to my comment about:
> >
> > If I'm not supposed to not "tell anyone", why is it even printed where I can read it?
> >
> > (Sorry for the extra not in there.)
>
> The CVV number is simply to prove that the card is in your possession. The percentage of the sale that goes to Amex/Visa/Mastercard/Discover (etc) is determined by whether the merchant can supply various items, and the CVV is one of them. Running the card physically (where the merchant touches your card, and presumably verifies that you are you) gets taxed the lowest. The CVV is just meant to replace that verification. Sort of. I disapprove *strongly* of any online merchant that does not request this simple item, but it's not magic.

How does having the CVV number prove the card is in my possession?

I have memorized the CVV in addition to the 16 digits of the cards I commonly use and routinely enter them into online ordering without retrieving the card.

What prevents a fraudster from writing the CVV down along with the other card data?

Sure, the CVV (in the case of CVV2) may not be included in the computer-readable mag-stripe or in swipe transactions, but I really don't see how CVV does anything to prove physical possession of the card at the time of the transaction (or at any time, in fact).

> > I got an off list suggestion of:
> >   http://www.cvvnumber.com/
> >
> > It looks reasonable.
> >
> > But then, whois for cvvnumber.com says:
> >
> > Registrant:
> >    Domains By Proxy, LLC
> >
> > Should I really take them seriously?
>
> No. No you should not. Here's the canonical Wikipedia entry, for those still playing along.
>
> Luhn algorithm - Wikipedia

Luhn seems to apply to the check digit (last of the (usually) 16 digits) on the face of the credit card and not to the CVV value.

Owen

It doesn't, it merely proves you must have handled the card physically at some point since storing that value in a database is forbidden.

Verified by Visa and the MasterCard equivalent actually "prove" that you are the rightful card holder. Unlike CVV numbers, they actually exempt the merchant from chargebacks (or did circa 2003).

Alex

> > Should I really take them seriously?
>
> Your call.
>
> That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a skimmer from being able to do mail-order/internet-order with your card number. The CVV is not on the magnetic strip, so a skimmer installed at the ATM or gas pump won't be able to capture it.

This is CVV2; it is printed (but not embossed) on the card but not on
the magstripe. This is requested by online merchants to "prove" that
the card is in the customer's possession, since it won't show up on
carbons, receipts, etc. and in theory will never be stored by any
merchant (unlike the account number, expiration date, etc.).

> There's a similar value on the magnetic strip that keeps the internet site you gave your card number and CVV to from being able to print cards and use them at the gas pump.

This is CVV1; it is on the magstripe but not printed on the card; this
is how brick-and-mortar merchants can "prove" that your card was in the
merchant's possession ("card present"), i.e. swiped rather than entered
by hand.

> Certainly they don't stop all fraud. They stop one type of fraud.

The two codes are targeted at very different types of fraud. What they
have in common is that submitting either a CVV1 or CVV2 number enables
merchants to get a better discount rate on their transactions. Given
the low margins in many industries, this can make the difference between
making a profit and losing money on a sale, which is why many merchants
refuse transactions without CVV1 or CVV2. Merchants in industries with
higher margins often don't care; they'll submit CVV1 or CVV2 when
convenient, but they won't let not having them block the sale.

S

Before the days of online transactions, how many people even knew a
portion of their CC let alone the verification tag?

The main weakness of CVV2 these days is "form history" in browsers.
(auto complete). Now, if someone can get onto your PC, they not only
get the credit card number (which there are myriad different ways to
get) but the CVV as well so that mechanism is, now, all but useless.
Add to that the fact online merchants don't even have to appear in the
same country, let alone region, and the "location of purchase relative
to the home residence of the user" doesn't mean much either so can't
act as an effective secondary if the information were to be captured.

Just like all other forms of security and fraud protection that we in
the online community try to enable, eventually something comes along
that makes the job a lot harder. Having these mechanisms is better
than not having them but there will never be a perfect system.

-Wayne

Oh c'mon, all but useless? Look at all the ifs/ands/buts. They need
access to your form history which actually is useless if the
merchant's form just uses a password-type field, etc.

Yeah, a lot of these techniques are useless if your computer etc is
completely pwned. But they help if you're not.

Credit card fraud prevention is all about percentages, not absolutes.

Even just requiring a valid credit card number and expiration date and
nothing else probably prevents, I dunno, 98%+ of all potential fraud,
probably 99%+.

The rest is about squeezing down that last percentage point or two and
generally discouraging crooks from trying.

One of the PITA frauds credit card companies deal with is someone in
the household, like your teenage kid, taking your card physically out
of your wallet and using it w/o your permission and then you call in
when you see the bill that you never ordered $100 from iTunes or
bought any cool sneakers at the mall.

That's probably more common than a lot of the other frauds you imagine.

A lot of these techniques at least prove that *someone* had your card
physically if they suspect this was not fraud but, rather,
"unauthorized use".

People will also try to deny charges they simply regret, like a night
at a bar with strippers particularly that one in the blue hot pants,
who the h*** KNEW she got $300 for a lap dance and $50/glass for the
Kristal, doesn't seem fair not fair at all...it's some backpressure.

There is a reason part of most scanners that verify the PCI standard look
for autocomplete=off on credit card number and cvv2 fields. This is
specifically it.

-j
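As an added example (not code from the thread or from any real PCI scanner), here is a scanner-style check of the kind -j describes: it parses a checkout form and flags card-number and CVV2 inputs whose effective autocomplete value is not "off", honouring a form-level autocomplete attribute. The field-name patterns and the sample form are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed name/id patterns for card number and card security code fields.
CARD_FIELD = re.compile(r"(cvv|cvc|csc|security.?code|card.?(number|no|num)|\bpan\b)", re.I)


class CardFieldScanner(HTMLParser):
    """Collect card-data inputs and whether form history is disabled for them."""

    def __init__(self) -> None:
        super().__init__()
        self._form_autocomplete = []  # stack: autocomplete value of each open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_autocomplete.append(attr.get("autocomplete", "").lower())
            return
        if tag != "input":
            return
        label = " ".join(attr.get(k, "") for k in ("name", "id")).strip()
        if not CARD_FIELD.search(label):
            return
        # An input's own autocomplete attribute overrides the enclosing form's.
        own = attr.get("autocomplete", "").lower()
        inherited = self._form_autocomplete[-1] if self._form_autocomplete else ""
        effective = own or inherited
        self.findings.append({
            "field": label,
            "type": attr.get("type", "text").lower() or "text",
            "autocomplete": effective or "(unset)",
            "ok": effective == "off",
        })

    def handle_endtag(self, tag):
        if tag == "form" and self._form_autocomplete:
            self._form_autocomplete.pop()


def scan_form(html: str) -> list:
    """Return one finding per card-data input; 'ok' is False where history is allowed."""
    scanner = CardFieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample checkout form: the card number field is left open to form history.
SAMPLE_FORM = """
<form action="/pay" method="post">
  <input type="text" name="cardholder">
  <input type="text" name="card_number">
  <input type="password" name="cvv2" autocomplete="off">
  <input type="text" id="expiry" autocomplete="cc-exp">
</form>
"""
```

The check only reports what the markup declares; a browser that ignores autocomplete=off on card fields, as Matt describes later in the thread, will offer to save them anyway.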

Nothing, but lots of fraud scenarios don't involve a bad actor taking
physical possession of your card: magstripe skimmers and charge-slip
carbons being only 2 off-hand examples. Clearly, the percentage of fraud
it blocks is more than the amount it costs.

Cheers,
-- jra

[snip]
Someone must have something in a database that can easily derive the
CVV2 number; otherwise there would be no way for it to be verified that
the correct number has been presented. There's really no hashing scheme
for 3-digit numbers that cannot be trivially brute-forced, once any
salting procedure is known by an attacker.

I bet there is at least one small retailer out there who takes phone
orders and gathers CVV2, and at least one POS software developer out
there who is unaware of, has ignored, or has
intentionally/unintentionally disobeyed the rule about never storing
CVV2 values in a database, and does at least one of these things:
transmits it without storing but fails to encrypt it (e.g. number sent
to a backend with unencrypted XMLRPC transaction), records it in a
database, e-mails the data internally, puts it in a spreadsheet, and
stores it as data at rest (encrypted or not), and fails to scrub
it, e.g. a deleted but not overwritten file on a computer, a file on a
share, e-mail saved in a folder, writes it down, or otherwise
misappropriates the CVV2 value together with the CC# and Expdate.

In other words CVV2 is a "weak" physical "proof" mechanism that only
works if all parties involved obey the rules perfectly without error,
even parties such as merchants who are not necessarily trustworthy,
but even if trustworthy may also have kept record of CVV2 CC Expdate
by accident, poor process, or failure of staff to follow
established procedures for the handling
of the data.

No, it's to stop more than one type of fraud - however your point is
correct in that it's not designed to stop *all* fraud, it's just one of
many layers of prevention.

In addition to the one you've mentioned, the CVV2 also stops the card from
being fraudulently used in any situation where the card number has been
leaked, such as a database of card numbers being hacked, a receipt with the
full number on it (rare if at all existent these days), etc. The rules on
CVV2 numbers basically say that the number can never be recorded by the
merchant after the transaction has been processed, which pretty much means
that they can't store it at all in any form. If a database is hacked, the
CVV2 number will not be there.

  Scott

Any website requesting a CVV2 in a form field without the form
history/autocomplete being disabled is in breach of PCI compliance, and
risks losing their ability to accept credit cards.

That's not to say there aren't some that do it, but to call this the "main
weakness" of CVV2 is simply wrong.

  Scott

> Someone must have something in a database that can easily derive the
> CVV2 number;

There is no way to "derive" the CVV2 number. It is little more than a
random number assigned to the card.

> otherwise there would be no way for it to be verified that the correct
> number has

It is verified by comparing it to the known CVV2 number stored by the
credit card company/bank that issued the card.

> I bet there is at least one small retailer out there who takes phone
> orders and gathers CVV2, and at least one POS software developer out
> there who is unaware of, has ignored, or has
> intentionally/unintentionally disobeyed the rule about never storing
> CVV2 values in a database,

Gathering CVV2 number over the phone is completely valid. It's even valid
to write them down, as long as they are destroyed as soon as the
transaction has been completed. Of course there are people that
disobey/ignore/don't know the rules - no level of security will ever be
perfect in this regard - it's all about making the security better and
reducing the rate of fraud/chargebacks.

> In other words CVV2 is a "weak" physical "proof" mechanism that only
> works if all parties involved obey the rules perfectly without error,

Correct. It's a "weak" physical "proof" mechanism that has succeeded in
having a very significant reduction in fraudulent transactions/chargebacks
across pretty much the entire industry. Remind me again what your point
was?

  Scott

I don't think this is correct - I believe the Wikipedia entry is accurate:

---snip---
CVC1, CVV1, CVC2 and CVV2 values are generated when the card is issued. The
values are calculated by encrypting the bank card number (also known as the
primary account number or PAN), expiration date and service code with
encryption keys (often called Card Verification Key or CVK) known only to
the issuing bank, and decimalising the result
---snip---
http://en.wikipedia.org/wiki/Cvv2

I suspect the issuing banks can share their CVKs with the card scheme
operators (Visa, MC, Amex) if they want them to validate transactions on
their behalf.

Aled
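As an added illustration (not code from the thread, from Wikipedia, or from any issuer), here is the shape of the keyed scheme Aled quotes, next to the Luhn check Owen mentions. HMAC-SHA256 stands in for the issuer's DES-based CVK encryption, which the thread does not detail, and the PAN, expiry, service codes and key are constructed test values; the point is that the Luhn digit is computable from the PAN alone while the verification value is not computable without the issuing bank's key.

```python
import hmac
import hashlib


def luhn_check_digit(pan_body: str) -> str:
    """Luhn check digit for the PAN digits that precede it (a public algorithm)."""
    total = 0
    # Walk right to left; the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(pan_body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit of the PAN is its Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def decimalise(digest: bytes, length: int = 3) -> str:
    """Decimalise as in the quoted description: decimal hex digits first,
    then a-f mapped to 0-5 only if fewer than `length` digits were found."""
    hexstr = digest.hex()
    digits = [c for c in hexstr if c.isdigit()]
    if len(digits) < length:
        digits += [str(int(c, 16) - 10) for c in hexstr if not c.isdigit()]
    return "".join(digits[:length])


def card_verification_value(cvk: bytes, pan: str, expiry_yymm: str, service_code: str) -> str:
    """Issuer side: keyed function of PAN, expiry and service code, decimalised.

    HMAC-SHA256 is a stand-in for the DES/CVK construction (assumption).
    In this example CVV1 and CVV2 come from different service codes, so the
    magstripe value does not reveal the printed one, or vice versa.
    """
    material = f"{pan}|{expiry_yymm}|{service_code}".encode()
    return decimalise(hmac.new(cvk, material, hashlib.sha256).digest())


def issuer_verifies(cvk: bytes, pan: str, expiry_yymm: str, service_code: str, presented: str) -> bool:
    """Recompute under the key and compare; the issuer stores the key, not the CVV."""
    expected = card_verification_value(cvk, pan, expiry_yymm, service_code)
    return hmac.compare_digest(expected, presented)


# Constructed test values; 4111111111111111 is a well-known Luhn-valid test PAN.
ISSUER_CVK = b"constructed-demo-cvk-not-a-real-key"
PAN, EXPIRY = "4111111111111111", "2712"
CVV1 = card_verification_value(ISSUER_CVK, PAN, EXPIRY, "201")  # magstripe value
CVV2 = card_verification_value(ISSUER_CVK, PAN, EXPIRY, "000")  # printed value
```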

And convenience trumps pseudo-security yet again; Chrom(ium) asks me if I want
to save my CC details when I put them in (to which I tell it not just "no",
but "are you *nuts*?"); presumably this is on forms which include
autocomplete=off, since it happens often enough. So I would assume that
this PCI compliance tickbox is being ignored by browsers. Whee!

- Matt

The skimmers can use CVV1 and bypass the CVV2 protection in most
cases (though that requires them to gen up a fake or fraudulent card and
do card present transactions which does add risk for them).

I haven't seen a charge slip carbon in so long that I find it hard to believe
these would remain a significant factor today.

It costs almost nothing, so a few fraudulent transactions blocked is probably
enough. That doesn't change the fact that I believe there have to be more
effective methods that wouldn't cost much more.

Owen

> I bet there is at least one small retailer out there who takes phone
> orders and gathers CVV2, and at least one POS software developer out
> there who is unaware of, has ignored, or has...

Yes, but there are also penalties, including loss of merchant account
and, I believe, fines, in the contract.

>
> In other words CVV2 is a "weak" physical "proof" mechanism that only
> works if all parties involved obey the rules perfectly without error,

Not at all, even if someone does store CVV2s in violation of their
contract they would ALSO have to be revealed to an evildoer to cause
any harm. And even then the evildoer has to leap any other security
barriers.

Probabilities, all about probabilities, and percentages.

You're making the best the enemy of the good.

We aren't dealing with military secrets here where one leak can undo
all tactical advantage.

We're dealing with fraudulent credit card charges where some amount of
loss is considered acceptable and one just tries to minimize those
losses.

The goal is cost/benefit analysis, minimize losses while allowing the
overall system to function as friction-free as possible, and doing
that within a reasonable cost framework of around 1%-3% per
transaction.

No different than router bugs etc, if one packet in a billion
(whatever) is dropped purely due to a software bug that may be
acceptable for a $10K router if the other alternative is to
hand-verify every line of code making the router cost $100K.

I think this all may be more operationally relevant than some might
protest, some here seem to have funny ideas about cost-benefits and
security which maybe can at least be shaken loose a bit.

Something else rarely considered in these discussions is that the cost
of handling cash is upwards of 4%, particularly for larger operations
like supermarkets. Someone has to be paid to count it, wrap it (or the
bank will charge you to do that), often you have a security service
pick it up to bring it to the bank which costs money, and of course
there's theft of all sorts possible, cash is cash, counterfeit bills,
etc.

I guess it's a sunk cost so hard to factor into any single
transaction, but it does add up or did back when most sales were
cash. Until the early 90s (or thereabouts) it was illegal by state law
to take credit cards at supermarkets in Massachusetts for example tho
checks w/ id were ok, pain in the neck, I remember it well.

....

> The skimmers can use CVV1 and bypass the CVV2 protection in most
> cases (though that requires them to gen up a fake or fraudulent card and
> do card present transactions which does add risk for them).

Not so much for them, but the sacrificial mules that go to the (physical)
stores (and the mules, at best, know the location to meet their handler,
who is not even the person/group responsible for the acquisition of the
numbers, but just another middle person).

> It costs almost nothing, so a few fraudulent transactions blocked is probably
> enough. That doesn't change the fact that I believe there have to be more
> effective methods that wouldn't cost much more.

One of the CC industry "think tanks" (the think tank part of first data; to
be honest, I am not sure that part still exists) has proposed various
alternatives over the years (including a true non-traceable cash type of
CC alternative that was sort of appealing), but the priority of the banks
continues to be to ensure convenience (with minimal losses for the banks),
and almost all of the alternatives involved some sort of additional
inconvenience to the customer. If you can come up with a good alternative,
there are many many millions to be made. I am not smart enough to
be able to come up with a clearly better alternative (other than a
personal optimization to remember all the CC numbers, including the
CVV2, as you stated you do).

Gary