Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-09 Thread Mark Tinka


On 9/Nov/18 20:26, Bill Woodcock wrote:

> That was true a few years ago, but it’s been at least a year since I’ve seen 
> a swipe anywhere.  The change happened quite quickly.  It’s all been chip, or 
> chip-and-pin, for at least a year.

In the last 2 years, I've seen the rise of PIN-based transactions in the
U.S., and this is great.

But between San Diego, San Jose, San Francisco, Chicago, Hawaii and
Seattle for my 2017/2018 U.S. visits, there are just about as many
merchants supporting PIN's as there are that don't.

Mark.




Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-09 Thread Bill Woodcock


> On Nov 8, 2018, at 1:11 AM, Mark Tinka  wrote:
> It has always been curious to me how/why the U.S., with one of the
> largest economies in the world, still do most card-based transactions as
> a swipe in lieu of a PIN-based approach.

That was true a few years ago, but it’s been at least a year since I’ve seen a 
swipe anywhere.  The change happened quite quickly.  It’s all been chip, or 
chip-and-pin, for at least a year.

-Bill





Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-09 Thread Chris Adams
Once upon a time, Stephen Satchell  said:
> On 11/08/2018 07:50 PM, Chris Adams wrote:
> > Signatures are no longer required for chip card transactions in the US,
> > except I think for transactions where the auth is done on the amount
> > before an added tip (restaurants).
> 
> Signatures are required for chip card transactions above a certain
> dollar amount, with that dollar amount varying from merchant to
> merchant.  I ran into this at the Sprint store when I used a chip card
> to pay $800+ for my company's overdue wireless bill, and I had to apply
> pen to paper by hand.  And I didn't do my usual response to "sign here":
> draw a triangle and put "yield" in it.

That's just because Sprint wanted it, not the credit card company.  For
example with VISA, the signature is "optional" for chip transactions, no
matter the amount, but the retailer can still require it if they want
(because they want to annoy customers I guess?).

https://www.theverge.com/2018/1/12/16884814/visa-chip-emv-signatures-north-america-credit-card-april-2018

-- 
Chris Adams 


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-09 Thread Stephen Satchell
On 11/08/2018 07:50 PM, Chris Adams wrote:
> Signatures are no longer required for chip card transactions in the US,
> except I think for transactions where the auth is done on the amount
> before an added tip (restaurants).

Signatures are required for chip card transactions above a certain
dollar amount, with that dollar amount varying from merchant to
merchant.  I ran into this at the Sprint store when I used a chip card
to pay $800+ for my company's overdue wireless bill, and I had to apply
pen to paper by hand.  And I didn't do my usual response to "sign here":
draw a triangle and put "yield" in it.


Re: CVV

2018-11-09 Thread Alain Hebert

Well,

Older pump station installations (and maybe new ones) use RS-232/442
to communicate in clear text with their controller in the building.

Easy to tap to skim Track 1/Track 2 of the CHD, which is good for duping
cards.

Now to get the physical CVV you need a physical skimmer installed
on top of the pump, which is where your Bluetooth comes into action.

With those you can dup cards and make "Card Not Present" transactions (aka
Internet).

It is a risk/reward thing.

PS: Laziness is pretty much the greatest threat.  EU/CAN/etc are
all CHIP while some other economies still refuse to spend that extra $1
per card :(

-
Alain Hebert                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 11/08/18 22:50, Chris Adams wrote:
> Once upon a time, Scott Christopher  said:
> > Swipe-and-sign (and now just swipe for small amounts) is for Visa, Mastercard,
> > Discover transactions (called credit)
>
> Signatures are no longer required for chip card transactions in the US,
> except I think for transactions where the auth is done on the amount
> before an added tip (restaurants).
>
> > Skimming and card fraud is actually uncommon in the U.S. these days, and the police are
> > very effective at combating it. It's just cheaper for the industry to eat fraud losses
> > than to "upgrade" systems. The transition to chip-based cards was a debacle.
>
> Skimming is still highly active at gas pumps, where chip support was
> pushed off (current requirement I believe is late 2020, but may be
> delayed again).
>
> The skimmers get more creative all the time; they're getting inside
> pumps (possibly with help of low-paid station attendants, but also
> because of poor physical security) and installing the skimmer hardware
> out of sight.  The hardware has Bluetooth, so the bad guys just pull up
> and get gas and someone in the car can retrieve the data (from multiple
> pumps even).





Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Mark Tinka


On 9/Nov/18 02:22, Todd Underwood wrote:

>
> i generally find it amusing when people from other countries mock the
> US for not having PINs.  this is just another way of saying "my
> country has high fraud rates and yours appears not to."  :-) . you can
> see this in the comment below "If we were swipe-based here, we'd all be
> broke :-).".  the payments systems are architected to minimize cost
> and maximize adoption and they are usually at (or moving towards) some
> locally optimal point.  the US is no exception in that.

That was me - and "low" (fraud rates) is not "zero" (fraud rates).

Personally, I don't want to add to the statistic. The inconvenience
isn't worth the bragging right :-)...

Mark.


Re: CVV

2018-11-08 Thread Simon Leinen
Todd Underwood writes:
> [interesting and plausible reasoning about why no chip in US]
> anyway, let's talk about networks, no?

This topic is obviously "a little" off-topic, but I find some
contributions (like yours) relevant for understanding adoption dynamics
(or not) of proposed security mechanisms on the Internet (RPKI, route
filtering in general, DNSSEC etc.).

In general the regulatory environment in the Internet is quite different
from that of the financial sector.  But I guess credit-card security
trade-offs are still made mostly by private actors.
(Maybe they sometimes discuss BGP security on their mailing lists :-)
-- 
Simon.


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Chris Adams
Once upon a time, Scott Christopher  said:
> Swipe-and-sign (and now just swipe for small amounts) is for Visa, 
> Mastercard, Discover transactions (called credit)

Signatures are no longer required for chip card transactions in the US,
except I think for transactions where the auth is done on the amount
before an added tip (restaurants).

> Skimming and card fraud is actually uncommon in the U.S. these days, and the 
> police are very effective at combating it. It's just cheaper for the industry 
> to eat fraud losses than to "upgrade" systems. The transition to chip-based 
> cards was a debacle.

Skimming is still highly active at gas pumps, where chip support was
pushed off (current requirement I believe is late 2020, but may be
delayed again).

The skimmers get more creative all the time; they're getting inside
pumps (possibly with help of low-paid station attendants, but also
because of poor physical security) and installing the skimmer hardware
out of sight.  The hardware has Bluetooth, so the bad guys just pull up
and get gas and someone in the car can retrieve the data (from multiple
pumps even).

-- 
Chris Adams 


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Todd Underwood
This is a confusing and off-topic discussion with respect to network
engineering.

But for completeness:

Payments systems are architected by fraud rates, not by isolated security
requirements or engineering mandates, as i think most network engineers can
understand.

The fraud rates in the US for credit card transactions were historically
very, very low and being a large jurisdiction with a single national law
enforcement branch (the FBI) enforcement was effective.

Compare this to Europe in the 1980s when credit cards were accepted very
few places.  This was for two reasons:

1) the fraud rates were much, much higher, which created chargebacks for
merchants that they preferred not to eat;
2) trans-national enforcement was virtually nonexistent. interpol had ~zero
time to deal with credit card fraud.

so the best european fraud rings always operated from a different country
than where they perpetrated the fraud.

when chip-and-pin was introduced, the point was actually twofold:
A) security
B) shifting liability to the consumer

somewhat famously, even after chip-and-pin was proven compromised, UK banks
continued to make consumers liable for all fraudulent transactions that
were 'pin used'.  this was very, very good for the adoption of credit cards
in europe but it was very, very bad for a few people.  banks, as usual,
didn't care and made some decent money.

So why did the US get pin-and-signature?  Target.

International fraud rings finally got wise to the ripe opportunity that was
the soft underbelly of the US economy and figured out ways to perpetrate
massive, trans-national fraud in the US.  and as soon as that happened, the
US got chips.  the signature-vs-pin part is mostly about the fact that
there are *still* low rates of fraud here as tracked by chargeback rates
and as a result there's no real need to pay the cost of support to set
everyone up with a pin.

and that's what security is always all about:  cost tradeoffs.  people in
countries where everyone has a pin have eaten that cost already and had to
because the fraud rates were high enough to justify it.  people in the US
do not have PINs that they know and setting those up costs money and
maintaining people's access to them costs money.  so if that's not worth
it, it doesn't get done. nor should it.

i generally find it amusing when people from other countries mock the US
for not having PINs.  this is just another way of saying "my country has
high fraud rates and yours appears not to."  :-) . you can see this in the
comment below "If we were swipe-based here, we'd all be
broke :-).".  the payments systems are architected to minimize cost and
maximize adoption and they are usually at (or moving towards) some locally
optimal point.  the US is no exception in that.

now, the checking/chequing system is a whole other, embarrassing beast and
mocking that one is just the correct thing to do. :-)

anyway, let's talk about networks, no?

cheers,

t

On Thu, Nov 8, 2018, 19:07 Frank Bulk wrote:
> I have a low-cost/high interest rate account at one of the Canadian banks
> and each "assisted" transaction is $5.
>
> Frank
>
> -Original Message-
> From: NANOG  On Behalf Of Mark Tinka
> Sent: Thursday, November 08, 2018 3:35 AM
> To: George Michaelson 
> Cc: North American Network Operators' Group 
> Subject: Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
>
> 
> Speaking of "cost" as a motivator, in South Africa, most of the banks
> are now using extra fees as a way to force users to do their banking
> online (phone, laptop, app, e.t.c.). If you want to walk into a bank to
> deposit money, withdraw money, make a transfer, e.t.c., you pay for that
> service over and above, while the process costs you zero (0) when done
> online. This has led to banks now renovating banking halls into where
> there was once 23 tellers, you now have 1 service usher, 1 teller, 2
> support agents and 20 self-service computers.
>
> I hope the U.S. does catch-up. If we were swipe-based here, we'd all be
> broke :-). I know a number of major merchants in the U.S. now use PIN's,
> and I always stick to those when I travel there.
>
> Mark.
>
>
>
>


RE: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Frank Bulk
I have a low-cost/high interest rate account at one of the Canadian banks and
each "assisted" transaction is $5.

Frank 

-Original Message-
From: NANOG  On Behalf Of Mark Tinka
Sent: Thursday, November 08, 2018 3:35 AM
To: George Michaelson 
Cc: North American Network Operators' Group 
Subject: Re: CVV (was: Re: bloomberg on supermicro: sky is falling)



Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Scott Christopher
Mark Tinka wrote: 

> I hope the U.S. does catch-up. If we were swipe-based here, we'd all be
> broke :-). I know a number of major merchants in the U.S. now use PIN's,
> and I always stick to those when I travel there.

In the U.S., pin codes are required for EFTPOS transactions (called debit) over 
interbank networks like Pulse, STAR, etc

Swipe-and-sign (and now just swipe for small amounts) is for Visa, Mastercard, 
Discover transactions (called credit)

Skimming and card fraud is actually uncommon in the U.S. these days, and the 
police are very effective at combating it. It's just cheaper for the industry 
to eat fraud losses than to "upgrade" systems. The transition to chip-based 
cards was a debacle.

-- 
S.C.


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Mark Tinka



On 8/Nov/18 11:16, George Michaelson wrote:

> There are two parts of the problem. The first is the assumption of
> risk: the current model of operation in the US (like in other western
> economies) puts the onus of risk of misuse of the card on specific
> actors. When you change the basis from signature (fraud) to chip+pin
> (leak of knowledge) you have to change the legal basis. Remember, this
> is an economy where WRITING CHEQUES is still normal. Clearly, the
> legal basis of money transactions in the US is hugely complicated by
> savings and loan, credit unions, banks, state and federal law, taxes.
> We all have some of this worldwide, they have a LOT.
>
> Secondly, the cost basis. Who pays? In most of the world the regulator
> forced cost onto specific players because they could, and forced
> people to tool up because they could. But, the costs did have to get
> met. Some people paid more than others. In the US, for reasons not
> entirely unlike the first set, *making* people do things with cost
> incursion is remarkably difficult. Making the Walmart brothers re-fit
> every terminal, when they can go down to DC and buy votes to stop it
> happening, Making Bank of America spend money re-working its core
> finance models to suit online chip+pin when it can go down to Walmart
> and lean on the owners to go down to DC and buy votes...
>
> Seriously: It's not lack of clue. It's lack of intestinal political
> fortitude, and a very strange regulatory and federal/state model.

Shame, but I can see how this makes sense as to why things are the way
they are.

Speaking of "cost" as a motivator, in South Africa, most of the banks
are now using extra fees as a way to force users to do their banking
online (phone, laptop, app, e.t.c.). If you want to walk into a bank to
deposit money, withdraw money, make a transfer, e.t.c., you pay for that
service over and above, while the process costs you zero (0) when done
online. This has led to banks now renovating banking halls into where
there was once 23 tellers, you now have 1 service usher, 1 teller, 2
support agents and 20 self-service computers.

I hope the U.S. does catch-up. If we were swipe-based here, we'd all be
broke :-). I know a number of major merchants in the U.S. now use PIN's,
and I always stick to those when I travel there.

Mark.



Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread George Michaelson
There are two parts of the problem. The first is the assumption of
risk: the current model of operation in the US (like in other western
economies) puts the onus of risk of misuse of the card on specific
actors. When you change the basis from signature (fraud) to chip+pin
(leak of knowledge) you have to change the legal basis. Remember, this
is an economy where WRITING CHEQUES is still normal. Clearly, the
legal basis of money transactions in the US is hugely complicated by
savings and loan, credit unions, banks, state and federal law, taxes.
We all have some of this worldwide, they have a LOT.

Secondly, the cost basis. Who pays? In most of the world the regulator
forced cost onto specific players because they could, and forced
people to tool up because they could. But, the costs did have to get
met. Some people paid more than others. In the US, for reasons not
entirely unlike the first set, *making* people do things with cost
incursion is remarkably difficult. Making the Walmart brothers re-fit
every terminal, when they can go down to DC and buy votes to stop it
happening, Making Bank of America spend money re-working its core
finance models to suit online chip+pin when it can go down to Walmart
and lean on the owners to go down to DC and buy votes...

Seriously: It's not lack of clue. It's lack of intestinal political
fortitude, and a very strange regulatory and federal/state model.
On Thu, Nov 8, 2018 at 4:11 PM Mark Tinka  wrote:
>
>
>
> On 11/Oct/18 21:31, Chris Adams wrote:
>
> > Requiring an ID is also a violation of the merchant agreements, at least
> > for VISA and MasterCard (not sure about American Express), unless ID is
> > otherwise required by law (like for age-limited products).  I've walked
> > out of stores that required an ID.
>
> It has always been curious to me how/why the U.S., with one of the
> largest economies in the world, still do most card-based transactions as
> a swipe in lieu of a PIN-based approach.
>
> In South Africa (and most of southern Africa), all banks make the use of
> PIN's mandatory, for all types of cards. With the rest of Africa using
> credit cards more recently, I imagine they are also PIN-based.
>
> Europe also use PIN's, as far as I have experienced.
>
> Asia-Pac was swipe-based for a long time when I lived there, but I know
> places like Malaysia and Singapore have started a major PIN-based
> transaction drive in the past 3 years.
>
> 3D Secure for the online version of the transaction also means your card
> number and CVV number are less susceptible to fraud via restaurants and
> the like. Of course, this is not fool-proof, as both the merchant and
> bank need to support and mandate this, which is not well-done at a
> global level.
>
> Mark.
>
>


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Mark Tinka



On 11/Oct/18 21:31, Chris Adams wrote:

> Requiring an ID is also a violation of the merchant agreements, at least
> for VISA and MasterCard (not sure about American Express), unless ID is
> otherwise required by law (like for age-limited products).  I've walked
> out of stores that required an ID.

It has always been curious to me how/why the U.S., with one of the
largest economies in the world, still do most card-based transactions as
a swipe in lieu of a PIN-based approach.

In South Africa (and most of southern Africa), all banks make the use of
PIN's mandatory, for all types of cards. With the rest of Africa using
credit cards more recently, I imagine they are also PIN-based.

Europe also use PIN's, as far as I have experienced.

Asia-Pac was swipe-based for a long time when I lived there, but I know
places like Malaysia and Singapore have started a major PIN-based
transaction drive in the past 3 years.

3D Secure for the online version of the transaction also means your card
number and CVV number are less susceptible to fraud via restaurants and
the like. Of course, this is not fool-proof, as both the merchant and
bank need to support and mandate this, which is not well-done at a
global level.

Mark.




Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Chris Adams
Once upon a time, b...@theworld.com  said:
> But asking for photo id is a good thing for legitimate card holders,
> could reduce fraudulent in-person use of stolen cards.

Requiring an ID is also a violation of the merchant agreements, at least
for VISA and MasterCard (not sure about American Express), unless ID is
otherwise required by law (like for age-limited products).  I've walked
out of stores that required an ID.

-- 
Chris Adams 


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread bzs


On October 11, 2018 at 13:41 s...@ottie.org (Scott Christopher) wrote:
 > Robert Kisteleki wrote: 
 > 
 > > (this is probably OT now...)
 > > 
 > > > I'm pretty sure the "entire point" of inventing CVV was to prove you
 > > > physically have the card.
 > > 
 > > Except that it doesn't serve that purpose. Anyone who ever had your card
 > > in their hands (e.g. waiters) can just write that down and use it later
 > > hence defeating the purpose of "physically having the card". 
 > 
 > But waiters don't know your ZIP code which is the other thing needed for 
 > online verification (in the U.S.)

So be wary if they ask you for photo id which likely has your zip code!

But asking for photo id is a good thing for legitimate card holders,
could reduce fraudulent in-person use of stolen cards.

What a mess.

 > 3D Secure is good enough. It will probably be mandatory for payment 
 > processors sometime in the future. In the meantime, it just costs the 
 > industry less to cover fraud losses.
 > 
 > -- 
 > S.C.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread bzs


On October 11, 2018 at 10:17 rob...@ripe.net (Robert Kisteleki) wrote:
 > (this is probably OT now...)
 > 
 > > I'm pretty sure the "entire point" of inventing CVV was to prove you
 > > physically have the card.
 > 
 > Except that it doesn't serve that purpose. Anyone who ever had your card
 > in their hands (e.g. waiters) can just write that down and use it later
 > hence defeating the purpose of "physically having the card". (Call me
 > paranoid but I usually use a black pen to make the numbers unreadable
 > because of this, after my card (both sides) has been photocopied a
 > number of times...)

What you're saying is they don't work as well as you might hope, not
that they don't serve that purpose.

If you snatched 5M credit card numbers and expiration dates but, as
required by contract, there were no CVVs in that db, how well would
that work with sites which require a CVV for a transaction? Not well
at all. So there's a purpose.

Also, traditionally one's signature is on the back right next to that
CVV for a merchant to compare against which leaves forgery a mere
exercise in, well, forgery, since the example one has to reasonably
match is right there.

Which doesn't mean signatures don't work, it's just not much
protection against anyone who can reasonably forge a signature. But
many people can't or won't try; it discourages minor criminals like
your boyfriend using your card surreptitiously while you were sleeping.

They're also some reasonable evidence that the transaction was done in
person with the card in hand. I know some merchant contracts wouldn't
allow forgiveness (who eats the fraud) for charges w/o a signature
where their contract claims they only do in-person purchases which
gets them a lower rate.

There is a concern for merchant fraud also in all this, unfortunately
that's very tempting.

BUT IT'S ALL WORSE THAN THAT!

When I had a book of checks stolen (and reported) several turned up
used in major big box stores with information like driver's license
number, date of birth, etc neatly written on them tho none of that
info was mine.

I doubt they went to the trouble of counterfeiting a driver's license,
it's possible but this was small-time fraud.

My suspicion was they were in cahoots with the cashier, simplest
explanation, the cashier was a friend who probably got a cut.

So anything in the presumed chain of events can often be suborned.

 > This has always been an amusing topic. At the end of the day it's a
 > financial risk management call from the banks -- as long as they lose
 > less money on the current system than the cost of fraud, things will
 > not change. Of course, they try to push those costs onto others as much
 > as possible, but that doesn't change the bottom line.

I agree with this.

Quite a few years ago I was interviewed by a start-up manufacturer of
a big parallel "mini" to head their OS effort.

Something which came out in the conversation, which went on for hours!
(very pleasant tho), was that a major credit card company had pledged
in writing to buy $150M of their machines on day one of ship if they
could run a set of their anti-fraud algorithms quickly enough (their
spec) to be able to reject transactions in real time.

The company had done forensics and I think the estimate was if they
could have run those algorithms they would have saved them some big
number like $50K/hour in fraud. But they couldn't run them fast enough
to allow for reasonable transaction times.

And then ya sit around the bar thinking you know how this or that
startup is funded or why...that would not have been one of my guesses!

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Scott Christopher
Robert Kisteleki wrote: 

> (this is probably OT now...)
> 
> > I'm pretty sure the "entire point" of inventing CVV was to prove you
> > physically have the card.
> 
> Except that it doesn't serve that purpose. Anyone who ever had your card
> in their hands (e.g. waiters) can just write that down and use it later
> hence defeating the purpose of "physically having the card". 

But waiters don't know your ZIP code which is the other thing needed for online 
verification (in the U.S.)

3D Secure is good enough. It will probably be mandatory for payment processors 
sometime in the future. In the meantime, it just costs the industry less to 
cover fraud losses.

-- 
S.C.


CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Robert Kisteleki
(this is probably OT now...)

> I'm pretty sure the "entire point" of inventing CVV was to prove you
> physically have the card.

Except that it doesn't serve that purpose. Anyone who ever had your card
in their hands (e.g. waiters) can just write that down and use it later
hence defeating the purpose of "physically having the card". (Call me
paranoid but I usually use a black pen to make the numbers unreadable
because of this, after my card (both sides) has been photocopied a
number of times...)

This has always been an amusing topic. At the end of the day it's a
financial risk management call from the banks -- as long as they lose
less money on the current system than the cost of fraud, things will
not change. Of course, they try to push those costs onto others as much
as possible, but that doesn't change the bottom line.

Robert


Re: CVV numbers

2012-06-10 Thread Owen DeLong

On Jun 9, 2012, at 1:36 PM, Jay Ashworth wrote:

> - Original Message -
> From: Owen DeLong o...@delong.com
>
> > How does having the CVV number prove the card is in my possession?
> >
> > I have memorized the CVV in addition to the 16 digits of the cards I
> > commonly use and routinely enter them into online ordering without
> > retrieving the card.
> >
> > What prevents a fraudster from writing the CVV down along with the
> > other card data?
>
> Nothing, but lots of fraud scenarios don't involve a bad actor taking
> physical possession of your card: magstripe skimmers and charge-slip
> carbons being only 2 off-hand examples.  Clearly, the percentage of fraud
> it blocks is more than the amount it costs.

The skimmers can use CVV1 and bypass the CVV2 protection in most
cases (though that requires them to gen up a fake or fraudulent card and
do card present transactions which does add risk for them).

I haven't seen a charge slip carbon in so long that I find it hard to believe
these would remain a significant factor today.

It costs almost nothing, so a few fraudulent transactions blocked is probably
enough. That doesn't change the fact that I believe there have to be more
effective methods that wouldn't cost much more.

Owen




Re: CVV numbers

2012-06-10 Thread Barry Shein

On June 9, 2012 at 16:25 mysi...@gmail.com (Jimmy Hess) wrote:
> I bet there is at least one small retailer out there who takes phone
> orders and gathers CVV2, and at least one POS software developer out
> there who is unaware of, has ignored, or has...

Yes, but there are also penalties, including loss of merchant account
and, I believe, fines, in the contract.

>
> In other words CVV2 is a weak physical proof mechanism that only
> works if all parties involved obey the rules perfectly without error,

Not at all, even if someone does store CVV2s in violation of their
contract they would ALSO have to be revealed to an evildoer to cause
any harm. And even then the evildoer has to leap any other security
barriers.

Probabilities, all about probabilities, and percentages.

You're making the best the enemy of the good.

We aren't dealing with military secrets here where one leak can undo
all tactical advantage.

We're dealing with fraudulent credit card charges where some amount of
loss is considered acceptable and one just tries to minimize those
losses.

The goal is cost/benefit analysis, minimize losses while allowing the
overall system to function as friction-free as possible, and doing
that within a reasonable cost framework of around 1%-3% per
transaction.

No different than router bugs etc, if one packet in a billion
(whatever) is dropped purely due to a software bug that may be
acceptable for a $10K router if the other alternative is to
hand-verify every line of code making the router cost $100K.

I think this all may be more operationally relevant than some might
protest, some here seem to have funny ideas about cost-benefits and
security which maybe can at least be shaken loose a bit.


-- 
-Barry Shein

The World             | b...@theworld.com       | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD    | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet | SINCE 1989 *oo*



Re: CVV numbers

2012-06-10 Thread Barry Shein

Something else rarely considered in these discussions is that the cost
of handling cash is upwards of 4%, particularly for larger operations
like supermarkets. Someone has to be paid to count it, wrap it (or the
bank will charge you to do that), often you have a security service
pick it up to bring it to the bank which costs money, and of course
there's theft of all sorts possible, cash is cash, counterfeit bills,
etc.

I guess it's a sunk cost so hard to factor into any single
transaction, but it does add up or did back when most sales were
cash. Until the early 90s (or thereabouts) it was illegal by state law
to take credit cards at supermarkets in Massachusetts for example tho
checks w/ id were ok, pain the neck, I remember it well.

-- 
-Barry Shein

The World             | b...@theworld.com       | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD    | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet | SINCE 1989 *oo*



Re: CVV numbers

2012-06-10 Thread Gary Buhrmaster
On Sun, Jun 10, 2012 at 8:02 AM, Owen DeLong o...@delong.com wrote:

> The skimmers can use CVV1 and bypass the CVV2 protection in most
> cases (though that requires them to gen up a fake or fraudulent card and
> do card present transactions which does add risk for them).

Not so much for them, but the sacrificial mules that go to the (physical)
stores (and the mules, at best, know the location to meet their handler,
who is not even the person/group responsible for the acquisition of the
numbers, but just another middle person).

> It costs almost nothing, so a few fraudulent transactions blocked is probably
> enough. That doesn't change the fact that I believe there have to be more
> effective methods that wouldn't cost much more.

One of the CC industry think tanks (the think tank part of first data; to
be honest, I am not sure that part still exists) has proposed various
alternatives over the years (including a true non-traceable cash type of
CC alternative that was sort of appealing), but the priority of the banks
continues to be to insure convenience (with minimal losses for the banks),
and almost all of the alternatives involved some sort of additional
inconvenience to the customer.  If you can come up with a good alternative,
there are many many millions to be made.  I am not smart enough to
be able to come up with a clearly better alternative (other than a
personal optimization to remember all the CC numbers, including the
CVV2, as you stated you do).

Gary



CVV numbers

2012-06-09 Thread Hal Murray

In response to my comment about:

> If I'm not supposed to not tell anyone, why is it even printed where I can
> read it?

(Sorry for the extra not in there.)

I got an off list suggestion of:
  http://www.cvvnumber.com/

It looks reasonable.

But then, whois for cvvnumber.com says:

Registrant:
   Domains By Proxy, LLC
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

Should I really take them seriously?


-- 
These are my opinions.  I hate spam.






Re: CVV numbers

2012-06-09 Thread Joel Maslak
On Jun 9, 2012, at 1:06 AM, Hal Murray hmur...@megapathdsl.net wrote:

> Should I really take them seriously?

Your call.

That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a 
skimmer from being able to do mail-order/internet-order with your card number.  
The CVV is not on the magnetic strip, so a skimmer installed at the ATM or gas 
pump won't be able to capture it.

There's a similar value on the magnetic strip that keeps the internet site you 
gave your card number and CVV to from being able to print cards and use them at 
the gas pump.

Certainly they don't stop all fraud.  They stop one type of fraud.


Re: CVV numbers

2012-06-09 Thread Lynda

On 6/9/2012 12:06 AM, Hal Murray wrote:
> In response to my comment about:
>
>> If I'm not supposed to not tell anyone, why is it even printed where I can
>> read it?
>
> (Sorry for the extra not in there.)

The CVV number is simply to prove that the card is in your possession.
The percentage of the sale that goes to Amex/Visa/Mastercard/Discover
(etc) is determined by whether the merchant can supply various items,
and the CVV is one of them. Running the card physically (where the
merchant touches your card, and presumably verifies that you are you)
gets taxed the lowest. The CVV is just meant to replace that
verification. Sort of. I disapprove *strongly* of any online merchant
that does not request this simple item, but it's not magic.

> I got an off list suggestion of:
>    http://www.cvvnumber.com/
>
> It looks reasonable.
>
> But then, whois for cvvnumber.com says:
>
> Registrant:
>    Domains By Proxy, LLC
>
> Should I really take them seriously?

No. No you should not. Here's the canonical Wikipedia entry, for those
still playing along.

http://en.wikipedia.org/wiki/Luhn_algorithm

There's a few more grown-up words there. The best part is that it's a
public algorithm. What's not to like?


--
A picture is worth 10K words -- but only those to describe
the picture.  Hardly any sets of 10K words can be adequately
described with pictures.




Re: CVV numbers

2012-06-09 Thread Owen DeLong

On Jun 9, 2012, at 7:14 AM, Lynda wrote:

> On 6/9/2012 12:06 AM, Hal Murray wrote:
>
>> In response to my comment about:
>>
>>> If I'm not supposed to not tell anyone, why is it even printed where I can
>>> read it?
>>
>> (Sorry for the extra not in there.)
>
> The CVV number is simply to prove that the card is in your possession. The
> percentage of the sale that goes to Amex/Visa/Mastercard/Discover (etc) is
> determined by whether the merchant can supply various items, and the CVV is
> one of them. Running the card physically (where the merchant touches your
> card, and presumably verifies that you are you) gets taxed the lowest. The
> CVV is just meant to replace that verification. Sort of. I disapprove
> *strongly* of any online merchant that does not request this simple item, but
> it's not magic.
>

How does having the CVV number prove the card is in my possession?

I have memorized the CVV in addition to the 16 digits of the cards I commonly 
use and routinely enter them into online ordering without retrieving the card.

What prevents a fraudster from writing the CVV down along with the other card 
data?

Sure, the CVV (in the case of CVV2) may not be included in the 
computer-readable mag-stripe or in swipe transactions, but I really don't see 
how CVV does anything to prove physical possession of the card at the time of 
the transaction (or at any time, in fact).

>> I got an off list suggestion of:
>>   http://www.cvvnumber.com/
>>
>> It looks reasonable.
>>
>> But then, whois for cvvnumber.com says:
>>
>> Registrant:
>>    Domains By Proxy, LLC
>>
>> Should I really take them seriously?
>
> No. No you should not. Here's the canonical Wikipedia entry, for those still
> playing along.
>
> http://en.wikipedia.org/wiki/Luhn_algorithm

Luhn seems to apply to the check digit (last of the (usually) 16 digits) on the
face of the credit card and not to the CVV value.

Owen
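Since the thread settles on Luhn being a public check on the printed account number and nothing to do with CVV, here is the algorithm worked through in Python. This is an added example, not code from the list or from any card scheme; the 4111... and 79927398713 values are the usual constructed test numbers, not real accounts.

```python
"""Luhn check-digit validation for the account number printed on a card.

Added example (not from the NANOG thread). It shows what Luhn does and does
not do: it catches typing errors in the PAN, but it is public and carries no
secret, so it says nothing about CVV1/CVV2.
"""


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum modulo 10; 0 means the number passes."""
    total = 0
    # Walk from the rightmost digit. Every second digit (starting with the one
    # left of the check digit) is doubled; 10..18 become 1..9 by subtracting 9.
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if pan (spaces allowed) is a well-formed Luhn number."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or len(pan) < 2:
        return False
    return luhn_checksum(pan) == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the check digit that makes partial + digit pass luhn_valid."""
    if not partial.isdigit():
        raise ValueError("partial PAN must be decimal digits")
    # Appending a placeholder 0 puts every existing digit at its final
    # position; the check digit is whatever brings the sum to a multiple of 10.
    return str((10 - luhn_checksum(partial + "0")) % 10)


def single_digit_errors_detected(pan: str) -> bool:
    """Check the Luhn property that any single wrong digit is always detected.

    The doubled-digit mapping 0..9 -> 0,2,4,6,8,1,3,5,7,9 is a bijection, so
    changing one digit at any position changes the sum modulo 10.
    """
    for i, ch in enumerate(pan):
        for other in "0123456789":
            if other != ch and luhn_valid(pan[:i] + other + pan[i + 1:]):
                return False
    return True


if __name__ == "__main__":
    # Constructed test PAN (the well-known 4111... test number), not a real account.
    sample = "4111 1111 1111 1111"
    print(sample, "valid:", luhn_valid(sample))
    print("check digit for 411111111111111:", luhn_check_digit("411111111111111"))
    print("every single-digit typo detected:",
          single_digit_errors_detected("4111111111111111"))
```

The point for this thread is in `single_digit_errors_detected`: Luhn is an integrity check against mistyping, computed from the digits in front of you with no key, so knowing it buys a fraudster nothing and knowing a CVV buys the Luhn check nothing.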




Re: CVV numbers

2012-06-09 Thread Alexandre Carmel-Veilleux
On 2012-06-09, at 10:56, Owen DeLong o...@delong.com wrote:
>
> How does having the CVV number prove the card is in my possession?

It doesn't, it merely proves you must have handled the card physically at some 
point since storing that value in a database is forbidden.

Verified by Visa and the MasterCard equivalent actually prove that you are 
the rightful card holder. Unlike CVV numbers, they actually exempt the merchant 
from chargebacks (or did circa 2003).

Alex



Re: CVV numbers

2012-06-09 Thread Stephen Sprunk
On 09-Jun-12 09:14, Joel Maslak wrote:
> On Jun 9, 2012, at 1:06 AM, Hal Murray hmur...@megapathdsl.net wrote:
>> Should I really take them seriously?
> Your call.

> That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a
> skimmer from being able to do mail-order/internet-order with your card
> number.  The CVV is not on the magnetic strip, so a skimmer installed at the
> ATM or gas pump won't be able to capture it.

This is CVV2; it is printed (but not embossed) on the card but not on
the magstripe.  This is requested by online merchants to prove that
the card is in the customer's possession, since it won't show up on
carbons, receipts, etc. and in theory will never be stored by any
merchant (unlike the account number, expiration date, etc.).

> There's a similar value on the magnetic strip that keeps the internet site
> you gave your card number and CVV to from being able to print cards and use
> them at the gas pump.

This is CVV1; it is on the magstripe but not printed on the card; this
is how brick-and-mortar merchants can prove that your card was in the
merchant's possession (card present), i.e. swiped rather than entered
by hand. 

> Certainly they don't stop all fraud.  They stop one type of fraud.

The two codes are targeted at very different types of fraud.  What they
have in common is that submitting either a CVV1 or CVV2 number enables
merchants to get a better discount rate on their transactions.  Given
the low margins in many industries, this can make the difference between
making a profit and losing money on a sale, which is why many merchants
refuse transactions without CVV1 or CVV2. Merchants in industries with
higher margins often don't care; they'll submit CVV1 or CVV2 when
convenient, but they won't let not having them block the sale.

S

-- 
Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS          dice at every possible opportunity." --Stephen Hawking






Re: CVV numbers

2012-06-09 Thread Wayne E Bouchard
On Sat, Jun 09, 2012 at 02:18:15PM -0400, Alexandre Carmel-Veilleux wrote:
> On 2012-06-09, at 10:56, Owen DeLong o...@delong.com wrote:
>>
>> How does having the CVV number prove the card is in my possession?
>
> It doesn't, it merely proves you must have handled the card physically at
> some point since storing that value in a database is forbidden.
>
> Verified by Visa and the MasterCard equivalent actually prove that you are
> the rightful card holder. Unlike CVV numbers, they actually exempt the
> merchant from chargebacks (or did circa 2003).
>
> Alex

Before the days of online transactions, how many people even knew a
portion of their CC let alone the verification tag?

The main weakness of CVV2 these days is form history in browsers.
(auto complete). Now, if someone can get onto your PC, they not only
get the credit card number (which there are myriad different ways to
get) but the CVV as well so that mechanism is, now, all but useless.
Add to that the fact online merchants don't even have to appear in the
same country, let alone region, and the location of purchase relative
to the home residence of the user doesn't mean much either so can't
act as an effective secondary if the information were to be captured.

Just like all other forms of security and fraud protection that we in
the online community try to enable, eventually something comes along
that makes the job a lot harder. Having these mechanisms is better
than not having them but there will never be a perfect system.

-Wayne

---
Wayne Bouchard
w...@typo.org
Network Dude
http://www.typo.org/~web/



Re: CVV numbers

2012-06-09 Thread Barry Shein

On June 9, 2012 at 12:12 w...@typo.org (Wayne E Bouchard) wrote:
>
> The main weakness of CVV2 these days is form history in browsers.
> (auto complete). Now, if someone can get onto your PC, they not only
> get the credit card number (which there are myriad different ways to
> get) but the CVV as well so that mechanism is, now, all but useless.

Oh c'mon, all but useless? Look at all the ifs/ands/buts. They need
access to your form history which actually is useless if the
merchant's form just uses a password-type field, etc.

Yeah, a lot of these techniques are useless if your computer etc is
completely pwned. But they help if you're not.

Credit card fraud prevention is all about percentages, not absolutes.

Even just requiring a valid credit card number and expiration date and
nothing else probably prevents, I dunno, 98%+ of all potential fraud,
probably 99%+.

The rest is about squeezing down that last percentage point or two and
generally discouraging crooks from trying.

One of the PITA frauds credit card companies deal with is someone in
the household, like your teenage kid, taking your card physically out
of your wallet and using it w/o your permission and then you call in
when you see the bill that you never ordered $100 from iTunes or
bought any cool sneakers at the mall.

That's probably more common than a lot of the other frauds you imagine.

A lot of these techniques at least prove that *someone* had your card
physically if they suspect this was not fraud but, rather,
unauthorized use.

People will also try to deny charges they simply regret, like a night
at a bar with strippers particularly that one in the blue hot pants,
who the h*** KNEW she got $300 for a lap dance and $50/glass for the
Kristal, doesn't seem fair not fair at all...it's some backpressure.


-- 
-Barry Shein

The World              | b...@theworld.com       | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD     | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet  | SINCE 1989     *oo*



Re: CVV numbers

2012-06-09 Thread Jay Ashworth
- Original Message -
> From: Owen DeLong o...@delong.com
>
> How does having the CVV number prove the card is in my possession?
>
> I have memorized the CVV in addition to the 16 digits of the cards I
> commonly use and routinely enter them into online ordering without
> retrieving the card.
>
> What prevents a fraudster from writing the CVV down along with the
> other card data?

Nothing, but lots of fraud scenarios don't involve a bad actor taking
physical possession of your card: magstripe skimmers and charge-slip
carbons being only 2 off-hand examples.  Clearly, the percentage of fraud
it blocks is more than the amount it costs.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274



Re: CVV numbers

2012-06-09 Thread Jimmy Hess
On 6/9/12, Alexandre Carmel-Veilleux a...@miniguru.ca wrote:
> On 2012-06-09, at 10:56, Owen DeLong o...@delong.com wrote:
>> How does having the CVV number prove the card is in my possession?
> It doesn't, it merely proves you must have handled the card physically at
> some point since storing that value in a database is forbidden.
[snip]
Someone must have something in a database that can easily derive the
CVV2 number; otherwise there would be no way for it to be verified that
the correct number has been presented. There's really no hashing scheme
for 3-digit numbers that cannot be trivially brute-forced, once any
salting procedure is known by an attacker.


I bet there is at least one small retailer out there who takes phone
orders and gathers CVV2, and at least one POS software developer out
there who is unaware of, has ignored, or has
intentionally/unintentionally disobeyed the rule about never storing
CVV2 values in a database, and does at least one of these things:
transmits it without storing but fails to encrypt it (e.g. number sent
to a backend with unencrypted XMLRPC transaction), records it in a
database, e-mails the data internally, puts it in a spreadsheet, and
stores it as data at rest (encrypted or not), and fails to scrub
it, e.g. deleted but not overwritten file on a computer, file on a
share, e-mail saved in a folder, writes it down, or otherwise
misappropriates the CVV2 value together with the CC# and Expdate.

In other words CVV2 is a weak physical proof mechanism that only
works if all parties involved obey the rules perfectly without error,
even parties such as merchants who are not necessarily trustworthy,
but even if trustworthy may also have kept record of CVV2 & CC Expdate
by accident, poor process, or failure of staff to follow
established procedures for the handling of the data.

-- 
-JH



Re: CVV numbers

2012-06-09 Thread Scott Howard
On Sat, Jun 9, 2012 at 7:14 AM, Joel Maslak jmas...@antelope.net wrote:

> That said, the purpose of CVV is to stop *one* type of fraud - it's to
> stop a skimmer from being able to do mail-order/internet-order with your
> card number.  The CVV is not on the magnetic strip, so a skimmer installed
> at the ATM or gas pump won't be able to capture it.


No, it's to stop more than one type of fraud - however your point is
correct in that it's not designed to stop *all* fraud, it's just one of
many layers of prevention.

In addition to the one you've mentioned, the CVV2 also stops the card from being
fraudulently used in any situation where the card number has been
leaked, such as a database of card numbers being hacked, a receipt with the
full number on it (rare if at all existent these days), etc. The rules on
CVV2 numbers basically say that the number can never be recorded by the
merchant after the transaction has been processed, which pretty much means
that they can't store it at all in any form.  If a database is hacked, the
CVV2 number will not be there.

  Scott


Re: CVV numbers

2012-06-09 Thread Scott Howard
On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard w...@typo.org wrote:

> The main weakness of CVV2 these days is form history in browsers.
> (auto complete).


Any website requesting a CVV2 in a form field without the form
history/autocomplete being disabled is in breach of PCI compliance, and
risks losing their ability to accept credit cards.

That's not to say there aren't some that do it, but to call this the main
weakness of CVV2 is simply wrong.

  Scott


Re: CVV numbers

2012-06-09 Thread Scott Howard
On Sat, Jun 9, 2012 at 2:25 PM, Jimmy Hess mysi...@gmail.com wrote:

> Someone must have something in a database that can easily derive the
> CVV2 number;


There is no way to derive the CVV2 number.  It is little more than a
random number assigned to the card.



> otherwise there would be no way for it to be verified that the correct
> number has


It is verified by comparing it to the known CVV2 number stored by the
credit card company/bank that issued the card.



> I bet there is at least one small retailer out there who takes phone
> orders and gathers CVV2, and at least one POS software developer out
> there who is unaware of, has ignored, or has
> intentionally/unintentionally disobeyed the rule about never storing
> CVV2 values in a database,


Gathering CVV2 number over the phone is completely valid. It's even valid
to write them down, as long as they are destroyed as soon as the
transaction has been completed. Of course there are people that
disobey/ignore/don't know the rules - no level of security will ever be
perfect in this regard - it's all about making the security better and
reducing the rate of fraud/chargebacks.



> In other words CVV2 is a weak physical proof mechanism that only
> works if all parties involved obey the rules perfectly without error,


Correct.  It's a weak physical proof mechanism that has succeeded in
having a very significant reduction in fraudulent transactions/chargebacks
across pretty much the entire industry.  Remind me again what your point
was?

  Scott


Re: CVV numbers

2012-06-09 Thread Aled Morris
On 9 June 2012 22:42, Scott Howard sc...@doc.net.au wrote:

> There is no way to derive the CVV2 number.  It is little more than a
> random number assigned to the card.
> [...]
> It is verified by comparing it to the known CVV2 number stored by the
> credit card company/bank that issued the card.


I don't think this is correct - I believe the Wikipedia entry is accurate:

---snip---
CVC1, CVV1, CVC2 and CVV2 values are generated when the card is issued. The
values are calculated by encrypting the bank card number (also known as the
primary account number or PAN), expiration date and service code with
encryption keys (often called Card Verification Key or CVK) known only to
the issuing bank, and decimalising the result
---snip---
http://en.wikipedia.org/wiki/Cvv2


I suspect the issuing banks can share their CVKs with the card scheme
operators (Visa, MC, Amex) if they want them to validate transactions on
their behalf.

Aled
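The construction Aled quotes (a keyed transform of PAN, expiry and service code, decimalised to digits) also answers Jimmy's earlier question of how an issuer checks a CVV2 without keeping it in a database: the issuer recomputes it under its Card Verification Key. The Python below is an added illustration of that shape, not code from the thread or from any card scheme. It assumes HMAC-SHA256 as a stand-in for the DES-based CVK encryption the real scheme uses, a simplified decimalisation table (hex digits kept first, then a-f mapped to 0-5), an assumed "000" service code for the CVV2 variant, and constructed key and card values.

```python
"""Issuer-side card verification value as a keyed function, with decimalisation.

Added illustration (not from the NANOG thread, not any issuer's scheme).
Assumptions: HMAC-SHA256 stands in for the DES/CVK step; the decimalisation
rule and the "000" service code for CVV2 are simplified from public
descriptions of the scheme; every key and card number here is constructed.
"""
import hashlib
import hmac
from typing import Optional

# Assumed decimalisation rule: keep hex digits 0-9 first (in order), then map
# letters a-f to 0-5. The published scheme uses a table of this shape.
_LETTER_TO_DIGIT = {c: str(i) for i, c in enumerate("abcdef")}

CVV2_SERVICE_CODE = "000"  # assumed: CVV2 is the variant computed with service code 000


def decimalise(hexdigest: str, ndigits: int = 3) -> str:
    """Turn a hex string into ndigits decimal digits: digits first, then a-f -> 0-5."""
    digits = [c for c in hexdigest if c.isdigit()]
    digits += [_LETTER_TO_DIGIT[c] for c in hexdigest if c in _LETTER_TO_DIGIT]
    return "".join(digits[:ndigits])


def derive_cvv(cvk: bytes, pan: str, expiry_yymm: str, service_code: str) -> str:
    """Keyed transform of (PAN, expiry, service code) -> 3 decimal digits.

    Only the holder of cvk can produce or check this; a merchant holding the
    PAN and expiry cannot derive it, which is the property the thread is after.
    """
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    tag = hmac.new(cvk, msg, hashlib.sha256).hexdigest()
    return decimalise(tag)


def derive_cvv2(cvk: bytes, pan: str, expiry_yymm: str) -> str:
    """CVV2 (printed value) in this model: same function, fixed service code."""
    return derive_cvv(cvk, pan, expiry_yymm, CVV2_SERVICE_CODE)


def issuer_verify(cvk: bytes, pan: str, expiry_yymm: str,
                  service_code: str, presented: str) -> bool:
    """The issuer stores no CVV; it recomputes and compares in constant time."""
    expected = derive_cvv(cvk, pan, expiry_yymm, service_code)
    return hmac.compare_digest(expected, presented)


def hash_cvv_for_storage(salt: bytes, cvv: str) -> str:
    """What a merchant might wrongly treat as safe retention: a salted hash."""
    return hashlib.sha256(salt + cvv.encode()).hexdigest()


def recover_cvv_from_hash(salt: bytes, digest: str) -> Optional[str]:
    """Jimmy's point: a 3-digit space is exhausted in at most 1000 hashes,
    so hashing is not a substitute for not storing the value at all."""
    for n in range(1000):
        guess = f"{n:03d}"
        if hash_cvv_for_storage(salt, guess) == digest:
            return guess
    return None


if __name__ == "__main__":
    cvk = b"constructed-example-issuer-key"      # constructed, not a real CVK
    pan, expiry = "4111111111111111", "2512"     # constructed test card
    cvv2 = derive_cvv2(cvk, pan, expiry)
    print("CVV2 in this model:", cvv2)
    print("issuer accepts it:", issuer_verify(cvk, pan, expiry, CVV2_SERVICE_CODE, cvv2))
    stored = hash_cvv_for_storage(b"merchant-salt", cvv2)
    print("recovered from merchant's salted hash:", recover_cvv_from_hash(b"merchant-salt", stored))
```

Two things fall out of this shape. First, Scott and Aled are both half right: the value is not stored by the issuer, but it is not random either; it is keyed, so it can be recomputed by the key holder and by nobody else. Second, the 1000-try loop shows why the PCI rule is "do not retain" rather than "retain hashed".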


Re: CVV numbers

2012-06-09 Thread Matthew Palmer
On Sat, Jun 09, 2012 at 02:34:03PM -0700, Scott Howard wrote:
> On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard w...@typo.org wrote:
>> The main weakness of CVV2 these days is form history in browsers.
>> (auto complete).
>
> Any website requesting a CVV2 in a form field without the form
> history/autocomplete being disabled is in breach of PCI compliance, and
> risks losing their ability to accept credit cards.

And convenience trumps pseudo-security yet again; Chrom(ium) asks me if I want
to save my CC details when I put them in (to which I tell it not just no,
but are you *nuts*?); presumably this is on forms which include
autocomplete=off, since it happens often enough.  So I would assume that
this PCI compliance tickbox is being ignored by browsers.  Whee!

- Matt

-- 
Ruby's the only language I've ever used that feels like it was designed by a
programmer, and not by a hardware engineer (Java, C, C++), an academic
theorist (Lisp, Haskell, OCaml), or an editor of PC World (Python).
-- William Morgan