[153634] in North American Network Operators' Group
Re: CVV numbers
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Jun 9 11:00:30 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4FD35A52.3030608@deaddrop.org>
Date: Sat, 9 Jun 2012 07:56:52 -0700
To: Lynda <shrdlu@deaddrop.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 9, 2012, at 7:14 AM, Lynda wrote:
> On 6/9/2012 12:06 AM, Hal Murray wrote:
>>=20
>> In response to my comment about:
>>=20
>>> If I'm not supposed to not "tell anyone", why is it even printed =
where I can
>>> read it?
>>=20
>> (Sorry for the extra not in there.)
>=20
> The CVV number is simply to prove that the card is in your possession. =
The percentage of the sale that goes to Amex/Visa/Mastercard/Discover =
(etc) is determined by whether the merchant can supply various items, =
and the CVV is one of them. Running the card physically (where the =
merchant touches your card, and presumably verifies that you are you) =
gets taxed the lowest. The CVV is just meant to replace that =
verification. Sort of. I disapprove *strongly* of any online merchant =
that does not request this simple item, but it's not magic.
>=20
How does having the CVV number prove the card is in my possession?
I have memorized the CVV in addition to the 16 digits of the cards I =
commonly use and routinely enter them into online ordering without =
retrieving the card.
What prevents a fraudster from writing the CVV down along with the other =
card data?
Sure, the CVV (in the case of CVV2) may not be included in the =
computer-readable mag-stripe or in swipe transactions, but I really =
don't see how CVV does anything to prove physical possession of the card =
at the time of the transaction (or at any time, in fact).
>> I got an off list suggestion of:
>> http://www.cvvnumber.com/
>>=20
>> It looks reasonable.
>>=20
>> But then, whois for cvvnumber.com says:
>=20
>> Registrant:
>> Domains By Proxy, LLC
>=20
>> Should I really take them seriously?
>=20
> No. No you should not. Here's the canonical Wikipedia entry, for those =
still playing along.
>=20
> http://en.wikipedia.org/wiki/Luhn_algorithm
Luhn seems to apply to the check digit (last of the (usually) 16 digits) =
on the face of the credit card
and not to the CVV value.
Owen
