[153661] in North American Network Operators' Group
Re: CVV numbers
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Jun 10 04:05:26 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <11561027.8602.1339274171831.JavaMail.root@benjamin.baylink.com>
Date: Sun, 10 Jun 2012 01:02:23 -0700
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 9, 2012, at 1:36 PM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Owen DeLong" <owen@delong.com>
>
>> How does having the CVV number prove the card is in my possession?
>>
>> I have memorized the CVV in addition to the 16 digits of the cards I
>> commonly use and routinely enter them into online ordering without
>> retrieving the card.
>>
>> What prevents a fraudster from writing the CVV down along with the
>> other card data?
>
> Nothing, but lots of fraud scenarios don't involve a bad actor taking
> physical possession of your card: magstripe skimmers and charge-slip
> carbons being only 2 off-hand examples. Clearly, the percentage of fraud
> it blocks is more than the amount it costs.

The skimmers can use CVV1 and bypass the CVV2 protection in most
cases (though that requires them to gen up a fake or fraudulent card and
do card present transactions which does add risk for them).

I haven't seen a charge slip carbon in so long that I find it hard to believe
these would remain a significant factor today.

It costs almost nothing, so a few fraudulent transactions blocked is probably
enough. That doesn't change the fact that I believe there have to be more
effective methods that wouldn't cost much more.

Owen