CVV numbers

John Adams jna at retina.net
Sat Jun 9 20:08:16 UTC 2012


There is a reason part of most scanners that verify the PCI standard look
for autocomplete=off on credit card number and cvv2 fields. This is
specifically it.

-j


On Sat, Jun 9, 2012 at 12:30 PM, Barry Shein <bzs at world.std.com> wrote:

>
> On June 9, 2012 at 12:12 web at typo.org (Wayne E Bouchard) wrote:
>  >
>  > The main weakness of CVV2 these days is "form history" in browsers.
>  > (auto complete). Now, if someone can get onto your PC, they not only
>  > get the credit card number (which there are myriad different ways to
>  > get) but the CVV as well so that mechanism is, now, all but useless.
>
> Oh c'mon, all but useless? Look at all the ifs/ands/buts. They need
> access to your form history which actually is useless if the
> merchant's form just uses a password-type field, etc.
>
> Yeah, a lot of these techniques are useless if your computer etc is
> completely pwned. But they help if you're not.
>
> Credit card fraud prevention is all about percentages, not absolutes.
>
> Even just requiring a valid credit card number and expiration date and
> nothing else probably prevents, I dunno, 98%+ of all potential fraud,
> probably 99%+.
>
> The rest is about squeezing down that last percentage point or two and
> generally discouraging crooks from trying.
>
> One of the PITA frauds credit card companies deal with is someone in
> the household, like your teenage kid, taking your card physically out
> of your wallet and using it w/o your permission and then you call in
> when you see the bill that you never ordered $100 from iTunes or
> bought any cool sneakers at the mall.
>
> That's probably more common than a lot of the other frauds you imagine.
>
> A lot of these techniques at least prove that *someone* had your card
> physically if they suspect this was not fraud but, rather,
> "unauthorized use".
>
> People will also try to deny charges they simply regret, like a night
> at a bar with strippers particularly that one in the blue hot pants,
> who the h*** KNEW she got $300 for a lap dance and $50/glass for the
> Kristal, doesn't seem fair not fair at all...it's some backpressure.
>
>
> --
>        -Barry Shein
>
> The World              | bzs at TheWorld.com           | http://www.TheWorld.com
> Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
> Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
>
>


