CVV (was: Re: bloomberg on supermicro: sky is falling)

Todd Underwood toddunder at
Fri Nov 9 00:22:55 UTC 2018

This is a confusing and off-topic discussion with respect to network

But for completeness:

Payments systems are architected by fraud rates, not by isolated security
requirements or engineering mandates, as i think most network engineers can

The fraud rates in the US for credit card transactions were historically
very, very low and being a large jurisdiction with a single national law
enforcement branch (the FBI) enforcement was effective.

Compare this to Europe in the 1980s when credit cards were accepted very
few places.  This was for two reasons:

1) the fraud rates were much, much higher, which created chargebacks for
merchants that they preferred not to eat;
2) trans-national enforcement was virtually nonexistent. interpol had ~zero
time to deal with credit card fraud.

so the best european fraud rings always operated from a different country
than where they perpetrated the fraud.

when chip-and-pin was introduced, the point was actually twofold:
A) security
B) shifting liability to the consumer

somewhat famously, even after chip-and-pin was proven compromised, UK banks
continued to make consumers liable for all fraudulent transactions that
were 'pin used'.  this was very, very good for the adoption of credit cards
in europe but it was very, very bad for a few people.  banks, as usual,
didn't care and made some decent money.

So why did the US get pin-and-signature?  Target.

International fraud rings finally got wise to the ripe opportunity that was
the soft underbelly of the US economy and figured out ways to perpetrate
massive, trans-national fraud in the US.  and as soon as that happened, the
US got chips.  the signature-vs-pin part is mostly about the fact that
there are *still* low rates of fraud here as tracked by chargeback rates
and as a result there's no real need to pay the cost of support to set
everyone up with a pin.

and that's what security is always all about:  cost tradeoffs.  people in
countries where everyone has a pin have eaten that cost already and had to
because the fraud rates were high enough to justify it.  people in the US
do not have PINs that they know and setting those up costs money and
maintaining people's access to them costs money.  so if that's not worth
it, it doesn't get done. nor should it.

i generally find it amusing when people from other countries mock the US
for not having PINs.  this is just another way of saying "my country has
high fraud rates and yours appears not to."  :-). you can see this in the
comment below "If we were swipe-based here, we'd all be
broke :-).".  the payments systems are architected to minimize cost and
maximize adoption and they are usually at (or moving towards) some locally
optimal point.  the US is no exception in that.

now, the checking/chequing system is a whole other, embarrassing beast and
mocking that one is just the correct thing to do. :-)

anyway, let's talk about networks, no?



On Thu, Nov 8, 2018, 19:07 Frank Bulk <frnkblk at wrote:

> I have a low-cost/high interest rate account at one of the Canadian banks
> and each "assisted" transaction is $5.
> Frank
> -----Original Message-----
> From: NANOG <nanog-bounces at> On Behalf Of Mark Tinka
> Sent: Thursday, November 08, 2018 3:35 AM
> To: George Michaelson <ggm at>
> Cc: North American Network Operators' Group <nanog at>
> Subject: Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
> <snip.
> Speaking of "cost" as a motivator, in South Africa, most of the banks
> are now using extra fees as a way to force users to do their banking
> online (phone, laptop, app, etc.). If you want to walk into a bank to
> deposit money, withdraw money, make a transfer, etc., you pay for that
> service over and above, while the process costs you zero (0) when done
> online. This has led to banks now renovating banking halls into where
> there was once 23 tellers, you now have 1 service usher, 1 teller, 2
> support agents and 20 self-service computers.
> I hope the U.S. does catch up. If we were swipe-based here, we'd all be
> broke :-). I know a number of major merchants in the U.S. now use PINs,
> and I always stick to those when I travel there.
> Mark.