CVV (was: Re: bloomberg on supermicro: sky is falling)

bzs at theworld.com bzs at theworld.com
Thu Oct 11 19:02:30 UTC 2018


On October 11, 2018 at 10:17 robert at ripe.net (Robert Kisteleki) wrote:
 > (this is probably OT now...)
 > 
 > > I'm pretty sure the "entire point" of inventing CVV was to prove you
 > > physically have the card.
 > 
 > Except that it doesn't serve that purpose. Anyone who ever had your card
 > in their hands (e.g. waiters) can just write that down and use it later
 > hence defeating the purpose of "physically having the card". (Call me
 > paranoid but I usually use a black pen to make the numbers unreadable
 > because of this, after my card (both sides) has been photocopied a
 > number of times...)

What you're saying is they don't work as well as you might hope, not
that they don't serve that purpose.

If you snatched 5M credit card numbers and expiration dates but, as
required by contract, there were no CVVs in that db how well would
that work with sites which require a CVV for a transaction? Not well
at all. So there's a purpose.

Also, traditionally one's signature is on the back right next to that
CVV for a merchant to compare against which leaves forgery a mere
exercise in, well, forgery, since the example one has to reasonably
match is right there.

Which doesn't mean signatures don't work, it's just not much
protection against anyone who can reasonably forge a signature. But
many people can't or won't try, it discourages minor criminals like
your boyfriend using your card surreptitiously while you were sleeping.

They're also some reasonable evidence that the transaction was done in
person with the card in hand. I know some merchant contracts wouldn't
allow forgiveness (who eats the fraud) for charges w/o a signature
where their contract claims they only do in-person purchases which
gets them a lower rate.

There is a concern for merchant fraud also in all this, unfortunately
that's very tempting.

BUT IT'S ALL WORSE THAN THAT!

When I had a book of checks stolen (and reported) several turned up
used in major big box stores with information like driver's license
number, date of birth, etc neatly written on them tho none of that
info was mine.

I doubt they went to the trouble of counterfeiting a driver's license,
it's possible but this was small-time fraud.

My suspicion was they were in cahoots with the cashier, simplest
explanation, the cashier was a friend who probably got a cut.

So anything in the presumed chain of events can often be suborned.

 > This has always been an amusing topic. At the end of the day it's a
 > financial risk management call from the banks -- as long as they lose
 > less money on the current system than the cost of fraud, things will
 > not change. Of course, they try to push those costs onto others as much
 > as possible, but that doesn't change the bottom line.

I agree with this.

Quite a few years ago I was interviewed by a start-up manufacturer of
a big parallel "mini" to head their OS effort.

Something which came out in the conversation, which went on for hours!
(very pleasant tho), was that a major credit card company had pledged
in writing to buy $150M of their machines on day one of ship if they
could run a set of their anti-fraud algorithms quickly enough (their
spec) to be able to reject transactions in real time.

The company had done forensics and I think the estimate was if they
could have run those algorithms they would have saved them some big
number like $50K/hour in fraud. But they couldn't run them fast enough
to allow for reasonable transaction times.

And then ya sit around the bar thinking you know how this or that
startup is funded or why...that would not have been one of my guesses!

-- 
        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


