Log in

No account? Create an account
brad's life [entries|archive|friends|userinfo]
Brad Fitzpatrick

[ website | bradfitz.com ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

CVV2 Questions [Nov. 25th, 2003|11:30 am]
Brad Fitzpatrick
The Internet is useless. I want to know why CVV2 codes on credit cards are supposed to be more secure and help consumers. Every website just tells me, "It protects you". But why?


1) it's not embossed, so employee crooks at stores swiping cards with carbon paper don't get the CVV2 number.

2) it's not part of the hashing function within the card's primary 16 numbers, so even if you use a credit card generator program (trivial to write), you can't get correct CVV2 numbers, since only the card issuer has it.

3) merchants aren't supposed to store CVV2 numbers? So if their databases are hacked, nobody gets those? No... because I know Amazon and many others do.

I don't really think (1) and (2) happen much anymore compared to databases being hacked (3), and since everybody just puts CVV2 numbers in their databases, how does CVV2 really help?

Enlighten me!

[User Picture]From: waning_estrogen
2003-11-25 12:10 pm (UTC)
my son, you must climb to the mountaintop
and there the ancient one will grant you
the wisdom you seek
(Reply) (Thread)
[User Picture]From: meganpenworthy
2003-11-25 12:40 pm (UTC)
Hey Brad
I worked at a credit card company so here's my scoop on the CVV #.

We used it for address and name changes(female last name only; others had to provide more documentation) and also for activation purposes. *theory* says that if the person has all the info(name, ssn, address,dob, mmn etc etc AND the CVV which is supposed to only be listed on the back of the card that more than likely-they are the account holder and it is not fraud). Us bank wouldnt let me change my address w/o my cvv code last time I moved even though I know the exact date and branch I opened my checking at like 7 years ago(yea that long ago). Also, for a credit card/bank to find the CVV # in the system, at least for the DOS system we were using, took like a succession of 3 screens or it was on the basic screen #3(that popped in my mind) which for our system was screen bs3(enter) and it was sorta hidden and not well marked.

so, I hope that helps. They, the credit card companies/banks etc, try to make it not easily accessible. I've been asked for it online and it wearies me but I keep good eye on my credit cards so if fraud starts, i know how to crack down and get it fixed.

Melissa aka Megan
ps-when do you think permenant accounts might be available again? lots of people want them.
(Reply) (Thread)
[User Picture]From: mge
2003-11-25 01:36 pm (UTC)

Regarding #2

American Express has something similar to the CVV2 (if not the same thing) and I recall one of their programers telling me that a long time ago there was a deterministic alogorithm that would take a CC # and give you the coresponding CVV2. Then they realized that was a bad idea. Now the numbers are not tied to the card at all.
(Reply) (Thread)
[User Picture]From: mz
2003-11-25 01:38 pm (UTC)
because when you get a lit of CC warez they are not included.
(Reply) (Thread)
From: compwiz
2003-11-25 01:58 pm (UTC)
They've been around for a while; they used to be used when the physical card wasn't available (like online or over the phone) because of 1 & 2. They're obviously not as useful anymore with the advent of things like Verified by Visa passwords (which I don't believe can be saved at the merchant level, but i could be wrong)
(Reply) (Thread)
[User Picture]From: toast0
2003-11-25 03:43 pm (UTC)
do you know anything about how that works? i noticed my bank recently added that, but i haven't shopped anywhere that uses it... the only way i can see that it would really be useful as a security thing is if you submit the password to mastercard/yourbank/whatever rather than the merchant*. which ends up being like paypal, in that the merchant can't control the user experience and customers tend not to like the non-integrated feel.

*if i'm submitting the password to the merchant, then they can store it and submit it to other verified by visa sites; and using the verified by visa password means i'm not entitled to claim i wasn't the one buying the stuff.

(Reply) (Parent) (Thread)
[User Picture]From: d4b
2003-11-25 02:02 pm (UTC)
It's primarily a "feel good" speedbump to give everyone more of a sense of security, much like the new spam laws.
(Reply) (Thread)
[User Picture]From: ghewgill
2003-11-25 02:48 pm (UTC)
The Internet is great for finding questions. Answers are harder to find.
(Reply) (Thread)
[User Picture]From: supersat
2003-11-25 08:04 pm (UTC)
The CVV2 value is also not stored on the magnetic stripe at all (and thus, is never printed on any receipts), so it's impossible for a retail store or employee to steal your CVV2 with just swiping your card. It'd be awfully suspicious if an employee wrote down the CVV2 value from the back of your card.

CVV2 values also change unpredictably when a card is reissued. Usually, when your card expires, you just get a new one with the same account number and an expiration date a couple of years from your original expiration date. This cuts down the window of potential abuse if someone stole your card number and CVV2 value.
(Reply) (Thread)