Re: CVV numbers

[Wayne E Bouchard <web () typo org>]

On Sat, Jun 09, 2012 at 02:18:15PM -0400, Alexandre Carmel-Veilleux wrote:
> On 2012-06-09, at 10:56, Owen DeLong <owen () delong com> wrote:
> > How does having the CVV number prove the card is in my possession?
>
> It doesn't, it merely proves you must have handled the card physically at some point since storing that value in a 
> database is forbidden.
>
> Verified by Visa and the MasterCard equivalent actually "prove" that you are the rightful card holder. Unlike CVV 
> numbers, they actually exempt the merchant from chargebacks (or did circa 2003).
>
> Alex

Before the days of online transactions, how many people even knew a
portion of their CC let alone the verification tag?

The main weakness of CVV2 these days is "form history" in browsers.
(auto complete). Now, if someone can get ont your PC, they not only
get the credit card number (which there are myriad different ways to
get) but the CVV as well so that mechanism is, now, all but useless.
Add to that the fact online merchants don't even have to appear in the
same country, let alone region, and the "location of purchase relative
to the home residence of the user" doesn't mean much either so can't
act as an effective secondary if the information were to be captured.

Just like all other forms of security and fraud protection that we in
the online community try to enable, eventually something comes along
that makes the job a lot harder. Having these mechanisms is better
than not having them but there will never be a perfect system.

-Wayne

---
Wayne Bouchard
web () typo org
Network Dude
http://www.typo.org/~web/