nanog mailing list archives

RE: bloomberg on supermicro: sky is falling


From: "Naslund, Steve" <SNaslund () medline com>
Date: Wed, 10 Oct 2018 15:55:27 +0000

The entire point of the CVV has become useless. Recently my wife was talking to an airline ticket agent on the phone (American Airlines) and one of the things they ask for on the phone is the CVV. If you are going to read that all out over the phone with all the other data, you are completely vulnerable to fraud. It would be trivial to implement a system where you make a charge over the phone like that and get a text asking you to authorize it instead of asking for a CVV.

After all this time it is stupid to have the same data being used over and over. We have had SecurID and other token/PIN systems in the IT world forever. I have a token on my iPhone right now that I use for certain logins to systems. The hardware tokens cost very little (especially compared to the credit card companies' revenue). The soft tokens are virtually free. A token should be useful for one and only one transaction. You would be vulnerable from the time you read your token to someone (or something) until the charge hit your account. You would also not have to worry about a call center agent or waiter stealing that data because it could only be used once (and if it is not their employer it would become apparent really quickly). Recurring transactions should be unique tokens for a set amount range from a particular entity (i.e. 12 transactions, one per month, not more than $500 each, Comcast only). For example, my reusable token given to my cable company should not be usable by anyone else. Why hasn't this been done yet? Simple: there is no advantage to the retailers and processors. There have been some one-time-use numbers for stuff like that, but it is inconvenient for the user so it won't be that popular. The entire system is archaic and dates back to the time of imprinting on paper.

Tokenized transactions exist today between some entities and the processors, but it is time to extend that all the way from card holder to processor.

Steven Naslund
Chicago IL

  Well,

  Once you get the Expiry Date (which is the most prevalent data that is not encoded with the CHD)

  CVV is only 3 digits; we saw people using parallelizing tactics to find the correct sequence using acquirers around the world.

  With the delays in the reporting pipeline, they have the time to completely abuse that CHD/Date/CVV before getting caught.
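The scoped recurring token Steve proposes above (one merchant, a per-charge cap, a fixed number of uses, one per month) can be expressed as a small authorization check at the issuer side. This is an added illustration, not code from the thread or from any card network; the merchant name, amounts and dates are constructed, and a real deployment would persist the usage record rather than hold it in memory.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ScopedToken:
    """A payment token bound to one merchant, capped per charge,
    limited to max_uses charges and at most one charge per calendar month."""
    merchant: str
    max_amount_cents: int
    max_uses: int
    used_months: set = field(default_factory=set)  # (year, month) already charged

    def authorize(self, merchant, amount_cents, when):
        """Return (approved, reason). Every rejection names the violated scope."""
        if merchant != self.merchant:
            return False, "merchant mismatch"       # stolen token replayed elsewhere
        if amount_cents > self.max_amount_cents:
            return False, "amount exceeds cap"
        if len(self.used_months) >= self.max_uses:
            return False, "token exhausted"
        month = (when.year, when.month)
        if month in self.used_months:
            return False, "already charged this month"
        self.used_months.add(month)                # record the use before approving
        return True, "approved"


class OneTimeToken:
    """The single-transaction token: the first use spends it, any later use is a replay."""
    def __init__(self):
        self.spent = False

    def authorize(self):
        if self.spent:
            return False, "replay"
        self.spent = True
        return True, "approved"


def demo_scoped():
    # Constructed scenario: "Comcast only, 12 charges, one per month, not more than $500 each".
    tok = ScopedToken(merchant="Comcast", max_amount_cents=50_000, max_uses=12)
    return [
        tok.authorize("Comcast", 12_000, date(2018, 10, 1))[0],        # first charge, approved
        tok.authorize("Comcast", 9_000, date(2018, 10, 15))[0],        # second charge same month
        tok.authorize("OtherShop", 1_000, date(2018, 11, 1))[0],       # token leaked to a waiter
        tok.authorize("Comcast", 60_000, date(2018, 11, 1))[0],        # over the $500 cap
        tok.authorize("Comcast", 12_000, date(2018, 11, 1))[0],        # next month, approved
    ]
```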
