[ale] OT: Security code on Credit/Debit cards

Scott Castaline skotchman at gmail.com
Fri Feb 19 22:07:53 EST 2010


On 02/19/2010 08:49 PM, Mike Kachline wrote:
>>>> 1. The number on the back of the card usually a 3 digit number, is that
>>>> on the magnetic strip?
>>> No.  That would defeat the purpose.  It's for physical verification of
>>> the presence and control of the card.  That's not necessary for swipe
>>> terminals and wouldn't be verified.
>
> This actually depends on the bank who issued the card. Each credit card
> usually contains two "tracks" of data, and, inside of "Track 2" is a
> section called "discretionary data" which the bank can put whatever they
> want into. Some banks could put the CVV/CID code there.
>
> Of course, your CVV could have been compromised if you ever used it
> online. In such a case, the website itself, or even a keystroke logger
> on your PC could be suspect.
> In your forensics activities, some other clues would be whether the
> false purchasers also knew your zipcode and address (two other pieces of
> information used to verify cardholder data.) Finally, a little known
> piece of information, "address verification" of credit cards
> differentiates between whether you have given a five digit zip, or
> entire nine digit zip. If, for instance, you never give your full nine
> digit zip, and you find that the false purchasers used a nine digit zip,
> then, your Address verification (avs) information was probably taken
> from places other than a recent credit card transaction that you have made.
>
>
>     - Mike
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
It's my understanding that ING does not put the CVV on the magnetic 
strip. I do have to confess that I have used it online but restrict to 
places like amazon.com, microcenter.com and wallyworld.com (wal-mart) 
and PayPal.com As far as I know I do not have any keystroke loggers on 
my system, and that is the only system that I have done online 
transactions, I won't use my wifey's laptop,(Micro$haft XP) and I don't 
allow her to either on it.


More information about the Ale mailing list