[ale] OT: Security code on Credit/Debit cards

Michael H. Warfield mhw at WittsEnd.com
Sat Feb 20 00:05:57 EST 2010


On Fri, 2010-02-19 at 19:49 -0600, Mike Kachline wrote: 
> >>> 1. The number on the back of the card usually a 3 digit number, is that 
> >>> on the magnetic strip?
> >> No.  That would defeat the purpose.  It's for physical verification of
> >> the presence and control of the card.  That's not necessary for swipe
> >> terminals and wouldn't be verified.

> This actually depends on the bank who issued the card. Each credit card
> usually contains two "tracks" of data, and, inside of "Track 2" is a
> section called "discretionary data" which the bank can put whatever they
> want into. Some banks could put the CVV/CID code there.

I will have to go back and confirm this but I would be very VERY much
surprised if PCI compliance allowed this sort of thing any more.  The
modern CVV is actually CVV2.  What I've read was that CVV or CVK was
permitted, by the format standard, in the discretionary fields of tracks
one or two (there are three tracks but track 3 is rarely used and track
two is only 1/3 the density of track 1 and can not hold nearly as much
data, which isn't much to begin with) but no mention of the CVV2 which
is mathematically generated from the card data (number, expiration, etc)
plus a secret key known only to the provider.  PCI compliance trumps
what the standards allow.  The clearing houses (Visa, MasterCard,
Discover, Amex) impose even stricter standards.  Even if the format
allows it and even if PCI allows it, if the clearing house says "no"
then thou shalt not.  Web sites in the US are no longer legally allowed
to even retain or store the CVV code, if they collect it on-line.

> Of course, your CVV could have been compromised if you ever used it
> online. In such a case, the website itself, or even a keystroke logger
> on your PC could be suspect.

These tend to result in multiple hits though.  NOBODY sells your card
number ONCE.  The guys that skim it that way are NOT going to use it,
they're going to SELL it to others.  That's the way it works in the
underground nowadays.  It's all business.  If you only make $3 off
selling a single card (and that's optimistic even for a number with the
CVV) you have to sell a lot of card numbers and sell them to multiple
buyers to make anything.  And these clowns are making a lot.  If it had
gone that way, he should have been carpet bombed from all over the
place, not just a single chump.  It doesn't fit the paradigm.

> In your forensics activities, some other clues would be whether the
> false purchasers also knew your zipcode and address (two other pieces of
> information used to verify cardholder data.) Finally, a little known
> piece of information, "address verification" of credit cards
> differentiates between whether you have given a five digit zip, or
> entire nine digit zip. If, for instance, you never give your full nine
> digit zip, and you find that the false purchasers used a nine digit zip,
> then, your Address verification (avs) information was probably taken
> from places other than a recent credit card transaction that you have made.

> - Mike

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
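The thread above turns on what a magnetic-stripe "Track 2" actually carries: a PAN, an expiry, a service code and an issuer-defined discretionary field, which is exactly the data PCI DSS forbids a merchant from retaining after authorization. The following parser is an added example, not code from either poster: it decodes the ISO/IEC 7813 Track 2 layout, Luhn-checks the PAN, and scans a few constructed log lines (the sample log, the test PAN 4111111111111111 and the discretionary value are all made up for this illustration) for full track data that should never have been written to disk. The discretionary field is reported only as an opaque digit string, since its meaning is issuer-specific and the thread does not settle what any particular bank puts there.

```python
"""Track 2 (ISO/IEC 7813) parser plus a DLP-style scan for track data in logs.

Added example for the mailing-list discussion; all sample values are
constructed and the 4111111111111111 PAN is a well-known test number.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ;PAN=YYMM SSS discretionary ?  (LRC, if present, follows the end sentinel)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)
# Looser pattern used to find track-like substrings anywhere in free text.
TRACK2_SEARCH = re.compile(r";\d{1,19}=\d{7,}\?")


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str   # issuer-defined; treated as opaque here
    pan_luhn_ok: bool


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Optional[Track2]:
    """Return the decoded fields, or None if the string is not Track 2 data."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        return None
    pan = m.group("pan")
    return Track2(pan, m.group("exp"), m.group("svc"), m.group("disc"), luhn_ok(pan))


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(text: str) -> List[Tuple[int, Track2]]:
    """Find full Track 2 records in text; returns (1-based line number, record)."""
    hits: List[Tuple[int, Track2]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_SEARCH.finditer(line):
            rec = parse_track2(m.group(0))
            if rec is not None:
                hits.append((lineno, rec))
    return hits


# Constructed sample log: line 2 is a debug line that leaked raw track data.
SAMPLE_LOG = """\
2010-02-19 19:49:01 pos01 auth ok txn=1001 pan=411111******1111
2010-02-19 19:49:07 pos01 DEBUG raw=;4111111111111111=25121010000000000123?
2010-02-19 19:50:12 pos02 auth ok txn=1002
"""

if __name__ == "__main__":
    for lineno, rec in scan_for_track2(SAMPLE_LOG):
        print(f"line {lineno}: full track data for {mask_pan(rec.pan)} "
              f"exp={rec.expiry_yymm} svc={rec.service_code} "
              f"discretionary_len={len(rec.discretionary)} luhn_ok={rec.pan_luhn_ok}")
```

Run it as a script and it reports line 2 as a finding while leaving the properly masked PAN on line 1 alone; the same scan function can be pointed at POS, web-server or application logs to confirm that nothing beyond the masked PAN survives authorization.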