[ale] OT: Security code on Credit/Debit cards

Avery Ceo avery.ceo at gmail.com
Sat Feb 20 07:21:36 EST 2010


Having just been through this, a couple of points:

1)  Federal law DOES cover debit cards as well.  As others noted, though,
you have to get the money back from the bank rather than the other way
around.  That can leave you flat broke until your next paycheck comes in.

2) You won't get local police to investigate.  If you have something solid,
however, there is someone who will.  Believe it or not, primary
investigative jurisdiction on "access device fraud" - including credit and
debit cards - falls to the Secret Service.  We called them directly, and they
were very happy for the info we were able to give them.  The faster you move
to call them, the better chance they have - cameras, etc.

3) Even though they won't help you, file a police report anyway.  Your bank
will require it to write off the fraud, and the Secret Service isn't
officially a reporting agency, so it doesn't provide them.

Just my 3 cents,

Avery

On Sat, Feb 20, 2010 at 12:05 AM, Michael H. Warfield <mhw at wittsend.com> wrote:

> On Fri, 2010-02-19 at 19:49 -0600, Mike Kachline wrote:
> > >>> 1. The number on the back of the card usually a 3 digit number, is that
> > >>> on the magnetic strip?
> > >> No.  That would defeat the purpose.  It's for physical verification of
> > >> the presence and control of the card.  That's not necessary for swipe
> > >> terminals and wouldn't be verified.
>
> > This actually depends on the bank who issued the card. Each credit card
> > usually contains two "tracks" of data, and, inside of "Track 2" is a
> > section called "discretionary data" which the bank can put whatever they
> > want into. Some banks could put the CVV/CID code there.
>
> I will have to go back and confirm this but I would be very VERY much
> surprised if PCI compliance allowed this sort of thing any more.  The
> modern CVV is actually CVV2.  What I've read was that CVV or CVK was
> permitted, by the format standard, in the discretionary fields of tracks
> one or two (there are three tracks but track 3 is rarely used and track
> two is only 1/3 the density of track 1 and can not hold nearly as much
> data, which isn't much to begin with) but no mention of the CVV2 which
> is mathematically generated from the card data (number, expiration, etc)
> plus a secret key known only to the provider.  PCI compliance trumps
> what the standards allow.  The clearing houses (Visa, MasterCard,
> Discover, Amex) impose even stricter standards.  Even if the format
> allows it and even if PCI allows it, if the clearing house says "no"
> then thou shalt not.  Web sites in the US are no longer legally allowed
> to even retain or store the CVV code, if they collect it on-line.
>
> > Of course, your CVV could have been compromised if you ever used it
> > online. In such a case, the website itself, or even a keystroke logger
> > on your PC could be suspect.
>
> These tend to result in multiple hits though.  NOBODY sells your card
> number ONCE.  The guys that skim it that way are NOT going to use it,
> they're going to SELL it to others.  That's the way it works in the
> underground nowadays.  It's all business.  If you only make $3 off
> selling a single card (and that's optimistic even for a number with the
> CVV) you have to sell a lot of card numbers and sell them to multiple
> buyers to make anything.  And these clowns are making a lot.  If it had
> gone that way, he should have been carpet bombed from all over the
> place, not just a single chump.  It doesn't fit the paradigm.
>
> > In your forensics activities, some other clues would be whether the
> > false purchasers also knew your zipcode and address (two other pieces of
> > information used to verify cardholder data.) Finally, a little known
> > piece of information, "address verification" of credit cards
> > differentiates between whether you have given a five digit zip, or
> > entire nine digit zip. If, for instance, you never give your full nine
> > digit zip, and you find that the false purchasers used a nine digit zip,
> > then, your Address verification (avs) information was probably taken
> > from places other than a recent credit card transaction that you have made.
>
> > - Mike
>
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>   NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!