Wikipedia

Talk:Card security code

This is an old revision of this page, as edited by StephenFalken (talk | contribs) at 00:05, 2 May 2006 (Security model). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Latest comment: 19 years ago by StephenFalken in topic Security model
Learn more about this page

Q. Is the CVV2 number related to the actual credit card number? Is it a random number? Or is there some other way that the card issuer selects the CVV2 number to put on a card?

A. I don't think MC or Visa require a particular algorithm, so it can be a random number stored in a secure lookup table, or it can be a derived number based on card data using a secret issuer key.

Security model

Latest comment: 19 years ago2 comments2 people in discussion

I do not quite understand the security model underlying the CVV2. Isn't it the case that credit card numbers are typically obtained by making the user enter them on forged websites or by sniffing network traffic? Now what additional security do I gain if all such transactions will soon require to give the CVV2 as well? The same online methods used for stealing the credit card number can also be used to steal the CVV2.

I am just dealing with a transaction that requires me to send my credit card number and CVV2 via fax. The fax machine on the other side may stand in a crowded office and even the cleaning staff may be able to reprint the received faxes in the evening. How can the CVV2 verify that someone holds the card physically if its eventually printed out on some random paper sheets in offices all over the world? --Markus Krötzsch 07:54, 11 August 2005 (UTC)Reply

I agree. When I call up my telco to pay my bill, and they ask me "and now sir, can I have the last three digits from the back of the card", how do I know they won't use it in conjunction with the credit card number I just provided them to buy lots of stuff? I suppose it might help for things like dumpster-diving receipts etc, where the CVC is not printed... but I think it's less useful than people give it credit for (no pun intended :-) StephenFalken 00:05, 2 May 2006 (UTC)Reply

Is it really sure?

Latest comment: 20 years ago1 comment1 person in discussion

The value of this system of security may be disputed. Anybody who can look at the card or recive payment orders with this validation code can know its value. For this reason it can not be anymore consider that the only person who know the code is the legittate owner of the card after the card is used the first time (or even before that, if anybody can look at the card). Morover the value is also known by the credit card society. AnyFile 14:21, 19 August 2005 (UTC)Reply

Imprints

There are some cases where a possible attacker has access to the credit card number, but not the CVV2. For instance, an employee at a store that takes credit cards may be able to make copies of large numbers of receipts, and the credit card number. In this case a person could make a large number of relatively small purchases on-line in a short period of time. Without the physical credit card or the CVV2, it is difficult to do this.

Of course, an employee would be able to record the CVV2 for any card that they physically handled, but in this case sales records would be able to identify the employee.

This is a guess, but it seems reasonable.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Talk:Card_security_code&oldid=51128786"