November 09, 2006


CVV on Credit Cards

I sincerely believe that online security can be enhanced only by user education. It may not be a magic bullet, but it prevents a large number of simple cases. Here is a report on online credit card fraud. (Hat-tip: Ramand)

To make a payment online, you need the 16-digit credit card number and the 3-digit card verification value (CVV). The CVV is printed on the back of the card along with the credit card number. With this information, an online transaction can be done. Now, ideally, both of these numbers should be secret. But, as you must have seen, the credit card slip you get after making a payment at a store has your credit card number printed nicely. The merchant also keeps a copy of that slip, so your credit card number is not a secret. Here is the reporter's take on the CVV.

"Banks say the CVV number is needed to ensure the customer actually possesses the card while making the purchase. But in reality anyone can quickly note the digits on a card and make it his own."
So, how do you keep the CVV secret? Simple. Memorize and then erase. Yes, the credit card owner is supposed to erase that information. When you present the card physically, they don't ask for the CVV number anyway. They ask for your signature, which should match the one on the back of the card. (In some parts of the world, they don't really care about the matching-the-signature thingie.)

The banks do insist that the first thing you should do after receiving the card is to sign on the back with non-erasable ink. But they don't really talk about the importance of the CVV number and the need to erase it. I can speculate why. The CVV number is unique to the card. If you erase it and forget it, it cannot be regenerated. I guess you need to get a new card (and pay for it!). For people, it is just like the net-banking password, which they ask to have regenerated when they lose the piece of paper on which it was written.

Here is a suggestion on that by the Head of the CS Department, IIT Bombay.
“The second factor identification should ask for information which is known only to the consumer”
In most of the cases I've seen, this is the date of birth. That is not such sensitive information that people can't part with it when confronted with social engineering. Net net, not many people are aware of it, and the bank doesn't give a damn about it.

The article also blames the bank for not having proper checks at its end.
"To make it worse, no one at his bank found this unusual."
Well, in an ideal scenario the bank would like to have the entire process automated with zero manual intervention. They already maintain a database of all your transactions. The bank would prefer that you receive your statement by e-mail and pay the bill using the net-banking facility. The bank would like to send you SMS/e-mail reminders about the payment due date, rather than have somebody from the call center talk to you about it. In all probability, nobody checks your credit card transactions and statement.

Some reaction-based solutions can be implemented, such as a mechanism to send an SMS/e-mail if expenses exceed a certain amount; that may prove useful, but it surely won't prevent fraud completely. Proactive filtering, like blocking the card if expenses exceed a certain threshold, may end up annoying people.

Again, to pick a line from my earlier post on online security, isn't technology supposed to make life simpler?

