[Message Prev][Message Next][Thread Prev][Thread Next][Message Index][Thread Index]

Re: RFID Flap Silences Security Researchers

Subject: Re: RFID Flap Silences Security Researchers
From: "Robert L Bass" <no-sales-spam@bassburglaralarms>
Date: Fri, 30 Mar 2007 17:18:21 -0400
Newsgroups: comp.home.automation
References: <O4WdnaEHTIQ-6GTYnZ2dnUVZ_tijnZ2d@xxxxxxx> <460d362c$0$30089$3406c2d1@xxxxxxxxxxxxx> <1338596@xxxxxxxxxxxxxxxxxxx>

> | I was under the impression that CVV2 was never supposed to be stored.
> | Does anyone know if that's a law, a regulation of the credit card
> | companies, or what?
>
> I don't know about law or regulation, but any online order site that
> requires the CVV2 and that does not validate the transaction in real
> time must store it at least for a while.  I have used such sites, though
> I always use a one-time number that gives me a one-time CVV2 as well.
>
> Something that bothers me about the CVV2 is that the credit card
> companies and their proponents make a big point that the owner of
> the credit card is the only person who can possibly know the number.
> I often explain that anyone to whom I've handed my card, along with
> anyone who explicitly requests the CVV2 for a transaction may know it
> as well.  I get the feeling that the CVV2--as with many "security"
> measures--may be more about non-reputability than authentication, i.e.,
> it is intended to work against the customer in the event of a dispute.

The real purpose of CVV2 is to make "flimsies"
(carbon copies of old style in-person transactions
useless.  Thieves used to dumpster dive behind
stores to get the credit card slips.

It's obviously not 100% but it's one more brick
in the wall.  Card companies and merchants
who accept credit cards need to do everything
they can to prevent fraudulent purchases.

Since the merchant is the one who takes the
loss it is in our interest to insist on the CVV2.
I do.  Without it, no sale.  One regular CHAer
who buys from us occasionally used to decline
to give out his CVV2 number.  At first we
had an option to check "Number not readable"
but I've since taken that option down.

Customers often worry about using cards online
but the reality is that the risk is borne almost
entirely by the merchant.  We lose on average
~$20,000 a year to online fraud and we are but
one small online vendor.  Imagine what companies
like Amazon are paying out in chargebacks.

> Given that the CVV2 is not (as yet) used
> for card-present transactions, has anyone
> considered obscuring or obliterating it on
> the physical card?

If you swipe the card enough times it will wear
off.  That's Visa & MC.  AmEx prints it on the
front of the card.

However, more and more online merchants
are beginning to insist on it so if you like to
shop online you might want to reconsider.
The reality is that giving it to the merchant
does you no harm as long as you check your
statements when they come in.

--

Regards,
Robert L Bass

=============================>
Bass Home Electronics
941-925-8650
4883 Fallcrest Circle
Sarasota · Florida · 34233
http://www.bassburglaralarms.com
=============================>

Follow-Ups:
- Re: RFID Flap Silences Security Researchers
  - From: Dan Lanciani
- Re: RFID Flap Silences Security Researchers
  - From: B Fuhrmann

References:
- RFID Flap Silences Security Researchers
  - From: Robert Green
- Re: RFID Flap Silences Security Researchers
  - From: Larry
- Re: RFID Flap Silences Security Researchers
  - From: Dan Lanciani

Prev by Message: Re: RFID Flap Silences Security Researchers
Next by Message: heat imprint cable marker
Previous by thread: Re: RFID Flap Silences Security Researchers
Next by thread: Re: RFID Flap Silences Security Researchers
Index(es):
- Message
- Thread

comp.home.automation Main Index | comp.home.automation Thread Index | comp.home.automation Home | Archives Home