For the record, the parcel was waiting for me on this morning's trip to the Post Office.
Cheers, Chris
Ignore: the credit card security code or card verification field (online shopping)
-
- PlutoniumLounger
- Posts: 16273
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Ignore: the credit card security code or card verification field (online shopping)
If it isn't one thing it's another, and very often both. E.F.Benson
-
- PlutoniumLounger
- Posts: 16273
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Ignore: the credit card security code or card verification field (online shopping)
ChrisGreaves wrote: ↑30 Nov 2023, 15:17
"But then I thought:
(2) If I did decide to try not entering the code, that suggests that, excepting for experimental purposes, I possibly have misgivings about the online store."
This morning's news from the ABC news web site "Customers of The Iconic at risk of being defrauded due to lack of payment verification measures"
However the online retailer also confirmed that a transaction "may be made" as it does not require a customer to verify their CVC numbers (the three digits on the back of debit and credit cards) when placing an order if they have saved their payment details to their account
This was the case that prompted this thread; I was concerned that the online store did NOT demand my CVC number.
The red flag for me is that when I make an online sale that does NOT require a CVC, I know that the STORE is vulnerable to “stuffing”.
Every bit of friction in the way, every bit of red tape protects you, but also slows you down.
This we know; it is why we have that blinking blue light in the car, and the steering wheel lock. It lowers the probability that a car thief will steal your car and will, instead, move on to steal my car.
[The] best practice there is [having] a dynamic CVC that changes every day or every couple of hours, even if it's been stolen, they only have a short window where it can be used, and you don't have to wait until your card expires to get a new one.
I had not heard of this. The WestPAC bank site did not help me to understand how it works, but the Bitso site suggests to me that I need to be online to the store (to enter my purchase order) AND online to my own bank site to grab the 2-minute CVC.
VISA’s How Does It Work? Paragraph is confusing. “… can be validated by Visa ... , the Issuer, or the Issuer's processor." I think that the issuer is the store, for example, I might carry a “Canadian Tyre VISA” card.
I moved to Bonavista five years ago, and in that time ten businesses have closed (brick-and-mortar businesses, not "throwing clay mugs for the tourist season").
Online shopping, with its perceived risks, is forcing me to be distrustful of retail practices.
Cheers, Chris
If it isn't one thing it's another, and very often both. E.F.Benson
-
- PlatinumLounger
- Posts: 5508
- Joined: 24 Jan 2010, 08:33
- Location: A cathedral city in England
Re: Ignore: the credit card security code or card verification field (online shopping)
ChrisGreaves wrote: ↑11 Jan 2024, 12:26
"[The] best practice there is [having] a dynamic CVC that changes every day or every couple of hours, even if it's been stolen, they only have a short window where it can be used, and you don't have to wait until your card expires to get a new one."
In the UK a number of years ago there was a credit card which generated a new virtual credit card number for each transaction. I've not heard anything about this recently.
However a quick search shows that some are available. See this Forbes article, for example. It also seems that Apple Pay uses this mechanism.
Since you know what you want, I'll kindly leave you to investigate!
John Gray
"Tigers are the ones who look like an orange barcode with teeth." - Philomena Cunk
-
- PlutoniumLounger
- Posts: 16273
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Ignore: the credit card security code or card verification field (online shopping)
John Gray wrote: ↑11 Jan 2024, 16:52
"However a quick search shows that some are available. See this Forbes article, for example."
Thank you John. I shall pursue my inquiries.
At first glance I can use my 16-digit credit-card (and perhaps debit-card) number "7055475168968945" to generate a one-time number "3971637930022917" that my credit-card issuer will recognize for a one-time purchase.
Of course in generating those TWO strings of random digits for purposes of this post, I may have inadvertently created two valid credit-card numbers, so I assume that there is a time-sensitive password issued at the same time as the transient number is generated.
In the end I could generate a credit-card number and a CCV number at random and just luck-out on a valid combination, a brute-force by-chance way to avoid paying $6.78 for a bicycle pump ...
Cheers, Chris
If it isn't one thing it's another, and very often both. E.F.Benson
-
- UraniumLounger
- Posts: 9567
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Ignore: the credit card security code or card verification field (online shopping)
MasterCard, Visa, and American Express numbers have a check-digit at the end based on the Luhn formula. All who accept cards in payment probably validate using that formula before proceeding. Consider that if you are generating numbers - presumably legally - for their use. I'm not giving away trade secrets, just sharing knowledge gained in a past life.
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- PlutoniumLounger
- Posts: 16273
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Ignore: the credit card security code or card verification field (online shopping)
Quite so. Without considering check-digits, I was theorizing that one could, just by chance, create a valid nineteen digit sequence that worked (16+3 digits).
Bob! You have indeed a checkered past... just sharing knowledge gained in a past life.
Cheers, Chris
If it isn't one thing it's another, and very often both. E.F.Benson
-
- UraniumLounger
- Posts: 9567
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Ignore: the credit card security code or card verification field (online shopping)
Chris, at one time the industry did consider a 19-digit account number scheme with a 2 number check-digit based on using 97 - the greatest odd number - in the algorithm.
Alas, my checkered past has filled me with a lot of information, very little knowledge and even less wisdom.
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- PlutoniumLounger
- Posts: 16273
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Ignore: the credit card security code or card verification field (online shopping)
[nostalge]The first coding I read that was NOT my own, was a pseudo-random number generator on a DEC PDP-6.
It had a name that will come to me once I power-off tonight, but it was based on the largest prime number available in a 36-bit word.
(Well, it was a PDP-6 !)
[/nostalge]
If it isn't one thing it's another, and very often both. E.F.Benson
-
- UraniumLounger
- Posts: 9567
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Ignore: the credit card security code or card verification field (online shopping)
I should have qualified my statement: 97 was the largest 2-digit prime and when used in the proposed algorithm would have produced a 2-digit result hence the increased length and 2 place check digit(s). Maybe the correct term is 'correct sum'; however, the algorithm relied on other operations than sums.
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
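Added example (not code from any poster in this thread): the Luhn check mentioned above, run against the two 16-digit strings quoted earlier in the thread, beside a two-digit mod-97 check. The mod-97 variant is ISO 7064 MOD 97-10 (the one used in IBANs), chosen here as an assumption because the thread does not specify the scheme the industry considered; `PAYLOAD` is a constructed value.

```python
def luhn_sum(number: str) -> int:
    """Luhn sum: from the right, double every second digit and add its digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def is_digits(s: str) -> bool:
    return s.isascii() and s.isdigit()

def luhn_valid(number: str) -> bool:
    return is_digits(number) and luhn_sum(number) % 10 == 0

def luhn_check_digit(payload: str) -> str:
    """Single check digit that makes payload + digit pass luhn_valid()."""
    return str((10 - luhn_sum(payload + "0") % 10) % 10)

def mod97_check_digits(payload: str) -> str:
    """Two check digits per ISO 7064 MOD 97-10 (assumed variant, see lead-in)."""
    return f"{98 - (int(payload) * 100) % 97:02d}"

def mod97_valid(number: str) -> bool:
    return is_digits(number) and int(number) % 97 == 1

def swap_adjacent(number: str, i: int) -> str:
    """Simulate a keying error: transpose the digits at positions i and i+1."""
    return number[:i] + number[i + 1] + number[i] + number[i + 2:]

# The two strings typed at random earlier in the thread.
THREAD_STRINGS = ["7055475168968945", "3971637930022917"]

# Constructed 15-digit payload containing the pair "09" at index 4.
PAYLOAD = "500009012345678"
LUHN_NUMBER = PAYLOAD + luhn_check_digit(PAYLOAD)
MOD97_NUMBER = PAYLOAD + mod97_check_digits(PAYLOAD)

def luhn_pass_count(payload: str) -> int:
    """How many of the ten possible final digits pass Luhn for this payload."""
    return sum(luhn_valid(payload + str(d)) for d in range(10))

if __name__ == "__main__":
    for s in THREAD_STRINGS:
        print(s, "Luhn valid:", luhn_valid(s))
    i = PAYLOAD.index("09")
    print("Luhn accepts 09->90 swap: ", luhn_valid(swap_adjacent(LUHN_NUMBER, i)))
    print("mod-97 accepts 09->90 swap:", mod97_valid(swap_adjacent(MOD97_NUMBER, i)))
    print("final digits passing Luhn:", luhn_pass_count(PAYLOAD), "of 10")
```

Luhn passes exactly one final digit in ten, so it filters keying errors at the merchant's form and is not an authentication control; that job stays with the CVC and the issuer's authorization.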
-
- PlatinumLounger
- Posts: 5508
- Joined: 24 Jan 2010, 08:33
- Location: A cathedral city in England
Re: Ignore: the credit card security code or card verification field (online shopping)
We used to use the "97" check digit method in account numbers in Cobol programs on various IBM mainframes a good 40 years ago!
Nostalgia isn't what it used to be...
And the old Cobol joke:
DIVIDE 8 INTO CAKE GIVING SLICES
John Gray
"Tigers are the ones who look like an orange barcode with teeth." - Philomena Cunk
-
- UraniumLounger
- Posts: 9567
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Ignore: the credit card security code or card verification field (online shopping)
Yes, John. I'm talking about 40-50 years ago. In a bank we had 4 or 5 different check digit routines depending on the type of account a number was used for.
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- PlutoniumLounger
- Posts: 16273
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Ignore: the credit card security code or card verification field (online shopping)
Another news item, from the ABC: "Here's how to protect your bank account when shopping online"
" ... what's happened to some customer accounts is known as "credential stuffing". Hackers know that people tend to use the same email address and password combination as our logins for multiple accounts online, so when one of those websites experiences a data breach, they can get that information and use it to access other accounts."
and
"It's The Iconic and their payment provider that has set the system up like that, but we cannot forget the banks, because the banks are prepared to accept this very low level of authentication," he says. "I would rather be with a bank that, when a merchant came to the bank and said, 'Richard said we can have a lot of his money', the bank says, 'Can you tell me a little bit more about that?' rather than going 'rightio, here it is'."
Cheers, Chris
If it isn't one thing it's another, and very often both. E.F.Benson