Ignore: the credit card security code or card verification field (online shopping)

ChrisGreaves
PlutoniumLounger
Posts: 15641
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Ignore: the credit card security code or card verification field (online shopping)

Post by ChrisGreaves »

For the record, the parcel was waiting for me on this morning's trip to the Post Office.
Cheers, Chris
He who plants a seed, plants life.

Post by ChrisGreaves »

ChrisGreaves wrote:
30 Nov 2023, 15:17
But then I thought:
(2) If I did decide to try not entering the code, that suggests that, excepting for experimental purposes, I possibly have misgivings about the online store.
This morning's news from the ABC news web site "Customers of The Iconic at risk of being defrauded due to lack of payment verification measures"
However the online retailer also confirmed that a transaction "may be made" as it does not require a customer to verify their CVC numbers (the three digits on the back of debit and credit cards) when placing an order if they have saved their payment details to their account

This was the case that prompted this thread; I was concerned that the online store did NOT demand my CVC number.
The red flag for me is that when I make an online sale that does NOT require a CVC, I know that the STORE is vulnerable to “stuffing”.

Every bit of friction in the way, every bit of red tape protects you, but also slows you down.
This we know; it is why we have that blinking blue light in the car, and the steering wheel lock. It lowers the probability that a car thief will steal your car and will, instead, move on to steal my car.

[The] best practice there is [having] a dynamic CVC that changes every day or every couple of hours, even if it's been stolen, they only have a short window where it can be used, and you don't have to wait until your card expires to get a new one.

I had not heard of this. The WestPAC bank site did not help me to understand how it works, but the Bitso site suggests to me that I need to be online to the store (to enter my purchase order) AND online to my own bank site to grab the 2-minute CVC.

VISA’s How Does It Work? Paragraph is confusing. “… can be validated by Visa ... , the Issuer, or the Issuer's processor." I think that the issuer is the store, for example, I might carry a “Canadian Tyre VISA” card.

I moved to Bonavista five years ago, and in that time ten businesses have closed (brick-and-mortar businesses, not "throwing clay mugs for the tourist season").

Online shopping, with its perceived risks, is forcing me to be distrustful of retail practices.
Cheers, Chris
He who plants a seed, plants life.

John Gray
PlatinumLounger
Posts: 5414
Joined: 24 Jan 2010, 08:33
Location: A cathedral city in England

Post by John Gray »

ChrisGreaves wrote:
11 Jan 2024, 12:26
[The] best practice there is [having] a dynamic CVC that changes every day or every couple of hours, even if it's been stolen, they only have a short window where it can be used, and you don't have to wait until your card expires to get a new one.
In the UK a number of years ago there was a credit card which generated a new virtual credit card number for each transaction. I've not heard anything about this recently.

However a quick search shows that some are available. See this Forbes article, for example. It also seems that Apple Pay uses this mechanism.
Since you know what you want, I'll kindly leave you to investigate!
John Gray

"(or one of the team)" - how your hospital appointment letter indicates that you won't be seeing the Consultant...

Post by ChrisGreaves »

John Gray wrote:
11 Jan 2024, 16:52
However a quick search shows that some are available. See this Forbes article, for example.
Thank you John. I shall pursue my inquiries.
At first glance I can use my 16-digit credit-card (and perhaps debit-card) number "7055475168968945" to generate a one-time number "3971637930022917" that my credit-card issuer will recognize for a one-time purchase.
Of course in generating those TWO strings of random digits for purposes of this post, I may have inadvertently created two valid credit-card numbers, so I assume that there is a time-sensitive password issued at the same time as the transient number is generated.

In the end I could generate a credit-card number and a CCV number at random and just luck-out on a valid combination, a brute-force by-chance way to avoid paying $6.78 for a bicycle pump ...
Cheers, Chris
He who plants a seed, plants life.

BobH
UraniumLounger
Posts: 9298
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Post by BobH »

MasterCard, Visa, and American Express numbers have a check-digit at the end based on the Luhn formula. All who accept cards in payment probably validate using that formula before proceeding. Consider that if you are generating numbers - presumably legally - for their use. I'm not giving away trade secrets, just sharing knowledge gained in a past life.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

Post by ChrisGreaves »

BobH wrote:
11 Jan 2024, 20:16
MasterCard, Visa, and American Express numbers have a check-digit...
Quite so. Without considering check-digits, I was theorizing that one could, just by chance, create a valid nineteen digit sequence that worked (16+3 digits).
... just sharing knowledge gained in a past life.
Bob! You have indeed a checkered past :grin:
Cheers, Chris
He who plants a seed, plants life.
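
An added example, not part of any post in this thread: the Luhn check BobH mentions, run over the two 16-digit strings Chris typed above. It shows what the check digit is for: it catches every single-digit typo, but exactly one final digit in ten passes for any 15-digit payload, so a pass says nothing about whether the account exists, and the CVC and the issuer's authorisation still do the real checking. The comparison value 4111111111111111 is a widely published test number and the function names are this example's own.

```python
def luhn_sum(number: str) -> int:
    """Luhn sum: from the right, double every second digit; subtract 9 if > 9."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:          # 2nd, 4th, ... digit counted from the right
            d *= 2
            if d > 9:
                d -= 9            # same as adding the two digits of the product
        total += d
    return total

def luhn_valid(number: str) -> bool:
    """True if the string is all ASCII digits and its Luhn sum is 0 mod 10."""
    return number.isascii() and number.isdigit() and luhn_sum(number) % 10 == 0

def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit pass (payload excludes it)."""
    return (10 - luhn_sum(payload + "0") % 10) % 10

def passing_last_digits(payload: str) -> list:
    """All final digits 0-9 that make the full number pass: always exactly one."""
    return [d for d in range(10) if luhn_valid(payload + str(d))]

def undetected_single_digit_errors(number: str) -> int:
    """Count one-digit substitutions of a valid number that still pass."""
    hits = 0
    for i, ch in enumerate(number):
        for r in "0123456789":
            if r != ch and luhn_valid(number[:i] + r + number[i + 1:]):
                hits += 1
    return hits

# The two strings quoted in the thread, plus a published test number.
POSTED = ["7055475168968945", "3971637930022917"]
TEST_NUMBER = "4111111111111111"

if __name__ == "__main__":
    for n in POSTED + [TEST_NUMBER]:
        print(n, "passes" if luhn_valid(n) else
              "fails; check digit would be %d" % luhn_check_digit(n[:-1]))
    print("final digits that pass for the first payload:",
          passing_last_digits(POSTED[0][:-1]))
    print("single-digit typos of the test number that still pass:",
          undetected_single_digit_errors(TEST_NUMBER))
```

Neither posted string passes, so a store that runs the check would reject both before they ever reached a bank.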

Post by BobH »

Chris, at one time the industry did consider a 19-digit account number scheme with a 2 number check-digit based on using 97 - the greatest odd number - in the algorithm.

Alas, my checkered past has filled me with a lot of information, very little knowledge and even less wisdom. :hairout: :innocent:
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

Post by ChrisGreaves »

BobH wrote:
11 Jan 2024, 20:34
Chris, at one time the industry did consider a 19-digit account number scheme with a 2 number check-digit based on using 97 - the greatest odd number - in the algorithm.
[nostalge]The first coding I read that was NOT my own, was a pseudo-random number generator on a DEC PDP-6.
It had a name that will come to me once I power-off tonight, but it was based on the largest prime number available in a 36-bit word.
(Well, it was a PDP-6 !)
[/nostalge]
He who plants a seed, plants life.

Post by BobH »

I should have qualified my statement: 97 was the largest 2-digit prime and when used in the proposed algorithm would have produced a 2-digit result hence the increased length and 2 place check digit(s). Maybe the correct term is 'correct sum'; however, the algorithm relied on other operations than sums.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

Post by John Gray »

We used to use the "97" check digit method in account numbers in Cobol programs on various IBM mainframes a good 40 years ago!
Nostalgia isn't what it used to be...
And the old Cobol joke:
DIVIDE 8 INTO CAKE GIVING SLICES
John Gray

"(or one of the team)" - how your hospital appointment letter indicates that you won't be seeing the Consultant...

Post by BobH »

Yes, John. I'm talking about 40-50 years ago. In a bank we had 4 or 5 different check digit routines depending on the type of account a number was used for.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

Post by ChrisGreaves »

Another news item, from the ABC: "Here's how to protect your bank account when shopping online"

" ... what's happened to some customer accounts is known as "credential stuffing". Hackers know that people tend to use the same email address and password combination as our logins for multiple accounts online, so when one of those websites experiences a data breach, they can get that information and use it to access other accounts."

and

""It's The Iconic and their payment provider that has set the system up like that, but we cannot forget the banks, because the banks are prepared to accept this very low level of authentication," he says. "I would rather be with a bank that, when a merchant came to the bank and said, 'Richard said we can have a lot of his money', the bank says, 'Can you tell me a little bit more about that?' rather than going 'rightio, here it is'."

Cheers, Chris
He who plants a seed, plants life.