This is an unfortunate revelation. A security services provider discovered that the CVN numbers on the back of credit cards (or front for AMEX) offer basically no protection.
From Heise:
The three digit security code (Credit Card Validation Number, CVN) on credit cards clearly offers insufficient protection from abuse, according to a report on German television channel ZDF’s WISO business magazine program yesterday (Monday). The security code is intended to ensure that the card can only be used by its owner. According to the report, however, possession of a credit card’s card number and expiry date is all a fraudster needs to be able to make purchases online. In tests, security services provider Syss found that at 80 percent of online shops it was in fact possible to simply try out every possible security number online, using, for example, an automated brute force attack.
That is certainly a less than stellar result.
Read on.
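The failure described in the report is that a shop accepts an unlimited number of wrong codes for the same card. As an added example (not from the original post, Heise or Syss), the code below counts wrong-CVN submissions per card number, independent of session or IP address, and replays the whole three-digit space against that counter. The class and function names, the limit of 3 failures per 24 hours and the sample card data are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque


class CvnFailureLimiter:
    """Caps wrong-CVN submissions per card, whatever session or IP they come from."""

    def __init__(self, key: bytes, max_failures: int = 3, window_s: int = 86400):
        self._key = key                      # secret for the keyed hash (assumed per shop)
        self._max = max_failures             # assumed policy value
        self._window = window_s              # assumed policy value
        self._failures = defaultdict(deque)  # card id -> timestamps of failures

    def _card_id(self, pan: str) -> str:
        # Keyed hash so the counter table never holds the raw card number.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def allowed(self, pan: str, now: float) -> bool:
        q = self._failures[self._card_id(pan)]
        while q and now - q[0] >= self._window:  # drop failures older than the window
            q.popleft()
        return len(q) < self._max

    def record_failure(self, pan: str, now: float) -> None:
        self._failures[self._card_id(pan)].append(now)


def replay_guesses(limiter, pan, real_cvn, guesses, start=0.0, step=1.0):
    """Feed guesses through the limiter; return (attempts_forwarded, accepted)."""
    forwarded = 0
    for i, guess in enumerate(guesses):
        now = start + i * step
        if not limiter.allowed(pan, now):
            continue                         # rejected locally, never reaches the processor
        forwarded += 1
        if hmac.compare_digest(guess, real_cvn):
            return forwarded, True
        limiter.record_failure(pan, now)
    return forwarded, False


# Constructed sample data: a well-known test card number and an arbitrary CVN.
TEST_PAN, TEST_CVN = "4111111111111111", "737"
ALL_CODES = [f"{n:03d}" for n in range(1000)]    # the whole three-digit space
```

With the assumed limit, only three of the 1000 guesses are ever forwarded; the threshold and window have to be weighed against locking out a cardholder who mistypes the code.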
If the German press just picked up on this revelation, they’ve had their head in the sand for quite a while. If the CVN offered any great security, the on-line fraud rate wouldn’t be at 1.4% of on-line revenue amounting to USD 3 Billion.
E-Commerce has been fighting this one for years. It’s not only the brute force attacks, it’s the fact that there are a lot of merchants out there that are storing it and getting hacked, it’s the card skimmer that only needs to jot down the number.
Tom Mahoney, Director
Over 3600 Merchants united to protect themselves
http://www.merchant911.org
http://www.preventchargebacks.com
http://preventchargebacks.blogspot.com