There is a reason part of most scanners that verify the PCI standard look for autocomplete=off on credit card number and cvv2 fields. This is specifically it.
-j

On Sat, Jun 9, 2012 at 12:30 PM, Barry Shein <b...@world.std.com> wrote:
>
> On June 9, 2012 at 12:12 w...@typo.org (Wayne E Bouchard) wrote:
> >
> > The main weakness of CVV2 these days is "form history" in browsers.
> > (auto complete). Now, if someone can get onto your PC, they not only
> > get the credit card number (which there are myriad different ways to
> > get) but the CVV as well so that mechanism is, now, all but useless.
>
> Oh c'mon, all but useless? Look at all the ifs/ands/buts. They need
> access to your form history which actually is useless if the
> merchant's form just uses a password-type field, etc.
>
> Yeah, a lot of these techniques are useless if your computer etc is
> completely pwned. But they help if you're not.
>
> Credit card fraud prevention is all about percentages, not absolutes.
>
> Even just requiring a valid credit card number and expiration date and
> nothing else probably prevents, I dunno, 98%+ of all potential fraud,
> probably 99%+.
>
> The rest is about squeezing down that last percentage point or two and
> generally discouraging crooks from trying.
>
> One of the PITA frauds credit card companies deal with is someone in
> the household, like your teenage kid, taking your card physically out
> of your wallet and using it w/o your permission and then you call in
> when you see the bill that you never ordered $100 from iTunes or
> bought any cool sneakers at the mall.
>
> That's probably more common than a lot of the other frauds you imagine.
>
> A lot of these techniques at least prove that *someone* had your card
> physically if they suspect this was not fraud but, rather,
> "unauthorized use".
>
> People will also try to deny charges they simply regret, like a night
> at a bar with strippers particularly that one in the blue hot pants,
> who the h*** KNEW she got $300 for a lap dance and $50/glass for the
> Kristal, doesn't seem fair not fair at all...it's some backpressure.
>
> --
> -Barry Shein
>
> The World | b...@theworld.com | http://www.TheWorld.com
> Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
> Software Tool & Die | Public Access Internet | SINCE 1989 *oo*