Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-09 Thread Mark Tinka
On 9/Nov/18 20:26, Bill Woodcock wrote: > That was true a few years ago, but it’s been at least a year since I’ve seen > a swipe anywhere. The change happened quite quickly. It’s all been chip, or > chip-and-pin, for at least a year. In the last 2 years, I've seen the rise of PIN-based tran

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-09 Thread Bill Woodcock
> On Nov 8, 2018, at 1:11 AM, Mark Tinka wrote: > It has always been curious to me how/why the U.S., with one of the > largest economies in the world, still do most card-based transactions as > a swipe in lieu of a PIN-based approach. That was true a few years ago, but it’s been at least a year

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-09 Thread Chris Adams
Once upon a time, Stephen Satchell said: > On 11/08/2018 07:50 PM, Chris Adams wrote: > > Signatures are no longer required for chip card transactions in the US, > > except I think for transactions where the auth is done on the amount > > before an added tip (restaurants). > > Signatures are requ

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-09 Thread Stephen Satchell
On 11/08/2018 07:50 PM, Chris Adams wrote: > Signatures are no longer required for chip card transactions in the US, > except I think for transactions where the auth is done on the amount > before an added tip (restaurants). Signatures are required for chip card transactions above a certain dollar

Re: CVV

2018-11-09 Thread Alain Hebert
Well, Older Pump station installation (and maybe new ones) use RS-232/442 to communicate in clear text with their controller into the building. Easy to tap to skim Track 1/Track2 of the CHD which is good to dups cards. Now to get the physical CVV you need a physical skimme

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Mark Tinka
On 9/Nov/18 02:22, Todd Underwood wrote: > > i generally find it amusing when people from other countries mock the > US for not having PINs.  this is just another way of saying "my > country has high fraud rates and yours appears not to."  :-) . you can > see this in the comment below "If we wer

Re: CVV

2018-11-08 Thread Simon Leinen
Todd Underwood writes: > [interesting and plausible reasoning about why no chip&PIN in US] > anyway, let's talk about networks, no? This topic is obviously "a little" off-topic, but I find some contributions (like yours) relevant for understanding adoption dynamics (or not) of proposed security me

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Chris Adams
Once upon a time, Scott Christopher said: > Swipe-and-sign (and now just swipe for small amounts) is for Visa, > Mastercard, Discover transactions (called credit) Signatures are no longer required for chip card transactions in the US, except I think for transactions where the auth is done on the

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Todd Underwood
> Speaking of "cost" as a motivator, in South Africa, most of the banks > are n

RE: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Frank Bulk

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Scott Christopher
Mark Tinka wrote: > I hope the U.S. does catch-up. If we were swipe-based here, we'd all be > broke :-). I know a number of major merchants in the U.S. now use PIN's, > and I always stick to those when I travel there. In the U.S., pin codes are required for EFTPOS transactions (called debit) ove

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Mark Tinka
On 8/Nov/18 11:16, George Michaelson wrote: > There are two parts of the problem. The first is the assumption of > risk: the current model of operation in the US (like in other western > economies) puts the onus of risk of misuse of the card on specific > actors. When you change the basis from

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread George Michaelson
There are two parts of the problem. The first is the assumption of risk: the current model of operation in the US (like in other western economies) puts the onus of risk of misuse of the card on specific actors. When you change the basis from signature (fraud) to chip+pin (leak of knowledge) you ha

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Mark Tinka
On 11/Oct/18 21:31, Chris Adams wrote: > Requiring an ID is also a violation of the merchant agreements, at least > for VISA and MasterCard (not sure about American Express), unless ID is > otherwise required by law (like for age-limited products). I've walked > out of stores that required an

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Chris Adams
Once upon a time, b...@theworld.com said: > But asking for photo id is a good thing for legitimate card holders, > could reduce fraudulent in-person use of stolen cards. Requiring an ID is also a violation of the merchant agreements, at least for VISA and MasterCard (not sure about American Expre

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread bzs
On October 11, 2018 at 13:41 s...@ottie.org (Scott Christopher) wrote: > Robert Kisteleki wrote: > > > (this is probably OT now...) > > > > > I'm pretty sure the "entire point" of inventing CVV was to prove you > > > physically have the card. > > > > Except that it doesn't serve that

Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Scott Christopher
Robert Kisteleki wrote: > (this is probably OT now...) > > > I'm pretty sure the "entire point" of inventing CVV was to prove you > > physically have the card. > > Except that it doesn't serve that purpose. Anyone who ever had your card > in their hands (e.g. waiters) can just write that down a

Re: CVV numbers

2012-06-10 Thread Gary Buhrmaster
On Sun, Jun 10, 2012 at 8:02 AM, Owen DeLong wrote: > The skimmers can use CVV1 and bypass the CVV2 protection in most > cases (though that requires them to gen up a fake or fraudulent card and > do card present transactions which does add risk for them). Not so much for them, but the sacrif

Re: CVV numbers

2012-06-10 Thread Barry Shein
Something else rarely considered in these discussions is that the cost of handling cash is upwards of 4%, particularly for larger operations like supermarkets. Someone has to be paid to count it, wrap it (or the bank will charge you to do that), often you have a security service pick it up to brin

Re: CVV numbers

2012-06-10 Thread Barry Shein
On June 9, 2012 at 16:25 mysi...@gmail.com (Jimmy Hess) wrote: > I bet there is at least one small retailer out there who takes phone > orders and gathers CVV2, and at least one POS software developer out > there who is unaware of, has ignored, or has... Yes, but there are also penalties, inc

Re: CVV numbers

2012-06-10 Thread Owen DeLong
On Jun 9, 2012, at 1:36 PM, Jay Ashworth wrote: > - Original Message - >> From: "Owen DeLong" > >> How does having the CVV number prove the card is in my possession? >> >> I have memorized the CVV in addition to the 16 digits of the cards I >> commonly use and routinely enter them into

Re: CVV numbers

2012-06-09 Thread Matthew Palmer
On Sat, Jun 09, 2012 at 02:34:03PM -0700, Scott Howard wrote: > On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard wrote: > > The main weakness of CVV2 these days is "form history" in browsers. > > (auto complete). > > Any website requesting a CVV2 in a form field without the form > history/autoco

Re: CVV numbers

2012-06-09 Thread Aled Morris
On 9 June 2012 22:42, Scott Howard wrote: > There is no way to "derive" the CVV2 number. It is little more than a > random number assigned to the card. > [...] > It is verified by comparing it to the known CVV2 number stored by the > credit card company/bank that issued the card. > > I don't thi

Re: CVV numbers

2012-06-09 Thread Scott Howard
On Sat, Jun 9, 2012 at 2:25 PM, Jimmy Hess wrote: > Someone must have something in a database that can easily derive the > CVV2 number; > There is no way to "derive" the CVV2 number. It is little more than a random number assigned to the card. > otherwise there would be no way for it to be v

Re: CVV numbers

2012-06-09 Thread Scott Howard
On Sat, Jun 9, 2012 at 12:12 PM, Wayne E Bouchard wrote: > The main weakness of CVV2 these days is "form history" in browsers. > (auto complete). Any website requesting a CVV2 in a form field without the form history/autocomplete being disabled is in breach of PCI compliance, and risks losing t

Re: CVV numbers

2012-06-09 Thread Scott Howard
On Sat, Jun 9, 2012 at 7:14 AM, Joel Maslak wrote: > That said, the purpose of CVV is to stop *one* type of fraud - it's to > stop a skimmer from being able to do mail-order/internet-order with your > card number. The CVV is not on the magnetic strip, so a skimmer installed > at the ATM or gas p

Re: CVV numbers

2012-06-09 Thread Jimmy Hess
On 6/9/12, Alexandre Carmel-Veilleux wrote: > On 2012-06-09, at 10:56, Owen DeLong wrote: >> How does having the CVV number prove the card is in my possession? > It doesn't, it merely proves you must have handled the card physically at > some point since storing that value in a database is forbid

Re: CVV numbers

2012-06-09 Thread Jay Ashworth
- Original Message - > From: "Owen DeLong" > How does having the CVV number prove the card is in my possession? > > I have memorized the CVV in addition to the 16 digits of the cards I > commonly use and routinely enter them into online ordering without > retrieving the card. > > What p

Re: CVV numbers

2012-06-09 Thread John Adams
There is a reason part of most scanners that verify the PCI standard look for autocomplete=off on credit card number and cvv2 fields. This is specifically it. -j On Sat, Jun 9, 2012 at 12:30 PM, Barry Shein wrote: > > On June 9, 2012 at 12:12 w...@typo.org (Wayne E Bouchard) wrote: > > > > T

Re: CVV numbers

2012-06-09 Thread Barry Shein
On June 9, 2012 at 12:12 w...@typo.org (Wayne E Bouchard) wrote: > > The main weakness of CVV2 these days is "form history" in browsers. > (auto complete). Now, if someone can get onto your PC, they not only > get the credit card number (which there are myriad different ways to > get) but the

Re: CVV numbers

2012-06-09 Thread Wayne E Bouchard
On Sat, Jun 09, 2012 at 02:18:15PM -0400, Alexandre Carmel-Veilleux wrote: > On 2012-06-09, at 10:56, Owen DeLong wrote: > > > > How does having the CVV number prove the card is in my possession? > > It doesn't, it merely proves you must have handled the card physically at > some point since st

Re: CVV numbers

2012-06-09 Thread Stephen Sprunk
On 09-Jun-12 09:14, Joel Maslak wrote: > On Jun 9, 2012, at 1:06 AM, Hal Murray wrote: >> Should I really take them seriously? > Your call. > > That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a > skimmer from being able to do mail-order/internet-order with your card >

Re: CVV numbers

2012-06-09 Thread Alexandre Carmel-Veilleux
On 2012-06-09, at 10:56, Owen DeLong wrote: > > How does having the CVV number prove the card is in my possession? It doesn't, it merely proves you must have handled the card physically at some point since storing that value in a database is forbidden. Verified by Visa and the MasterCard equiv

Re: CVV numbers

2012-06-09 Thread Owen DeLong
On Jun 9, 2012, at 7:14 AM, Lynda wrote: > On 6/9/2012 12:06 AM, Hal Murray wrote: >> >> In response to my comment about: >> >>> If I'm not supposed to not "tell anyone", why is it even printed where I can >>> read it? >> >> (Sorry for the extra not in there.) > > The CVV number is simply to

Re: CVV numbers

2012-06-09 Thread Lynda
On 6/9/2012 12:06 AM, Hal Murray wrote: In response to my comment about: If I'm not supposed to not "tell anyone", why is it even printed where I can read it? (Sorry for the extra not in there.) The CVV number is simply to prove that the card is in your possession. The percentage of the s

Re: CVV numbers

2012-06-09 Thread Joel Maslak
On Jun 9, 2012, at 1:06 AM, Hal Murray wrote: > Should I really take them seriously? Your call. That said, the purpose of CVV is to stop *one* type of fraud - it's to stop a skimmer from being able to do mail-order/internet-order with your card number. The CVV is not on the magnetic strip, s