Ignore: the credit card security code or card verification field (online shopping)

[ChrisGreaves]

Untitled.png

I have not met this before.
I entered my security code (from the back of the card) and placed the order for a book ($cdn25).
I trust the store.

But then I thought:
(1) If I decided NOT to enter the code, I might then have to re-enter the order just to provide a security code. That might cost me a day or two (wait for the order not to go through, mull over it, re-enter the order)
(2) If I did decide to try not entering the code, that suggests that, excepting for experimental purposes, I possibly has misgivings about the online store.
(3) An online store that ignores the security code is possibly ignoring other aspects of security with my data.

Has anyone else met this type of message? And if so, what were your reactions?
Thanks, Chris

[HansV]

I have never seen that suggestion, and I'd be wary to use a vendor if I saw it.

[ChrisGreaves]

I have never seen that suggestion, and I'd be wary to use a vendor if I saw it.

I agree. I did stop to think a bit. The store was recommended by a prominent Canadian National Institution that I met when I arrived in Canada 1982, so in one sense we go back 40 years. I asked the Canadian National Institution to recommend a store, they did; then I asked the store to recommend a book, which they did, so I at least have an email address.

I think that if I decide to order another $25 book from that store, I'll see what happens if I "forget" to key in the CSN.
Cheers, Chris

[stuck]

Wot Hans said!

I can't imagine a genuine business suggesting such a thing.

Ken

[John Gray]

I cannot imagine why any store would agree to a person not supply the 'security code' / CSV / CVV / CVC! If the card ends up being fake, then Mastercard / Visa / Amex would certainly not pay the store...

Logically, if your contention was correct, there would be no reason for the card issuer to bother printing the CSV on the card!

[ChrisGreaves]

Logically, if your contention was correct, there would be no reason for the card issuer to bother printing the CSV on the card!

Hi John, and thanks for the comment.

Significantly the test reads " ... most transactions will go through ..." as if, by and large, credit card companies were not too fussy about CSNs.

I know that 25 years ago at least one credit card company was slack. On one of my ten-day drive around the USA trips. Bought gas at a convenience store gas pump. Three weeks later found two cash withdrawals (1998 $US 50) on the card, phoned the credit card company. They asked me about the third $50. My printed statement didn't go that far. They had no problem in reversing all three $50 cash withdrawals. But when I asked what would happen to the store, they said "Oh, we'll just reverse it out of their account".

It struck me as odd that the store owner would never know that one of his cashiers was quietly stealing cash from his out-of-town customers!

Cheers, Chris

[RonH]

Like others say, I also have never seen this message about CVC. I guess you know that the web page was the genuine site.

[ChrisGreaves]

Like others say, I also have never seen this message about CVC. I guess you know that the web page was the genuine site.

Hi Ron.
No, I don't know that the web page was genuine. I know the business that referred me and have great faith in them.

Worst case (that I can dredge up) is that I have fallen for one of those phishing website scams, and my Credit Card is now in danger. I have a second CC I can use if I decide to cancel the first.

Being on a small pension I keep a frequent track of my balances, so if something untoward happens I expect to be able to deny it quickly, either this month or any month.
Cheers Chris.

[ChrisGreaves]

Untitled.png

I thought to add to the thread with a personal admission of failure and a warning.
First off, in this morning's email is an issue "Your order has been shipped". Whoop-de-doo! Could take up to 15 days. Well, yes, the stage-coach is so slow nowadays.

A tracking identifier is applied AND a link directly to the tracking site with the tracking number embedded in the URL. So of course I clicked n the link (then a quick Ctrl+L, Ctrl+C will let me paste the link into my diary.doc) and as I clicked I found myself thinking "You Idiot!" This is my admission of failure. I have done what most articles about scam/malware tell us NOT to do - blindly click on a link.
I would have been better served to Search for "United States of America Postal Service Tracking" and pasted (Ctrl+C, Ctrl+V) that tracking number in a box, or better still, typed the tracking number through the keyboard "gvkkk70554751" ...
How easy it is to fall victim to a bad link in our eagerness to find out - what? At 8:15 a.m. today (hah hah!) my book still won't have been emptied from the mailbag here in Bonavista.

As for the warning: There doesn't seem to be much point; we all already know about the danger of clicking on bad links. Especially from an unknown source.

FWIW I have bookmarked my financial institutions so I need never click on a link to my bank except through my toolbar. Knowing that much, I still managed to click on a link, so what would yet-another-warning do for anyone?

Bottom Line: I am still confident that all is above board. That no-one here has seen or heard of this "don't worry about the CSV code" makes me think more and more that that particular web page was designed, devised, and delivered by an amateur with a sense of humour more evil than mine.

Cheers, Chris

[RonH]

[John Gray]

That no-one here has seen or heard of this "don't worry about the CSV code" makes me think more and more that that particular web page was designed, devised, and delivered by an amateur with a sense of humour more evil than mine.

An achievement indeed!

[ChrisGreaves]

An achievement indeed!

[BobH]

I spent (or was it mis-spent) 20+ years working in the credit card business. The CVV was devised to protect mail order and telephone order merchants and nowadays protects online sellers. Providing the code is a proof that the person buying either has possession of the card or has been quite successful at duping information from the magnetic stripe or chip. Before the CVV was implemented, merchants and the MC/Visa fraud systems were at greater risk of fraud. Card numbers could be obtained wholesale from the carbon inserts used on sales slips for many years.

Now, OMG reports that his purchase was a book. If my surmise that books are the primary product sold by the retailer is correct, then I suggest that the merchant has experienced very little - if, indeed, any - attempted fraud. Thieves generally seek bigger returns than the value of most books. So, my analysis tells me that the merchant has had more problems (ie, lost sales, customer calls, . . . ) with getting the CVV than they have losses due to not having it and decided to simply take the risk. The fraud systems of the international card issuers will not protect the merchant without the CVV on a 'card-not-present' transaction as they would with the CVV.

Of course, it has been more than 30 years since I left that industry. Things have, no doubt, changed; but I suspect that only the advent of online selling has affected this attempt at stopping fraud transaction. Online shoppers are, by and large, much more aware of and more likely to provide a CVV, I would think.

[ChrisGreaves]

Avuncular Bob. Sincere thanks to you for this insight into credit-card transactions.

I spent (or was it mis-spent) 20+ years working in the credit card business. The CVV was devised to protect mail order and telephone order merchants and nowadays protects online sellers. Providing the code is a proof that the person buying either has possession of the card or has been quite successful at duping information from the magnetic stripe or chip. Before the CVV was implemented, merchants and the MC/Visa fraud systems were at greater risk of fraud. Card numbers could be obtained wholesale from the carbon inserts used on sales slips for many years.

Your time was well-spent, as your post shows. I remember well the days of ‘phone and mail orders, when Real People worked in Real Shops.
My doubts about CVV started at that time; I thought then that once I had spoken my card number and CVV code over the phone, the merchant clerk had all the data that they needed to take advantage of me. This proved to be the case at that convenience store gas bar back in the late 1990s.
That situation has not changed today, although for online sales, if the data collection and storage takes place within pocked programs, your average 18-year-old clerk has less opportunity to make use if the data.
Today, Card numbers can be obtained wholesale from the jerks who hack into protected data sets, so nothing has changed there, excepting that your average 18-year-old clerk has insufficient cash to pay the hackers.

Now, OMG reports that his purchase was a book. If my surmise that books are the primary product sold by the retailer is correct, then I suggest that the merchant has experienced very little - if, indeed, any - attempted fraud. Thieves generally seek bigger returns than the value of most books. So, my analysis tells me that the merchant has had more problems (i.e., lost sales, customer calls, . . . ) with getting the CVV than they have losses due to not having it and decided to simply take the risk. The fraud systems of the international card issuers will not protect the merchant without the CVV on a 'card-not-present' transaction as they would with the CVV.

This too makes sense. Your surmise is on target, closer than you might have thought. The bookseller provides books in a niche market, to wit, for people who can’t read books! Who is going to buy a book that they can’t read?!!???
Chances are, as you suggest, that the cost of implementing the anti-fraud CSV technique outweighs the penalty of occasional fraud, although that still suggests that the CVV is truly optional (my point in this thread) and that merchants should include the CVV IF they want to reserve the right to challenge a sale.
If a merchant does NOT supply the CVV then that merchant has lost a right of challenge The sale will still go through but Buyer Beware now applies to the merchant.

Of course, it has been more than 30 years since I left that industry. Things have, no doubt, changed; but I suspect that only the advent of online selling has affected this attempt at stopping fraud transaction. Online shoppers are, by and large, much more aware of and more likely to provide a CVV, I would think.

Proving once again that long-time experience (OK, to be perfectly honest, Older Professionals) are still of real value for their stored experience.
Online shoppers are more likely to provide a CVV because most online web sites have forms/pages that will not operate unless a CVV IS entered into the little box. That is, the merchant, not the Credit Card Company, is the entity that insists on the CVV,
In our case, the niche seller has made the decision (taken the risk) to make the CVV optional, because they have no intention of challenging fraudulent behaviour, and the web page designer has raised the issue with the business owner (probably the same human entity) and opted out.

Hence our mission for the next twelve months: document any online sales page that does NOT insist on a CVV!
Cheers and thanks
Your loving nephew Chris.
P.S. I am gradually moving all the jade seedlings and the map frames out of the guest room, so you will as always be able to rest there during our two weeks of summer. C

[jonwallace]

I can remember discovering in the 70's, that to subscribe to the New Scientist, one only had to fill in your details including your credit card details into the boxes provided on a postcard and stick it in the post (no envelope or postage required).

Those were simpler times...

[StuartR]

[ChrisGreaves]

Those were simpler times...

Quite so Jon. I am following the debate in Australia over "cashless", and the impossibility of maintaining a cashless economy here in Bonavista⁽¹⁾ when the only bank closes in less than a year's time.
Increasing reliance on complex schemes seems to bring on increasingly complex disasters when those schemes fail.
To counter that reliance we institute multi-level security barriers, and so distance ourselves from the time when society based its transactions on coin-of-the-realm and just got the job done.

If my current online seller is absorbing the costs of fraud, then, in part, I am paying for that fraud.

⁽¹⁾ Paying contractors by banknote finds rich soil in a place where you need work at the crab plant only four months in order to collect eight months of unemployment insurance.

Cheers, Chris

[ChrisGreaves]

Card numbers easier to guess than consumers think, expert says
"It's what the banking industry calls a BIN attack, and involves fraudsters taking the first six digits of a card (called the Bank Identification Number or BIN) and using trial and error, or brute-force, methods to guess valid combinations of card numbers, expiration dates and card security codes."
Cheers, Chris

[RonH]

Daily it gets more difficult to 'electronically exist' ...
What with cc security and numerous incoming phone scams, perhaps it's time to revert to 'old fashioned lifestyles'. But then I read comments about making a charge when someone uses cash to pay

[ChrisGreaves]

Daily it gets more difficult to 'electronically exist' ...

Daily it gets more difficult to 'exist' ... for people who consider themselves to be individuals.
I see no harm in conforming to a standard that says I must be fully clothed before I leave my house. Especially on days like today. I could graze a lot of skin if I slipped on the ice in my driveway.

In terms of the device that we use to maintain a common society, which used to be metal coins, then augmented by banknotes, then augmented by personal notes ("chequebooks"), credit/debit cards, tap etc, our world seems to have reached an unstable state.

By and large Canada (and other parts of the world) have moved to an almost-cashless society. A critical point is near, where the seriously large players (banks) can dictate the abolition of tangible currency. Say goodbye to banknotes and two-dollar metal coins.

This, of course, will not satisfy those who live away from electricity, communes, hermits and, for what its worth, tourists who for strange reasons like to see and feel the cost of a cup of coffee.

And, of course, it panders to the criminal element (already) and renders us hungry when the power "goes out".

Engineered systems use redundancy. It seems as if the Social Engineers have not grasped this principle.

Cheers, Chris