We Need To Dump Our Love of Plastic

The CVV2 Number Provides a Fragile Base For Our Finance Infrastructure

And so we see with the BA hack how easy it can be for someone to grab your credit card details. In fact, every time you give away your CVV number, your card is at risk, and you don't actually know who may now hold your card details. The only thing that keeps this model working is that your credit card company will give you the money back if you have not been negligent. But what happens if you stupidly gave a cybercriminal your CVV number by mistake? Are you still covered?

An old world

Our credit cards are a legacy of our past. With the magnetic stripe, we had a hidden magnetic code on the stripe, and a criminal could only obtain it by skimming the card. They thus needed physical access to the card, but once they had the code, it could be used multiple times. And so we scaled our online payments world and decided that we would have a "card-not-present" method, where we didn't actually need to present the card for payment.

The advancement was the CVV2 number, which was printed on the card. Unfortunately, once someone discovered it, it was revealed for all time. This method is one of the greatest threats to our payments infrastructure: an intruder either tricks the user into revealing it, or harvests it from a vendor that has stored it for future use.

Every time you make a "card-not-present" payment you SHOULD ALWAYS be asked for your CVV2 number. If you aren't, it means that your vendor stores your CVV2 number, and a hack on their system could reveal your credit card details. Can you remember the last time that Amazon asked you for it? Well, companies like Amazon like to make the payment process convenient, so they must store it (possibly in an encrypted form). Whenever you are not asked for it, you should know that your vendor has your number in their database.

CVV1 and CVV2

When we make a payment, the system passes the card number, the expiry date, the billing address, and the CVV2 number. With a tap-and-pay method, other bits of information are passed. For a swipe transaction, there is a Card Validation Code (CVC), known as CVC1, which is a cryptographic integrity check. The CVC2 number (or CVV2) allows for a "card-not-present" system, where the CVV2 number is printed on the back of the card (the last three or four digits of the number on the back of the card). For good practice, the CVV2 number should NEVER be stored by a merchant, but for criminals it is the main attack vector for fraud.

The major problem with CVV1 and CVV2 is that they are static, and once discovered they can lead to the card being cloned. An improved method is CVV3 (dynamic CVV). The only way to overcome a hack is for the CVV2 number never to be stored anywhere. Some credit card vendors are looking at LCD screens on credit cards, which change the code over time, but these do not have widespread adoption.

CVC3

The move is towards the tokenisation of card details, and one of the most widely adopted standards is EMV (EuroPay, MasterCard and Visa), which integrates strong cryptography. With this, we have an advanced version of a card which is able to perform complex cryptography related to the payment. Within the magnetic stripe authorization, we now get an ever-changing CVV value for each transaction, computed using the encryption keys stored on the chip.
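To make the difference between a static CVV2 and a per-transaction dynamic CVC concrete, here is an added simulation (not code from the article or from any EMV specification). It assumes a secret card key shared between chip and issuer, a transaction counter (ATC) held on the chip, and an unpredictable number supplied by the terminal; HMAC-SHA256 stands in for the chip's real keyed function, so the binding is illustrative, not the EMV algorithm itself.

```python
import hmac
import hashlib


def derive_dynamic_cvc(card_key, pan, atc, unpredictable_number):
    """Three-digit dynamic CVC bound to the card key, the transaction counter
    and the terminal's unpredictable number. HMAC-SHA256 is an assumed stand-in
    for the chip's keyed function; the per-transaction binding is the point."""
    msg = f"{pan}|{atc:05d}|{unpredictable_number:08d}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class ChipCard:
    """Card side: the key never leaves the chip; only (ATC, CVC) reaches the terminal."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key
        self.atc = 0  # application transaction counter, incremented per payment

    def transact(self, unpredictable_number):
        self.atc += 1
        return self.atc, derive_dynamic_cvc(self._key, self.pan, self.atc, unpredictable_number)


class Issuer:
    """Issuer side: holds the same key, the static CVV2, and the last ATC accepted."""

    def __init__(self, pan, card_key, static_cvv2):
        self.pan = pan
        self._key = card_key
        self._cvv2 = static_cvv2
        self.last_atc = 0

    def verify_static(self, pan, cvv2):
        # The CVV2 check keeps no state: a captured copy is accepted again and again.
        return pan == self.pan and hmac.compare_digest(cvv2, self._cvv2)

    def verify_dynamic(self, pan, atc, unpredictable_number, cvc):
        if pan != self.pan or atc <= self.last_atc:
            return False  # stale counter: a replayed or cloned transaction
        expected = derive_dynamic_cvc(self._key, pan, atc, unpredictable_number)
        if not hmac.compare_digest(cvc, expected):
            return False  # wrong key or tampered transaction data
        self.last_atc = atc
        return True
```

The sample values used when running it (PAN, key, CVV2) are constructed; the issuer accepts a sniffed static CVV2 indefinitely, but rejects any replay of a dynamic (ATC, CVC) pair.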

The Risks

And so the basic risk of our financial infrastructure is that once the CVC2 number is discovered, it can be used to authorize a transaction. So, the only way to move forward is to implement EMV on mobile devices, and to use the CVC2 number for only one form of authentication. Our fingerprint or face can provide a much better identification of us than the card itself. We need to wean ourselves off plastic and start using EMV methods, and your mobile phone provides the best place to keep your credit cards.

Think about the risks …

  • Does your vendor ask you for the CVV2 number? If they don't, it means they are storing it, and it is open to a breach.
  • If you type your CVV2 number into a browser, how do you know that someone isn't watching you? It could also be stored in the browser's cache, or be echoed to a criminal.

My advice is to keep your plastic cards in your pocket as a back-up, but get your cards onto your mobile phone, apply fingerprint or face recognition to their access, and only pay with contactless methods. Underneath, there are complex cryptographic methods involved in the handshake. For your CVV2 number there is no such complexity: knowledge of the number alone is enough to reveal your details.

The EMV approach is just the start of the move towards a more trusted world, and we need to use methods which look more like those used in cryptocurrencies, where security, anonymity, and integrity are embedded into every part of the transaction. For just now, we need to switch off our love of plastic and the CVV2 number.