34 comments

[ 3.2 ms ] story [ 34.9 ms ] thread
Obviously this is idiotic - however, is the information usable without the CVC number ('security' number on the back of the card)? I'm sure it's still useful information to have but probably not immediately useable.
In my case it's not, and you also need my billing address to use my card, which isn't printed on it. Still, if you manage to collect 5000 credit card numbers, the CVV is 3 digits, which gives you 1000 possibilities and 1 - 0.999 * * 5000 = 0.99, so statistically you should hit one in 5000 cards if you guess CVV randomly.
Well, as you point out, the probability of not hitting a valid CVV this way is non-zero, or 0.672% - if using R:

    choose(5000,0)*0.999^(5000-0)*0.001^0
But that means, by brute forcing, while you should crack at least one card, there is still a non-zero chance that this will be your unlucky day... (Cracking all cards with this methods, is - essentially - a zero-chance game, but even for that an infinitesimally small chance is left, that my computer cannot reproduce.)
Nothing is certain when combining uncertain independent events. Didnt need a calculator for basic measure theory..
There are some payment solutions where you don't even need to fill in the CVC. (I've ordered on Amazon a few years ago without needing to fill it in) Besides that, there were a couple people last year(s) who showed that you can obtain the CVC in an instant by submitting CVC's from 0 to 999, with the same credit card info, to many websites. (This was tested for Visa I believe)

Edit: See http://www.independent.co.uk/news/uk/crime/criminals-guess-v... / https://news.ycombinator.com/item?id=13099949

Amazon aren't allowed to store the CVV so transactions via their one click ordering has to be CVV less. The store gets lower fees on CVV transactions, but it has never been required.
Absolutely yes, a great many payment platforms will accept the details sans security code, as a card-not-present transaction.
As far as I understand, the CVC is only used for initial verification, and is not included in the data to the credit card processer.
(comment deleted)
The CVC number is just one security measure in a credit card. One of the legitimacy signals, so to speak, and its absence is not an immediate fraud flag.

While a bad security practise, a transaction can still go through if the other verification signals like expiry, name, billing address, etc (most of which are accessible through social media, btw) provide sufficient confidence in the legitimacy of the transaction.

I wonder if having the name and perhaps CVC on the front, and the card number on the back (and not in the way that they're currently produced, which leaves a mirror-image depression of the digits on the other side), would at least somewhat solve this problem of people wanting to show off their cards yet keep the critical information hidden.
The major clear web credit card scam site in the Philippines trades lists of websites which don't verify CVCs.
American Express prints a four digit CVC on the front of the card, not a 100% sure about the reasoning there.
Last I checked, Amazon don't require the CVC nor an exact billing address match. You could probably order downloadable goods (e.g. PSN/XBL cards) to resell unless Amazon/the CC company's fraud checks flag the order.
Is it actually possible to check the billing address? Because most places won't even accept my name as it is written on my card. So usually I just put something fake since they won't let me put the real information anyways. I have probably bought for several thousand usd as "Your Mamma" without ever being rejected.

Edit: Also as far as I know there's no specific address attached to my card or account except for the purpose of contacting me via snail mail.

Address validation just allows the retailer to check that the house number in the first line of the address and the numbers in the postcode match those of the card billing address.
Yes, it's immediately usable. CVC verifies you, not the transaction - websites ask for it not because they need it, but to see if you get it right.

So, lacking the CVC may cause some cautious companies to refuse to take the card, but that's just their decision. You can still use it with less-cautious companies, or your own merchant account.

(comment deleted)
I'm amazed by the fact this had actually gone through several levels of approval, and yet nobody noticed anything wrong with a request to snap a photo of your CC and post it online.
(comment deleted)
People do this on Twitter all the time. See https://twitter.com/needadebitcard for a collection.

Getting a credit /debit card has always been a rite of passage for young people. Before online social networks, showing off your card to your friends was a low-risk activity. Now broadcasting the same information to all your peers places you in danger.

Given that 10 tweets ago for that account is already in 2015, it (fortunately) doesn't seem like this is all that common.

As of this post, the latest guy who tweeted his card (Mar 9) has a... rather ironic username.

I'm a native speaker, and no, the text shown on that picture does not ask you to take a photo of the credit card. The text reads: "If you own a Mastercard or Maestro, take a photo of the stuff you have in your purse".

The problem here seems to be that people don't read what's written, but instead do what they think was written (Edit: apparently because it was shown in the example picture).

I also read the official rules linked there. The rules state that only the winners need to prove they own the card by contacting MasterCard directly with a slip from any transaction made with that card. So, even if you win, you don't have to show the card, only to prove you have used it.

The photo mastercard Serbia posted has a credit card in it...
Looks like that's what made all the confusion. They gave a bad example and people probably didn't read the text carefully and just followed the picture. You're right, that is misleading.
Problem is that people don't take the 30 seconds to read something. We are living in the age of "image"; this is why Instagram, Snapchat, 9gag, etc. are thriving, people want to get their "fix" by seeing at one-more-image..

Mastercard on the other hand should have thought about this and avoid putting the card on their photo, as "normal people" will tend to mimic without spending those 30 seconds thinking about "I ain't giving you my real name/surname/card details"!

But hey.. it worked :)

Now let's sit back and soon we'll learn how many hits would their cards have, from websites that don't require the card verification value (CVV) :)

websites that don't require the card verification value (CVV)

Are these still out there?

Yes, PCI-DSS rules state one is not allowed to store the CVV, therefore for subscription services or for things like one click ordering or app stores the CVV is not used for the transaction, though they may verify it on initial card entry a lot of companies don't as it doesn't actually help. Taking the CVV gives a lower fee to mastercard/visa if that particular transaction is reversed, this is how stores are incentivised to take it but it will only apply to initial transaction where card details are saved.
> Problem is that people don't take the 30 seconds to read something.

No, the problem is that Mastercard created a situation where you would show your credit card (since it's in your purse), and created an example which included a credit card, despite knowing full well about credit card fraud. They fucked up the contest, and your attempt at passing the buck on to random internet denizens, who aren't as familiar with the details of credit card fraud as Mastercard is, is misguided. Mastercard fucked up here, not the people who entered their contest.

They may not have explicitly asked, but A) the example picture shows a MasterCard, and B) your credit card is quite possibly included in "the stuff you have in your purse". At the very least, they shouldn't have used that example image, and probably should have explicitly said NOT to post your credit card.
> your credit card is quite possibly included in "the stuff you have in your purse"

I don't know about you, but all people I know hold their CC in their wallets. So, if you just empty your purse on a table, it wouldn't show the CC immediately.

> At the very least, they shouldn't have used that example image, and probably should have explicitly said NOT to post your credit card.

Agreed.