Security Review: CV2 codes

By zacf at 11:05 am on March 11, 2009

A CV2 code (also written CVV2 or CVC2) is a three-digit number (four digits on American Express cards) that is known to the issuing bank and printed on the credit card itself, but not encoded on the magnetic stripe, so that asking for it is meant to verify physical possession of the card. Online merchants usually require customers to enter the CV2 code along with the card number and expiry date when making a purchase.

Online merchants can ask the issuer whether an entered CV2 code matches a particular card, but the issuer answers only match or no-match; it will never hand the code to a merchant that doesn't already have it.

Assets: Money- Issuing banks want to avoid paying fraudulent merchants, because they typically cannot recover those funds from the cardholder: the rise in credit card fraud has led issuers to offer contracts in which the cardholder is not liable for unauthorized charges.

Merchandise- Merchants want to avoid shipping merchandise to customers committing fraud because they will most likely not be paid for it. Just as issuing banks have released their cardholders from liability for unauthorized charges, they have also used their negotiating power to obtain favorable terms from merchants, who in most cases must absorb fraudulent charges themselves when the transaction is charged back.

Threats: Fraudulent buyers- People who are trying to use a victim's credit card to buy things for their own use or for resale.

Credit card brokers- People who trade in stolen credit card numbers.

Weaknesses: Brevity- A CV2 code is only three digits, so there are just 1000 possible values. That makes it very easy to record or simply memorize any time a person sees the card, which reduces the guarantee from "has the card" to "has seen the card". It also exposes the code to a distributed brute-force attack: on average an attacker needs about 500 guesses to hit the right value, and a single merchant that refuses after a few failures is no obstacle if the guesses are spread across many merchant accounts. An issuing bank would surely notice hundreds of failed checks on one account arriving from one merchant, but if the attempts are spread out over time and come from different merchants, monitoring that counts failures per merchant will not see them; the issuer has to count failures per card, across all merchants.
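The detection gap in the last paragraph is easy to show in code. Below is an added example (not part of the original post) in Python: the same sliding-window failure counter keyed once per merchant and once per card, run over a constructed authorization log in which one card is probed once through each of 30 merchants. The log format, field names and every log line are assumptions made for the example.

```python
# Added example (not part of the original post): an issuer-side detector for
# the distributed CV2 brute-force attack described above.
#
# A three-digit CV2 has only 1000 possible values. An attacker who spreads
# guesses for one card across many merchant accounts keeps each merchant's
# failure count tiny, so a detector that counts failures per merchant misses
# the attack. Counting failures per card, across all merchants and over a
# sliding window, catches it. The log format, field names and every log
# line below are constructed for this example.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Attempt:
    ts: int            # seconds since epoch
    merchant: str      # merchant account that submitted the authorization
    card: str          # tokenized/hashed card reference; never log the raw PAN
    cv2_ok: bool       # issuer's match / no-match result


def parse_line(line: str) -> Attempt:
    """Parse a constructed 'ts=.. merchant=.. card=.. cv2=match|fail' line."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Attempt(int(kv["ts"]), kv["merchant"], kv["card"], kv["cv2"] == "match")


class FailureWindowDetector:
    """Flag a key (merchant or card) once it accumulates `threshold` failed
    CV2 checks inside a sliding window of `window_s` seconds."""

    def __init__(self, key_fn: Callable[[Attempt], str], window_s: int, threshold: int):
        self.key_fn = key_fn
        self.window_s = window_s
        self.threshold = threshold
        self._fails: dict[str, deque] = defaultdict(deque)

    def observe(self, a: Attempt) -> Optional[str]:
        """Feed one attempt; return the key if it is at/over threshold, else None."""
        if a.cv2_ok:
            return None
        key = self.key_fn(a)
        window = self._fails[key]
        window.append(a.ts)
        while window and a.ts - window[0] > self.window_s:   # drop stale failures
            window.popleft()
        return key if len(window) >= self.threshold else None


def flagged_keys(detector: FailureWindowDetector, lines: Iterable[str]) -> set[str]:
    hits = set()
    for line in lines:
        key = detector.observe(parse_line(line))
        if key is not None:
            hits.add(key)
    return hits


def per_merchant_alerts(lines, window_s=3600, threshold=5) -> set[str]:
    """What a merchant-centric fraud rule sees."""
    return flagged_keys(FailureWindowDetector(lambda a: a.merchant, window_s, threshold), lines)


def per_card_alerts(lines, window_s=3600, threshold=5) -> set[str]:
    """What the issuer sees if it aggregates failures per card."""
    return flagged_keys(FailureWindowDetector(lambda a: a.card, window_s, threshold), lines)


def constructed_log() -> list[str]:
    """Constructed traffic: 30 guesses at card_A, one per merchant, 20 s apart,
    plus a genuine cardholder (card_B) mistyping twice at one shop."""
    lines = [f"ts={1000 + 20 * i} merchant=m{i:02d} card=card_A cv2=fail" for i in range(30)]
    lines += [
        "ts=1100 merchant=m03 card=card_B cv2=fail",
        "ts=1130 merchant=m03 card=card_B cv2=fail",
        "ts=1160 merchant=m03 card=card_B cv2=match",
    ]
    return sorted(lines, key=lambda l: int(l.split()[0][3:]))


if __name__ == "__main__":
    log = constructed_log()
    print("per-merchant alerts:", per_merchant_alerts(log) or "none")  # none
    print("per-card alerts:    ", per_card_alerts(log))                # {'card_A'}
```

With a threshold of five failures per hour, the per-merchant view never fires (no merchant sees more than three failures, and two of those are the honest cardholder's typos) while the per-card view flags card_A on its fifth wrong guess. Only the issuer sits in a position to run the per-card rule, which is why the weakness is the issuer's to mitigate, not the merchant's.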

Permanence- A CV2 code does not change as long as the card is in use. That means that once a customer provides a CV2 code to an online merchant or hands the card to a merchant in person, that merchant knows the customer's CV2 code for the life of the card. Card brand rules (PCI DSS) forbid merchants from storing the code after authorization, but that rule restrains honest merchants, not a malicious or compromised one.

Defenses: One-time codes- Just like issuers offer one-time card numbers, one-time CV2 codes could be used to defend against exploits of the permanence weakness.

Merchant-specific codes- A CV2 code could be a function of the credit card account and the merchant account, derived by the issuer under a key only it holds. That would prevent a malicious merchant from obtaining its customers' codes and using them with other merchants, since the code it saw verifies nowhere else.
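Both defences above amount to deriving the code from more than just the account. As an added example (not from the original post, and not any card network's actual CVV algorithm), here is an HMAC-based sketch in Python that binds the code to a merchant identifier for the merchant-specific variant and to a transaction counter for the one-time variant. The key, card number, expiry, merchant names and the string formats are assumptions made for illustration.

```python
# Added example (not part of the original post): deriving a CV2 that is bound
# to a merchant (merchant-specific codes) or to a transaction counter
# (one-time codes), using HMAC-SHA256 under an issuer-held key. This is a
# sketch of the two defences above, not the real CVV/CVC algorithm used by
# the card networks (which is DES-based and has no merchant binding). The
# key, PAN, expiry, merchant names and counters are all constructed.
import hashlib
import hmac
from typing import Optional


def derive_cv2(issuer_key: bytes, pan: str, expiry: str, binding: str, digits: int = 3) -> str:
    """Return a `digits`-long code tied to (pan, expiry, binding).
    `binding` is 'merchant:<id>' for a merchant-specific code or 'ctr:<n>'
    for a one-time code; changing it changes the code."""
    msg = f"{pan}|{expiry}|{binding}".encode()
    mac = hmac.new(issuer_key, msg, hashlib.sha256).digest()
    # Reduce the MAC to a short decimal code. The modulus slightly biases the
    # distribution, which is irrelevant against a 1000-value search space.
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


def verify_merchant_cv2(issuer_key: bytes, pan: str, expiry: str,
                        merchant_id: str, presented: str, digits: int = 3) -> bool:
    """Issuer-side check: the code must be the one derived for *this* merchant,
    so a code captured at another shop is useless here."""
    expected = derive_cv2(issuer_key, pan, expiry, f"merchant:{merchant_id}", digits)
    return hmac.compare_digest(expected, presented)


def verify_one_time_cv2(issuer_key: bytes, pan: str, expiry: str, last_counter: int,
                        presented: str, lookahead: int = 3, digits: int = 3) -> Optional[int]:
    """Issuer-side check for one-time codes. Accept the code for any counter in
    (last_counter, last_counter + lookahead] and return that counter so the
    caller can advance the card's state; return None on failure. Counters at
    or below last_counter are never accepted, which defeats replay of a code a
    merchant saw earlier. Caveat: each unit of lookahead gives a guesser one
    more chance per attempt (lookahead / 10**digits instead of 1 / 10**digits)."""
    for ctr in range(last_counter + 1, last_counter + 1 + lookahead):
        expected = derive_cv2(issuer_key, pan, expiry, f"ctr:{ctr}", digits)
        if hmac.compare_digest(expected, presented):
            return ctr
    return None


if __name__ == "__main__":
    key = b"constructed-issuer-key-not-for-real-use"
    pan, expiry = "4111111111111111", "12/29"

    code_a = derive_cv2(key, pan, expiry, "merchant:shopA")
    print("code for shopA:", code_a, "verifies at shopA:",
          verify_merchant_cv2(key, pan, expiry, "shopA", code_a))
    print("same code replayed at shopB:",
          verify_merchant_cv2(key, pan, expiry, "shopB", code_a))

    state = 0                                    # issuer's last-used counter for this card
    otc = derive_cv2(key, pan, expiry, "ctr:1")  # what the cardholder's device would show
    state = verify_one_time_cv2(key, pan, expiry, state, otc) or state
    print("one-time code accepted, counter now", state)
    print("replaying it:", verify_one_time_cv2(key, pan, expiry, state, otc))
```

The issuer-side checks return only match/no-match (or the accepted counter), consistent with the point made earlier that merchants never learn the code itself. The trade-off in the one-time variant is explicit in the code: tolerating a few skipped counters keeps honest cardholders working when a transaction is abandoned, but hands a guesser proportionally more chances per attempt, so the lookahead should stay small. Note also that neither variant fixes the brevity weakness; a three-digit code is still guessable in about 500 tries if nobody is counting failures.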

Evaluation of risks: CV2 codes offer little security beyond what the card already has. They are printed on the card and are routinely transmitted along with the card number and expiry date, so in effect all they do is make the card number three digits longer. The one situation in which they help is when the attacker has only magnetic-stripe data (from a skimmer) or a merchant database that obeyed the rule against storing the code: then the attacker holds the number but not the code, and has to guess or phish it.

Conclusion: While CV2 codes don't do much to help, they don't hurt either. A user shouldn't rely on them, but shouldn't worry about them either.

Filed under: Security Reviews