Ebellis: New page: '''Weak Amelioration Attempts''' To address the problems associated with shared secrets among large groups of people, the card associations came up with the concept of a security code (...

Ebellis — Tue, 30 Jun 2009 02:16:09 GMT

New page: '''Weak Amelioration Attempts''' To address the problems associated with shared secrets among large groups of people, the card associations came up with the concept of a security code (...

New page

'''Weak Amelioration Attempts'''

To address the problems associated with shared secrets among large groups of people, the card
associations came up with the concept of a security code (CV2), a three- or four-digit number
printed on the card. This is used as a pseudo-second factor for authentication, attempting to
prove the purchaser has the card in her possession.

There are two weaknesses in this patch to the system. First, the security code becomes an
additional shared secret. There are specific rules around handling security codes for merchants
and service providers, but again we rely on the weakest link in the purchase path. Second, not
all banks currently support this code, nor is it required in all cases. This means there is little
incentive for the merchant or acquirer to reject a purchase based on a failed check of this code.
Thus, the security code offers minimal improvement to the anti-fraud system.

While CV2 attempts to authenticate the consumer, we still lack authentication for the
merchant. How does the purchaser know the merchant is legitimate? What prevents
consumers from being socially engineered or phished out of their payment data?

The card associations and third-party payment providers have created additional security
programs to authenticate and authorize payments in card-not-present situations. Let’s analyze
a few of the more common processes in place today in order to assess what is working and any
areas that may be flawed.

Beautiful Trade/Weak Amelioration Attempts - Revision history

Ebellis: New page: '''Weak Amelioration Attempts''' To address the problems associated with shared secrets among large groups of people, the card associations came up with the concept of a security code (...