9

I am new to the credit card world. What are the security threats or possibilities if someone knows my credit/debit card number? Will he be able to misuse it, or will he require any additional information related to the card?

Anders
  • Just to keep an open mind, I would like to emphasize all the opportunities that this knowledge grants to one for successful social engineering attacks! – Master_ex Apr 07 '16 at 15:42

2 Answers

21

An excerpt from another answer:

You don't actually need the CVV to perform transactions, they're just required by most retailers as a means of verifying that you have the physical card in your possession.

From Wikipedia (unsourced):

It is not mandatory for a merchant to require the security code for making a transaction, hence the card is still prone to fraud even if only its number is known to phishers.

On most EFTPOS systems, it's possible to manually enter the card details. When a field is not present, the operator simply presses enter to skip, which is common with cards that don't carry a start date. On these systems, it is trivial to charge a card without the CVV. When I worked in retail, we would frequently do this when the chip on a card wasn't working and the CVV had rubbed off. In such cases, all that was needed was the card number and expiry date, with a signature on the receipt for verification.

In other words:

You could use that number to make payments or purchases in some systems. But if they also have your CVV from the back of the card, your card is fully compromised and can be used for all kinds of payments.

Recommendation:

Contact your credit card bank or issuer. They can provide you with a new credit card. Also, credit cards are something pre-internet; they don't have amazing security, and every bank in this world actually prefers it that way because they can follow the money transaction and find who is responsible for CC fraud.

Lucian Nitescu
  • 7
    That Wikipedia quote is confirmed by the EMV Standard v.4.3, Book 4 (this standard is also used by Visa, Mastercard, American Express), which explains that it is possible for a terminal to support and recognize the "No CVM required" mode, and thus to skip this verification step. – A. Darwin Apr 07 '16 at 07:19
  • 2
    Great answer! I would encourage you to add links when referencing other answers, Wikipedia, etc. – Anders Apr 07 '16 at 09:47
  • It should be noted that some banks nowadays reject transactions without a CVV code. I wouldn't publish my own CC number just to prove it though. – Dmitry Grigoryev Apr 07 '16 at 11:08
  • Isn't 3-D Secure an answer here? Even if the attacker knows all of the details of my card, he won't be able to buy a thing without my phone. – Sergio Tulentsev Apr 07 '16 at 11:28
  • 1
    It depends, like I said below, on whether you have that option... many of the banks worldwide don't... and also there is still a possibility of bypassing that. :) – Lucian Nitescu Apr 07 '16 at 11:30
  • CC predate the internet, but they have adapted to the internet. See http://security.stackexchange.com/a/116410/9640 for a discussion on virtual credit cards. With a virtual credit card, assuming that the intended payee has already charged your card, it would not matter who else knows the number. After the initial charge, no one else can make a charge to the vcc and you can custom set its limit and expiration dates. – emory Apr 07 '16 at 15:21
4

In addition to the other (correct) answer, I'd like to add that (at least in Europe) with most banks the credit card number and CVV are by default not sufficient to authorize a transaction.

For example, UBS forces you to choose a password that will be requested for any internet payment (and clearly it's not written on the credit card). Other banks in Italy do this or they send you a code on your mobile phone, so they would have to have your phone too. I don't know how widespread this is, or if it applies to the US, but my (limited) experience with banks up until now points in this direction :-)

Ant
  • Indeed, but it depends on the bank, the system, and whether you opt in for dual-factor authentication. Also, a few of the dual-factor authentication schemes don't do a thing most of the time! Some banks use that dual-factor authentication for their system only... and not for the external systems :( – Lucian Nitescu Apr 07 '16 at 11:21
  • @dvvcnxc What is the difference? – Ant Apr 07 '16 at 11:33
  • For other banks from other countries, you have to choose this option (dual-factor authentication) and you also have to pay for it. – Lucian Nitescu Apr 07 '16 at 12:19
  • @dvvcnxc Ah, I see! Thanks for the clarification :-) – Ant Apr 07 '16 at 12:20
  • With pleasure :) – Lucian Nitescu Apr 07 '16 at 12:22
  • Visa used to have a "Verified by Visa" program in the US, at least, where you would have to enter an additional password for certain online transactions, but I think that's defunct now. – JAB Apr 07 '16 at 13:48
  • And, as a risk mitigation measure, most banks give you the option of being notified via SMS when your credit card is being used for a transaction. This does not count as 2FA; however, it gives you the opportunity of being immediately notified in case of fraud (and, hopefully, of taking immediate action by blocking the card). – dr_ Apr 07 '16 at 13:53