60

There are quite a few cases where people are called out for disclosing the front-face of a credit or debit card (e.g. this tweet from Brian Krebs or this twitter account). So I was wondering what the impact of this disclosure for the card holder is likely to be.

From the front of a card, a fraudster could get the card PAN (16-digit number), start date/expiry date and cardholder name. Also, for debit cards, the cardholder's account number and sort code (that may vary by region).

So the question is, what's the likely impact of the disclosure of this information (i.e. what frauds could be committed)?

Some initial thoughts I had were:

  • Cardholder Not Present transactions shouldn't be possible as the CVV hasn't been disclosed
  • The card wouldn't be clonable with just that information as there's other information needed for the magstripe.
Rory McCune
  • 4
    I've "heard somewhere" that all you need is the front digits - that not all merchants require CVV or even expiration date. But this _really_ needs confirmation. – Henning Klevjer Oct 23 '12 at 07:17
  • Although the CCV was not disclosed, I think guessing it would prove less than difficult. Most CCV codes consist of only three digits and have other restraints as well. I'm not certain but it could be a problem. I'm guessing though that most banks would give you your money back if a transaction was discovered after being conducted that was not authorized by you. – Pablo Jomer Oct 23 '12 at 07:43
  • 7
    Amex CVC (Card Verification Code) is on the front. – Jeff Ferland Oct 23 '12 at 07:49
  • 7
    @HenningKlevjer et al: [How does Amazon bill me without the CVC / CVV / CVV2?](http://security.stackexchange.com/q/21168) [Why does Amazon ask for the CVC/CVV if it bills without it?](http://security.stackexchange.com/q/22733) Also related: [Could I be defrauded by a website who has my address, phone number, and credit card number?](http://security.stackexchange.com/q/10400) [Is it standard practice to ask a customer to send a photo of their credit card to confirm their identity?](http://security.stackexchange.com/q/18240) – Gilles 'SO- stop being evil' Oct 23 '12 at 08:56
  • @Gilles Very relevant, although there are no citations. It is highly likely that it is the card issuer that rules what values are needed and the merchant that decides additional requirements, i.e. a "bad" merchant may allow just the PAN if the credit card issuer in question has a bad authentication assurance policy. – Henning Klevjer Oct 23 '12 at 09:03
  • @HenningKlevjer I asked that 1st question he linked to, and the guys there explained that all the relevant stuff would be defined in the [Amazon's] merchant agreement, which is obviously not available for general public. Plus, I wouldn't say, e.g., Amazon is a "bad" merchant and they don't ask for the CVV. The same aforementioned question mentions the reason why they can afford not asking for the stuff -- they keep the fraud rates low enough. – TC1 Oct 23 '12 at 09:34
  • 2
    On a related note: https://twitter.com/NeedADebitCard will find you all the credit cards you need if you want to buy something. :p – Fredy31 Oct 23 '12 at 12:23

5 Answers

40

You don't actually need the CVV to perform transactions, they're just required by most retailers as a means of verifying that you have the physical card in your possession.

From Wikipedia (unsourced):

It is not mandatory for a merchant to require the security code for making a transaction, hence the card is still prone to fraud even if only its number is known to phishers.

On most EFTPOS systems, it's possible to manually enter the card details. When a field is not present, the operator simply presses enter to skip, which is common with cards that don't carry a start date. On these systems, it is trivial to charge a card without the CVV. When I worked in retail, we would frequently do this when the chip on a card wasn't working and the CVV had rubbed off. In such cases, all that was needed was the card number and expiry date, with a signature on the receipt for verification.

Polynomial
  • But wasn't it contrary to policy and rules to accept credit card information from a customer, in person, if they did not have the credit card in their possession? As a cashier, I always knew there were cameras, even intermittently, so I would have been implicated as an accessory if I were to accept payment from a customer without a card, if the customer was physically present in the store. – Ellie Kesselman Oct 23 '12 at 08:49
  • 4
    @FeralOink They had the card, but the chip didn't work and the CVV was rubbed off. I was simply providing an example of where I'd personally seen cards used without CVV. It's possible to set up a fraudulent merchant account and steal cash in this way. It's also possible to find stores that don't require CVV, though it's rare these days. – Polynomial Oct 23 '12 at 09:05
  • Okay! That makes more sense. I misunderstood you, thinking that the physical card wasn't req'd for an in-person transaction. Thanks! – Ellie Kesselman Oct 23 '12 at 09:07
  • 3
    @Polynomial +1. I worked in retail for 5 years and there was many a time I would manually just enter the credit card number/expiration date, but never the CVV. Some systems (like the one I worked at) don't even have a place to put the CVV in. – Gaff Oct 23 '12 at 12:45
19

Aside from the already mentioned attacks involving unauthorized usage of a credit card, the credit card information can also be used for social engineering and identity theft.

As a somewhat current example, see how Mat Honan got hacked last summer: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

In his case, Apple only required the last digits for his credit card (which his attacker obtained from Amazon) in order to give up the account. It stands to reason that other vendors may be duped if an attacker were to provide a full credit card number including expiration dates.

Bushibytes
  • 3
    +1 While the financial information leak may be more or less obvious, there are far more ways to use a credit card than just buying stuff, especially when so many vendors use the last 4 digits as a backup customer ID. – Phil Oct 23 '12 at 13:34
13

You would need CVV and expiration date for verification, although expiration date is on the front face of a card. Also required is the billing address, or at a minimum, the zip code of the billing address, neither of which are on the front or back of the card.

However, this depends on whether you're buying something retail, in person versus online. If you are working in retail where the card details can be manually entered, which is definitely an option unless there are policies against it, or maybe a POS machine that won't allow it (although that hasn't been my experience, as magnetic strips get demagnetized by women's magnetic purse fasteners A LOT), there would be the potential for fraud. There would be no need for billing zip code or billing address. It would require the complicity of the cashier as well as the customer though. This is why: Even though the card info can be entered manually, it is NEVER acceptable to take the information from a person who hands you a piece of paper with their card details.

On the phone, or online, you will need name, card number, expiration date, CVV (4 digit for AmEx, 3 digit for Visa/MC) and billing address (and shipping address) for a physical delivery. If you are ordering something that doesn't need to be delivered, and remember, you have now restricted your options for illegal purchases significantly, you would still need billing zip code, even though you wouldn't need address etc.

What can you buy online or on the phone, with name, card number, CVV and zip code? Well, iTunes caps monthly purchases at $5,000 per month as a default. So you could buy a lot of iTunes music, or premium membership to expensive porn sites, or lots of cloud storage, or online games. But even if you were to do any of that, you would still need to use the services from somewhere that was associated with an IP address. I doubt that it is practical to play games via Tor, same is true for streaming porn, though I am not certain. And if you bought iTunes songs, Apple would need to know enough identifying information about you that it wouldn't be safe. You couldn't buy stuff via PayPal or Amazon, as you'd need to take physical delivery of the items, which would be incriminating, whether to you or someone else who acted for you.

And all of this would be moot without the billing zip code, which is not on the front of the card. I don't have any sources, just experience working at a casino, on a huge 500 person ship, for a year. And I purchase lots of clothes and things online. I'll look for something to cite, but it tends to be a result of widely observed electronic payment practices rather than technological impossibility.

EDIT:
See the answers to this question: What is the use of stolen credit card details? The answers are based on access to mass quantities of cards, or willingness to allow someone to get in trouble for taking delivery of your purchases (the answer referred to that as "a rube"), or rather elaborate eBay card swapping schemes. It wasn't straightforward. (Many are in pursuit of credit card information, but I often wonder what most people can actually do with it, other than cause inconvenience and fear. ZeuS or SpyEye is the exception, as it appears disturbingly versatile).

Ellie Kesselman
12

It's worth mentioning that American Express credit cards do have the CVV on the front side (not the back), along with the card number, the cardholder name, and the expiration date. Therefore, disclosing the front face of an Amex card would allow arbitrary purchases, even card-not-present purchases.

D.W.
8

All that is required to run a credit card transaction is the PAN (Primary Account Number), which is basically the 16 digits found on the front of a card. That's all that really happens when a card is swiped - the machine reads the PAN that is encoded onto the card's magnetic strip. Therefore - if someone has the front face of your card, your account is compromised.

Card Present, matching ID card/signature, CVV (security code), AVS (address verification), and others are added layers of security that a merchant might ask you for, especially in a risky environment such as online shopping. But, these are by no means required. You could get away running a transaction with just the 16 digits, though most merchants won't allow that because of the risk of fraud and chargebacks.

John
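The point several answers above make, that CVV, AVS and card-present checks are layers a merchant chooses to enforce rather than properties of the card number, sketched from the merchant's side as an added example (not code from any poster or payment gateway). The `AuthRequest` fields, the `decide` policy and its decision strings are hypothetical; the PAN is a widely used test number, not a real card.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def luhn_ok(pan: str) -> bool:
    """Checksum only: catches typos, proves nothing about who holds the card."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class AuthRequest:                      # hypothetical request shape
    pan: str
    entry_mode: str                     # "chip", "keyed" or "online"
    expiry: Optional[str] = None
    cvv_match: Optional[bool] = None    # None means the merchant never asked
    avs_zip_match: Optional[bool] = None

def decide(req: AuthRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons) under an assumed merchant policy."""
    if not luhn_ok(req.pan):
        return "decline", ["PAN fails Luhn checksum"]
    hard, soft = [], []
    if req.expiry is None:
        hard.append("expiry date missing")
    if req.entry_mode == "keyed":
        soft.append("keyed entry: confirm card in hand and signature")
    elif req.entry_mode == "online":
        if req.cvv_match is None:
            hard.append("CVV not collected")
        elif not req.cvv_match:
            hard.append("CVV mismatch")
        if req.avs_zip_match is not True:
            soft.append("billing ZIP not verified")
    if hard:
        return "decline", hard + soft
    return ("review", soft) if soft else ("approve", [])

# Constructed sample: test PAN plus expiry, i.e. only front-of-card data.
FRONT_FACE_ONLY = AuthRequest("4111111111111111", "online", expiry="12/14")

if __name__ == "__main__":
    print(decide(FRONT_FACE_ONLY))
```

A merchant that drops the CVV and AVS branches would approve the front-face-only request, which is the exposure the answers describe.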