Stolen Credit Card CVV/CVC Puzzle

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › Stolen Credit Card CVV/CVC Puzzle

SimonGilmour

31 posts

Geek

#316158 21-Sep-2024 00:02

Hi, Interested if anyone has some knowledge here.

I lost my wallet this morning. Was hoping that it might be handed in but then a few hours later I got 2FA texts - someone was trying to use my ANZ VISA Credit Card on "One NZ" (Previously Vodafone, I believe). The problem is that I cut the aerial on and literally shave off the CVC/CVV number off of my credit cards. So it can't be used for paywave and I can't see how it can be used online without the CVC number. I talked to ONE NZ and they swear that the CVC number is needed to make a purchase on their site.

So something doesn't add up. Is there a way around the CVC number? Did they brute-force guess it? Are OneNZ lying?

Any idea?

Thanks,

1 | 2 | 3 | 4 | 5 | 6

192 posts

Master Geek

#3284692 21-Sep-2024 00:49

I just checked, One prompt for CVC/CVV for prepaid topups from the app, but given the scope of One, it could be any avenue that has a weakness (Online Store/Phone Order/etc).

That said, instead of scratching off the numbers, I saw an ad at the mall the other day for ANZ advertising dynamic security codes for their cards. Might want to opt in for that, even if you have no intention to use it for phone/online transactions.

SaltyNZ

8231 posts

Uber Geek

Trusted

2degrees

Lifetime subscriber

#3284701 21-Sep-2024 07:38

snj:

That said, instead of scratching off the numbers, I saw an ad at the mall the other day for ANZ advertising dynamic security codes for their cards. Might want to opt in for that, even if you have no intention to use it for phone/online transactions.

it's enabled by default - unfortunately you have to dig through a couple of screens to read the current one. I've started using it for new transactions. The next step would be allow you to set your card to make it mandatory.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

jamesrt

1612 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#3284703 21-Sep-2024 07:54

The ANZ GoMoney app will let you disable paywave and also what they categorised as 'online shopping' purchases - which I assume is transactions when the card is not physically presented at the payment terminal [it's tagged by the terminal if a card is physically inserted I believe].

If the OP seeks card security, I'd recommend checking out these and the other options in the app.

robjg63

4098 posts

Uber Geek

Subscriber

#3284704 21-Sep-2024 07:58

SaltyNZ:

snj:

That said, instead of scratching off the numbers, I saw an ad at the mall the other day for ANZ advertising dynamic security codes for their cards. Might want to opt in for that, even if you have no intention to use it for phone/online transactions.

it's enabled by default - unfortunately you have to dig through a couple of screens to read the current one. I've started using it for new transactions. The next step would be allow you to set your card to make it mandatory.

As far as I know, the CVV on the card is always valid.

If you are using the card for an online purchase, then you can use the dynamic code - so you dont give away the cards 'permanent' CVV code.

If someone stole the card - then I understand that the dynamic code wont help you.

Nothing is impossible for the man who doesn't have to do it himself - A. H. Weiler

SimonGilmour

31 posts

Geek

#3284707 21-Sep-2024 08:15

jamesrt: The ANZ GoMoney app will let you disable paywave and also what they categorised as 'online shopping' purchases - which I assume is transactions when the card is not physically presented at the payment terminal [it's tagged by the terminal if a card is physically inserted I believe].

If the OP seeks card security, I'd recommend checking out these and the other options in the app.

Yeap. But what I'm really interested in is how they used it without the CVC. I think snj has to be right; OneNZ must have allowed a credit card without a CVC.

geek3001

64 posts

Master Geek

ID Verified

Subscriber

#3284709 21-Sep-2024 08:26

This could be a data verification sequence issue.

An incorrect CVC number would likely have been entered, however that error had not been dealt with yet, instead the payment process then moved to obtaining a 2FA response, which would have failed as those with the stolen card would not receive the 2FA challenge response and therefore could not complete the transaction.

I have experienced something similar in the past. While I am not dyslexic, I am human and I often key the numbers incorrectly when I am paying something via a web form. When I have queried the bank as to why the transaction failed, they have told me that it was due to one or more of the entered details being incorrect with that problem being detected upon checking of ALL entered data, even though I had been sent the 2FA challenge and responded to it.

SimonGilmour

31 posts

Geek

#3284710 21-Sep-2024 08:29

geek3001:

This could be a data verification sequence issue.

An incorrect CVC number would likely have been entered, however that error had not been dealt with yet, instead the payment process then moved to obtaining a 2FA response, which would have failed as those with the stolen card would not receive the 2FA challenge response and therefore could not complete the transaction.

I have experienced something similar in the past. While I am not dyslexic, I am human and I often key the numbers incorrectly when I am paying something via a web form. When I have queried the bank as to why the transaction failed, they have told me that it was due to one or more of the entered details being incorrect with that problem being detected upon checking of ALL entered data, even though I had been sent the 2FA challenge and responded to it.

Ah, right. Understood.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

Linux

11428 posts

Uber Geek

Trusted

Lifetime subscriber

#3284728 21-Sep-2024 09:31

I keep payway disabled in the bnz app and also online purchases until I require it

SimonGilmour

31 posts

Geek

#3284729 21-Sep-2024 09:49

Linux: I keep payway disabled in the bnz app and also online purchases until I require it

Yeah several years ago every year I'd get a fraudulent transaction or two. It just kept happening, and it didn't seem straight after using the card anywhere. It was a pain in the ass because every time I reported it ANZ would cancel the card and send me another and so you have to go to all your utility providers and update the card etc. But after 3 or 4 years I was confident it was Aliexpress. They're crafty - they'd wait a month or two after my transaction before commiting the fraud, and from memory they'd do a small transaction for a few dollars and then a while later a larger one - feeling out whether you will notice. And it isn't the vendors, of course, they don't see the credit card details. So it's someone at Aliexpress HQ so to speak, or someone at whoever processes their payments.

Problem was at the time ANZ was behind the times and you couldn't lock the card etc. (nowadays you can). So I got an ASB credit card which you can lock and that I keep locked until I need it for online xactions. And NEVER used the ANZ one online or on paywave.

neb

11294 posts

Uber Geek

Trusted

Lifetime subscriber

#3284913 21-Sep-2024 23:21

SimonGilmour: So something doesn't add up. Is there a way around the CVC number? Did they brute-force guess it? Are OneNZ lying?

Most issues with invalid CVVs are because the cardholder either mistypes it or doesn't have the card handy and tries to guess it. Because of this many payment processors choose to allow transactions with invalid CVVs on the grounds that it's more profitable to allow them than to decline them.

SomeoneSomewhere

1804 posts

Uber Geek

Lifetime subscriber

#3284917 22-Sep-2024 00:00

Are you certain that they attempted to use it online and not in store? I expect using it in store would report it as the specific store on the statement, but can't confirm.

I could see someone trying to force through a stripe-and-signature or chip-and-signature transaction by bamboozling the staff.

SimonGilmour

31 posts

Geek

#3284918 22-Sep-2024 00:25

SomeoneSomewhere:
Are you certain that they attempted to use it online and not in store? I expect using it in store would report it as the specific store on the statement, but can't confirm.

I could see someone trying to force through a stripe-and-signature or chip-and-signature transaction by bamboozling the staff.

I got 2FA texts with codes. Is that possible in a physical store?

boosacnoodle

963 posts

Ultimate Geek

#3284938 22-Sep-2024 09:26

Many stores don’t require a CVV or a valid one at that. Lotto is a notable one, as is Amazon. Shopify lets stores disable it too and they’d be one of the biggest ecommerce platforms around.

geek3001

64 posts

Master Geek

ID Verified

Subscriber

#3284942 22-Sep-2024 09:48

boosacnoodle: Many stores don’t require a CVC or a valid one at that. Lotto is a notable one, as is Amazon. Shopify lets stores disable it too and they’d be one of the biggest ecommerce platforms around.

This seems rather odd, as it puts into question the very purpose of the CVC number.

As far as I recall the PCI standard requires that the merchant / payment processor must securely collect the CVC number to enable a card not present transaction to be processed. Ditto over-the-phone and postal/mail-order card not present transactions. No CVC collected and a challenge by the actual card holder saying the charge on their account is invalid, would result in a determination of fraud and a charge-back to the merchant.

I purchase online regularly and have never encountered an online store that does not require the three-digit CVC.

Interestingly, I have encountered many online stores that do not ask for the card holder's name, or that will accept any string of incorrect characters in the card holder's name field. These always require the CVC.

In terms of Lotto, I presume you mean Lotto NZ? If so, I can assure you they definitely require the card's CVC number as part of the topping-up process when you buy a ticket manually via their smartphone app as I do this regularly.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#3284952 22-Sep-2024 10:14

neb:

Most issues with invalid CVVs are because the cardholder either mistypes it or doesn't have the card handy and tries to guess it. Because of this many payment processors choose to allow transactions with invalid CVVs on the grounds that it's more profitable to allow them than to decline them.

Er, no. Scheme rules (as in Mastercard, Visa, and Amex, not the banks) absolutely prohibit permitting a transaction with an invalid CVV. A CVV is not mandatory, but if it is provided, it absolutely must be correct.

1 | 2 | 3 | 4 | 5 | 6