SimonGilmour

#316158 21-Sep-2024 00:02
Hi, interested if anyone has some knowledge here.

I lost my wallet this morning. Was hoping that it might be handed in but then a few hours later I got 2FA texts - someone was trying to use my ANZ VISA Credit Card on "One NZ" (previously Vodafone, I believe). The problem is that I cut the aerial on and literally shave the CVC/CVV number off my credit cards. So it can't be used for paywave and I can't see how it can be used online without the CVC number. I talked to ONE NZ and they swear that the CVC number is needed to make a purchase on their site.

So something doesn't add up. Is there a way around the CVC number? Did they brute-force guess it? Are OneNZ lying?

Any idea?

Thanks,

s

snj
  #3284692 21-Sep-2024 00:49
I just checked, One prompts for CVC/CVV for prepaid topups from the app, but given the scope of One, it could be any avenue that has a weakness (Online Store/Phone Order/etc).

That said, instead of scratching off the numbers, I saw an ad at the mall the other day for ANZ advertising dynamic security codes for their cards. Might want to opt in for that, even if you have no intention to use it for phone/online transactions.



SaltyNZ
snj:

That said, instead of scratching off the numbers, I saw an ad at the mall the other day for ANZ advertising dynamic security codes for their cards. Might want to opt in for that, even if you have no intention to use it for phone/online transactions.

It's enabled by default - unfortunately you have to dig through a couple of screens to read the current one. I've started using it for new transactions. The next step would be to allow you to set your card to make it mandatory.




iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

jamesrt
The ANZ GoMoney app will let you disable paywave and also what they categorised as 'online shopping' purchases - which I assume is transactions when the card is not physically presented at the payment terminal [it's tagged by the terminal if a card is physically inserted I believe].

If the OP seeks card security, I'd recommend checking out these and the other options in the app.



robjg63
SaltyNZ:

snj:

That said, instead of scratching off the numbers, I saw an ad at the mall the other day for ANZ advertising dynamic security codes for their cards. Might want to opt in for that, even if you have no intention to use it for phone/online transactions.

It's enabled by default - unfortunately you have to dig through a couple of screens to read the current one. I've started using it for new transactions. The next step would be to allow you to set your card to make it mandatory.

As far as I know, the CVV on the card is always valid.

If you are using the card for an online purchase, then you can use the dynamic code - so you don't give away the card's 'permanent' CVV code.

If someone stole the card - then I understand that the dynamic code won't help you.




Nothing is impossible for the man who doesn't have to do it himself - A. H. Weiler

SimonGilmour

  #3284707 21-Sep-2024 08:15
jamesrt: The ANZ GoMoney app will let you disable paywave and also what they categorised as 'online shopping' purchases - which I assume is transactions when the card is not physically presented at the payment terminal [it's tagged by the terminal if a card is physically inserted I believe].

If the OP seeks card security, I'd recommend checking out these and the other options in the app.

Yeap. But what I'm really interested in is how they used it without the CVC. I think snj has to be right; OneNZ must have allowed a credit card without a CVC.

geek3001
This could be a data verification sequence issue.

An incorrect CVC number would likely have been entered, however that error had not been dealt with yet, instead the payment process then moved to obtaining a 2FA response, which would have failed as those with the stolen card would not receive the 2FA challenge response and therefore could not complete the transaction.

I have experienced something similar in the past. While I am not dyslexic, I am human and I often key the numbers incorrectly when I am paying something via a web form. When I have queried the bank as to why the transaction failed, they have told me that it was due to one or more of the entered details being incorrect with that problem being detected upon checking of ALL entered data, even though I had been sent the 2FA challenge and responded to it.


SimonGilmour

  #3284710 21-Sep-2024 08:29
geek3001:

This could be a data verification sequence issue.

An incorrect CVC number would likely have been entered, however that error had not been dealt with yet, instead the payment process then moved to obtaining a 2FA response, which would have failed as those with the stolen card would not receive the 2FA challenge response and therefore could not complete the transaction.

I have experienced something similar in the past. While I am not dyslexic, I am human and I often key the numbers incorrectly when I am paying something via a web form. When I have queried the bank as to why the transaction failed, they have told me that it was due to one or more of the entered details being incorrect with that problem being detected upon checking of ALL entered data, even though I had been sent the 2FA challenge and responded to it.

Ah, right. Understood.

 
 
 
 

Linux
I keep paywave disabled in the BNZ app and also online purchases until I require it

SimonGilmour

  #3284729 21-Sep-2024 09:49
Linux: I keep paywave disabled in the BNZ app and also online purchases until I require it

Yeah several years ago every year I'd get a fraudulent transaction or two. It just kept happening, and it didn't seem straight after using the card anywhere. It was a pain in the ass because every time I reported it ANZ would cancel the card and send me another and so you have to go to all your utility providers and update the card etc. But after 3 or 4 years I was confident it was Aliexpress. They're crafty - they'd wait a month or two after my transaction before committing the fraud, and from memory they'd do a small transaction for a few dollars and then a while later a larger one - feeling out whether you will notice. And it isn't the vendors, of course, they don't see the credit card details. So it's someone at Aliexpress HQ so to speak, or someone at whoever processes their payments.

Problem was at the time ANZ was behind the times and you couldn't lock the card etc. (nowadays you can). So I got an ASB credit card which you can lock and that I keep locked until I need it for online xactions. And NEVER used the ANZ one online or on paywave.

neb
SimonGilmour: So something doesn't add up. Is there a way around the CVC number? Did they brute-force guess it? Are OneNZ lying?

Most issues with invalid CVVs are because the cardholder either mistypes it or doesn't have the card handy and tries to guess it. Because of this many payment processors choose to allow transactions with invalid CVVs on the grounds that it's more profitable to allow them than to decline them.

SomeoneSomewhere
Are you certain that they attempted to use it online and not in store? I expect using it in store would report it as the specific store on the statement, but can't confirm.

I could see someone trying to force through a stripe-and-signature or chip-and-signature transaction by bamboozling the staff.

SimonGilmour

  #3284918 22-Sep-2024 00:25
SomeoneSomewhere:

Are you certain that they attempted to use it online and not in store? I expect using it in store would report it as the specific store on the statement, but can't confirm.

I could see someone trying to force through a stripe-and-signature or chip-and-signature transaction by bamboozling the staff.

I got 2FA texts with codes. Is that possible in a physical store?

boosacnoodle
  #3284938 22-Sep-2024 09:26
Many stores don’t require a CVV or a valid one at that. Lotto is a notable one, as is Amazon. Shopify lets stores disable it too and they’d be one of the biggest ecommerce platforms around.

geek3001
boosacnoodle: Many stores don’t require a CVC or a valid one at that. Lotto is a notable one, as is Amazon. Shopify lets stores disable it too and they’d be one of the biggest ecommerce platforms around.

This seems rather odd, as it puts into question the very purpose of the CVC number.

As far as I recall the PCI standard requires that the merchant / payment processor must securely collect the CVC number to enable a card not present transaction to be processed. Ditto over-the-phone and postal/mail-order card not present transactions. No CVC collected and a challenge by the actual card holder saying the charge on their account is invalid, would result in a determination of fraud and a charge-back to the merchant.

I purchase online regularly and have never encountered an online store that does not require the three-digit CVC.

Interestingly, I have encountered many online stores that do not ask for the card holder's name, or that will accept any string of incorrect characters in the card holder's name field. These always require the CVC.

In terms of Lotto, I presume you mean Lotto NZ? If so, I can assure you they definitely require the card's CVC number as part of the topping-up process when you buy a ticket manually via their smartphone app as I do this regularly.

Kyanar
neb:

Most issues with invalid CVVs are because the cardholder either mistypes it or doesn't have the card handy and tries to guess it. Because of this many payment processors choose to allow transactions with invalid CVVs on the grounds that it's more profitable to allow them than to decline them.

Er, no. Scheme rules (as in Mastercard, Visa, and Amex, not the banks) absolutely prohibit permitting a transaction with an invalid CVV. A CVV is not mandatory, but if it is provided, it absolutely must be correct.

