I was recently reading an article about a card company who have developed a card which has a battery and chip inside which allows the card to regenerate the security code for online transactions as a way to prevent fraud (sorry I don't remember the source) and thought of a slightly different way which could be more in tune with the way that Monzo is going.
The idea is to have the 3 digit code on the back of the card to be optionally replaced with a 3 digit randomiser on the app which would be valid for x amount of time.
This would make the code on the back of the card inert and replaced with the one on the app.
The idea being similar to a 2 factor auth for the security code to make online purchases.
Full disclosure: We are currently working very hard on building all the things necessary to launch as a full bank and we aren't currently actively exploring ideas such as this.
I'm a Security and Fraud engineer here at Monzo. I'm really excited by all the cool things we can start experimenting with once we have everything up and running.
Here's a flavour of some of the things I consider when evaluating ideas like this one:
It's important to consider what problem you are trying to solve. This particular idea (at least how you presented it) would give some protection against the following type of fraud:
Fraud committed online with a merchant that requires the CVC2 to be entered.
It doesn't protect against:
Fraud committed online with a merchant that doesn't require the CVC2 (sending the CVC2 is at the discretion of the merchant)
Card present fraud (typically magnetic stripe)
Online fraud where the fraudster guesses the CVC2 (usually by trying each possible value)
So one of the first things I would do is try and work out how much fraud actually sits in that first bucket; if it turns out that it is only £1 in every £99 of fraud then it may not be as high a priority.
You also have to consider the increased complexity in the app and the potential for misunderstanding this will introduce (users can be really bad at understanding things).
It could, potentially, be better to allow the user to generate full one time PANs (primary account numbers i.e. the 16 digit card number) from within the app. One of the things I find quite frustrating about fraud is the lack of visibility we have (as a bank) into what facilitated certain instances of fraud. For example, we know that a criminal somehow got a copy of someone's card details and did an online payment but we have no visibility into how they did that. Did they skim the contactless? Did they breach the database of an online retailer? Did they have an ATM skimmer? Did they just guess the details? If we can use different PANs for different things then we get more visibility into how the criminals are getting the card details and know where to focus efforts.
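An added illustration of the time-limited app code proposed in this thread (not code from any poster, Monzo or a card scheme): a TOTP-style derivation is assumed, and the key, PAN, 30-minute window and all function names are constructed for the example. It also counts how many of the 1000 possible values the issuer would accept at one moment, which is why the guessing case listed above still needs a separate control such as the assumed failure counter.

```python
import hashlib
import hmac
import struct

STEP = 1800  # assumed validity window in seconds (the thread's "x amount of time")

def dynamic_cvc(key: bytes, pan: str, now: int, step: int = STEP) -> str:
    """Derive a 3-digit code from key, PAN and time window (RFC 6238-style pattern)."""
    msg = pan.encode() + struct.pack(">Q", now // step)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in HOTP/TOTP
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"

def verify_cvc(key: bytes, pan: str, submitted: str, now: int, drift: int = 1) -> bool:
    """Issuer check: accept the current window and `drift` earlier ones."""
    ok = False
    for back in range(drift + 1):
        expected = dynamic_cvc(key, pan, now - back * STEP)
        ok |= hmac.compare_digest(expected, submitted)
    return ok

def accepted_codes(key: bytes, pan: str, now: int) -> list:
    """Every 3-digit value the issuer would accept right now."""
    return [c for c in (f"{i:03d}" for i in range(1000)) if verify_cvc(key, pan, c, now)]

class GuessLimiter:
    """Assumed issuer-side control: block a PAN after repeated wrong codes."""
    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = {}

    def check(self, key: bytes, pan: str, submitted: str, now: int) -> str:
        if self.failures.get(pan, 0) >= self.max_failures:
            return "locked"
        if verify_cvc(key, pan, submitted, now):
            self.failures[pan] = 0
            return "ok"
        self.failures[pan] = self.failures.get(pan, 0) + 1
        return "declined"

if __name__ == "__main__":
    # Constructed sample values, not real card data.
    key, pan, now = b"constructed-demo-key", "4000000000000002", 1_700_000_000
    print("app shows:", dynamic_cvc(key, pan, now))
    print("values accepted out of 1000:", len(accepted_codes(key, pan, now)))
```

Rotating the code limits how long a stolen value stays useful; it does not change the odds of any single guess, so the failure counter does that work.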
While you refer to CVV I have always referred to it as CCV.
CCV stands for Card Code Verification
CVV stands for Card Verification Value
However, there is technically CVV and CVV2 with the CVV referring to the card number on the front and CVV2 referring to the 3 digit code on the back of the card (or 4 digit code on the front of the card in the case of AmEx).
Other common expressions for the 3 digit code are Card Validation Code (CVC) and Card Security Code (CSC).
It is crazy that there is no standard name for this security feature!
Perhaps for consistency Monzo should have a corporate standard and pick one of these to use, rather than alternate between them depending on the author of a particular posting?
It is a little crazy. There are actually more CVC/CVV/CSCs than you might think:
CVC1 - This is encoded on the magnetic stripe
CVC2 - This is the one printed on the back of the card.
CVC3 - This is a dynamic value used for contactless transactions when completed using magnetic stripe fallback mode (it emulates a magnetic stripe track over contactless)
Chip CVC / iCVC - The CVC value encoded on the chip
CVC, CVV and CSC all refer to the same thing. The term is a bit overloaded; almost always when it is written as just "CVC/CVV/CSC" it is referring to the CVC2/CVV2/CSC2, as this is the only one a user ever has to enter.
I don't think it matters too much what they are referred to as; from a customer's point of view they will only ever need to care about the one on the back, as all others are handled automatically by the terminal.
That's right. My concern was while those of us who have worked with banks and tech will understand, other Monzo customers coming on to the community may get confused if reading CVV, CVV2, CCV, CSC, etc. without realising that actually people are really trying to talk about the same thing.