Regenerating 3 digit CVV / security code


(Steven) #1

Hi all :smiley:

I was recently reading an artical about a card company who have developed a card which has a battery and chip inside whoch allows the card to regenerate the security code for online transactions as a way to prevent fraud (sorry I don’t remember the source) and thought of a slightly different way whoch could be more in tune with the way that monzo is going.

The idea is to have the 3 digit code on the back of the card to be optionaly replaced with a 3 digit randomiser on the app which would be valid for x amount of time.

This would make the code on the back of the card innert and replaced with the one on the app.

The idea being similar to a 2 factor auth for the security code to make online purchaces.


(Alex Sherwood) #2

I’m guessing that you’re thinking about the article from this post (or the BBC coverage of the same feature, in the comments) -

there’s been some discussion about this there.

Although this

is a slightly different implementation of the concept.


(Daniel Chatfield) #3

Full disclosure: We are currently working very hard on building all the things necessary to launch as a full bank and we aren’t currently actively exploring ideas such as this.

I’m a Security and Fraud engineer here at Monzo. I’m really excited by all the cool things we can start experimenting with once we have everything up and running.

Here’s a flavour of some of the things I consider when evaluating ideas like this one:
It’s important to consider what problem you are trying to solve. This particular idea (at least how you presented it) would give some protection against the following type of fraud:

  • Fraud committed online with a merchant that requires the CVC2 to be entered.

It doesn’t protect against:

  • Fraud committed online with a merchant that doesn’t require the CVC2 (sending the CVC2 is at the discretion of the merchant)
  • Card present fraud (typically magnetic stripe)
  • Online fraud where the fraudster guesses the CVC2 (usually by trying each possible value)

So one of the first things I would do is try and work out how much fraud actually sits in that first bucket, if it turns out that it is only £1 in every £99 of fraud then it may not be as high a priority.

You also have to consider the increased complexity in the app and the potential for misunderstanding this will introduce (users can be really bad at understanding things).

It could, potentially, be better to allow the user to generate full one time PANs (primary account numbers i.e. the 16 digit card number) from within the app. One of the things I find quite frustrating about fraud is the lack of visibility we have (as a bank) into what facilitated certain instances of fraud. For example, we know that a criminal somehow got a copy of someone’s card details and did an online payment but we have no visibility into how they did that, did they skim the contactless? Did they breach the database of an online retailer? Did they have an ATM skimmer? Did they just guess the details? If we can use different PANs for different things then we get more visibility into how the criminals are getting the card details and know where to focus efforts.


Online Virtual Cards
#4

While you refer to CVV I have always refered to it as CCV.

CCV stands for Card Code Verification
CVV stands for Card Verification Value

However, there is technically CVV and CVV2 with the CVV refering to the card number on the front and CVV2 refering to the 3 digit code on the back of the card (or 4 digit code on the front of the card in the case of AmEx).

Other common expressions for the 3 digit code are Card Validation Code (CVC) and Card Security Code (CSC).

It is crazy that there is no standard name for this security feature!

Perhaps for consistency Monzo should have a corporate standard and pick one of these to use, rather than alternate between them depending on the author of a particular posting?


(Daniel Chatfield) #5

It is a little crazy. There are actually more CVC/CVV/CSCs than you might think:

  • CVC1 - This is encoded on the magnetic stripe
  • CVC2 - This is the one printed on the back of the card.
  • CVC3 - This is a dynamic value used for contactless transactions when completed using magnetic stripe fallback mode (it emulates a magnetic stripe track over contactless)
  • Chip CVC / iCVC - The CVC value encoded on the chip

CVC, CVV and CSC all refer to the same thing. The term is a bit overloaded, almost always when it is written as just “CVC/CVV/CSC” it is referring to the CVC2/CVV2/CSC2 as this is the only one a user ever has to enter.

I don’t think it matters too much what they are referred to as from a customer’s point of view they will only ever need to care about the one on the back as all others are handled automatically by the terminal.


#6

That’s right. My concern was while those of us who have worked with banks and tech will understand, other Monzo customers coming on to the community may get confused if reading CVV, CVV2, CCV, CSC, etc without realising that actually people are really trying to talk about the same thing :slight_smile:


(James Billingham) #7

I always just refer to it as the “security code”. In the context of entering card details, that’s always clear.


(Ben Green) #8