mark :: blog

19 Apr 2009: My CCV was (int)0

A few years ago I received a Mastercard with a CCV of 000. The CCV is the last 3 digits printed on the signature strip on the back of the card. Merchants ask for it to verify that you actually hold the card, as those digits are not encoded on the magstrip (although anyone who has handled the card, or has hacked any of the online merchants at the time you use it, also knows it). It's sometimes called CVV, CVV2, or CVC2 too.

Having a CCV of 000 seems nice and easy to remember, but actually was a bit of a curse. To start with, companies would sometimes not believe that 000 is your real CCV when you tell them by phone. But usually after a few attempts you can convince them to at least try it, and then all is well.

The real problems came when using the card online as several merchants refused to accept the card. Any programmer reading this will have guessed the ways this could fail already. Rather than web applications checking for a CCV of three digits, I imagine some of them stored the field as an integer and had "0" overloaded as "didn't enter a CCV".
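
The failure mode guessed at above, as an added example that is not part of the original post: a validator that parses the code as an integer and treats 0 as "not entered", next to one that checks for exactly three digits as a string. The function names and sample inputs are constructed for illustration.

```javascript
// Added illustration: hypothetical function names, constructed inputs.

// Buggy pattern: the code becomes an integer and 0 doubles as "not entered".
function validateCcvAsInt(input) {
  const ccv = parseInt(input, 10); // "000" -> 0, "012" -> 12, "12a" -> 12
  if (!ccv) {                      // 0 and NaN are both falsy
    return { ok: false, reason: "missing" };
  }
  if (ccv > 999) {
    return { ok: false, reason: "too long" };
  }
  return { ok: true, value: ccv }; // leading zeros are already lost here
}

// Corrected pattern: the code is a fixed-length digit string, never a number.
function validateCcvAsString(input) {
  if (typeof input !== "string" || input.length === 0) {
    return { ok: false, reason: "missing" };
  }
  if (!/^[0-9]{3}$/.test(input)) {
    return { ok: false, reason: "not three digits" };
  }
  return { ok: true, value: input };
}

// Run both validators over the same inputs so the differences line up.
function compare(inputs) {
  return inputs.map((input) => ({
    input,
    asInt: validateCcvAsInt(input),
    asString: validateCcvAsString(input),
  }));
}

// Constructed sample inputs: a valid all-zero code, a leading-zero code,
// an ordinary code, an empty field, and two malformed entries.
for (const row of compare(["000", "012", "999", "", "12a", "1234"])) {
  console.log(JSON.stringify(row));
}
```

The integer version rejects the valid code "000" as missing, silently turns "012" into 12, and accepts the malformed "12a"; the string version accepts exactly the three-digit inputs and preserves them unchanged.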

Scan Computers was the first casualty; my first order with them using the card appeared to get accepted, but then got stuck and the order stalled. That took a phone call to sort out, but at least the guy I spoke to by phone recognised and understood the problem and I only ended up getting my stuff a day late. It's worked okay with them since; I guess they fixed it.

Some other merchants I've been less lucky with. Some refused to accept the CCV at the time I entered it, but at least with those you know immediately and can use a different card. Other merchants accepted the CCV at order time but then later rejected the order, usually without giving a reason, probably when they did some batch processing with the stored CCV.

So you'd think there would be a lot of people with this problem: if the CCV is generated by the issuer using some hash then it ought to be 1/1000th of the card holding population. Perhaps some issuers deliberately avoid giving out a 000 security code, or perhaps I was just unlucky in my choice of merchants.

The experiment has sadly come to an end now as the card expired and has been replaced by one with a different CCV. I'm hoping one day to get 999.

Created: 19 Apr 2009

6 comments (new comments disabled)

Title: I had a CVV matching the last 3 digits of my card number...
Posted by: Simon Farnsworth
Time: Sun, 19 Apr 2009 18:24

There seem to be a lot of bad assumptions out there about what is and is not a legitimate CVV - Scan have been bitten before, for a start. Back in 2001, I had a VISA card, with a CVV that matched the last 3 digits of my card (so if the card was 4929 1234 5678 9012, the CVV was 012 - the numbers on the magstripe would have been 9012 012). The number of online merchants who would not accept it, and insisted that I had typed the last three digits of my card number instead of the CVV was insane - Scan were the first I tripped up on, but there were several others who could not handle this.

Title: Re: My CCV was (int)0
Posted by: Alex
Time: Sun, 19 Apr 2009 19:59

CCV is a pathetic attempt at security. We have this thing called public key cryptography. Why don't credit card companies start using it? The cost of changing equipment would likely be made up for entirely by the reduction in identity theft.

Title: Re: My CCV was (int)0
Posted by: Josh Bressers
Time: Sun, 19 Apr 2009 20:15

This would be a horrible curse. You had to wait YEARS to tell anyone about this, and it's far too cool to not talk about.

Title: Re: My CCV was (int)0
Posted by: Rich
Time: Sun, 19 Apr 2009 22:58

Yes! Same as me! Thankfully I got a new card last year which has a non-zero CVV and things are better. Still it's not as bad as the curse that is Verified by Visa. BTW I think it's CVV not CCV?

Title: Re: My CCV was (int)0
Posted by: Chris
Time: Mon, 20 Apr 2009 19:01

Huzzah! Now I know 2 numbers that *aren't* Mark's new pin! :)

Title: privet
Posted by: Jessicabrila
Time: Sun, 10 May 2009 16:46

Nice ! :).. Thanks buddy..

Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, Fedora, home automation, and other topics.