A few days back, a friend of mine received a phone call from a person who introduced himself as a representative of a particular bank. Since the Government of India had recently made it mandatory to link Aadhaar with all bank accounts, the caller explained the same and warned her to get it done immediately. Without much knowledge of the process involved, she followed his instructions and set about linking her Aadhaar over the phone call itself.
Without paying any heed to the consequences, she shared her debit card number along with the expiry date and the CVV2. An OTP arrived immediately, and without thinking about the security implications of her next action, she shared the OTP as well. She then received a "transaction failed" SMS. Luckily, her account did not have enough balance to cover the amount the caller (the attacker) was trying to take. That was an eye-opener; she immediately realised the gravity of the situation and blocked her debit card.
In these days of increased card security, with OTPs and 3D Secure PINs in wide use, can anyone with just your card details and CVV number transact with it? What does the CVV number on your card actually verify? Are all transactions nowadays accompanied by an OTP?
Before we answer these questions, let's first talk about 'card-not-present' fraud.
Investopedia defines 'Card-not-present' fraud as a type of credit card scam in which the customer does not physically present the card to the merchant during the fraudulent transaction. Card-not-present fraud can occur with transactions that are conducted online or over the phone. It is theoretically harder to prevent than card-present fraud because the merchant cannot personally examine the credit card for signs of possible fraud, such as a missing hologram or altered account number.
Some interesting statistics to be noted on Card-not-present fraud:
1) According to a 2017 report by the US Payments Forum, the increased security of chip cards forced criminals to shift the focus of their activities to Card-not-present (CNP) transactions.
2) The United States is especially vulnerable to CNP fraud, as it leads the world with the highest percentage of e-commerce sales, with 77 percent of U.S. merchants selling online.
3) The Payments Forum report includes a prediction that EMV implementation will lead to an increase in CNP fraud in the U.S. from $3.1 billion in 2015 to $6.4 billion in 2018.
Source - creditcards.com
Now let's come back to what a CVV number means and whether it adds another security layer to your 'card-not-present' transaction.
What is the CVV Number?
The CVV (Card Verification Value) is a 3-digit code (4-digit on American Express) printed on your debit or credit card. It goes by several names: Card Verification Data (CVD), Card Security Code (CSC), Card Verification Code (CVC) and CVV2. The "2" is often explained as a "second-generation, harder to guess" code, but that is not what it means. The CVV1 is encoded only in the magnetic stripe track data and is checked on card-present swipes; the CVV2 is the code printed on the plastic and is not present in the stripe, so a skimmed stripe alone does not yield it. Both are computed by the issuer from the card number, expiry and service code under an issuer-held key, so neither can be derived from the card number, but a three-digit code still has exactly 1,000 possible values.
The CVV2 is an anti-fraud feature intended to show that the person ordering remotely has the physical card in hand. Note what it does not do: it is a static value, so anyone who has seen or photographed the card, or obtained the code from a merchant that kept it, can reuse it indefinitely. This is why PCI DSS forbids merchants from storing the CVV2 after authorisation, and why the claim that it "ensures nobody can use your card number without the card" only holds until the code has leaked once.
For Visa and Mastercard, the three-digit code is printed on the signature panel on the back of the card, immediately after the last digits of the account number.
For American Express, the four-digit code (which Amex calls the CID) is printed on the front of the card above the account number.
Visa introduced it in 1999 as a security code for e-commerce transactions. Since then many more measures have been added, such as the 3D Secure PIN and the OTP. This infographic by Visa gives an overview of the 'Evolution of Payment Security'.
What Happens if we enter the wrong CVV number?
On July 1, 2013, the RBI passed a circular stating that "all mobile banking transactions shall be permitted only by validation through two-factor authentication." Following this, the OTP or 3D Secure PIN came to be used as the additional factor of authentication.
Previously, a card transaction could be completed with just the card number, expiry and CVV. As payment security requirements tightened, an additional layer was added: for transactions that go through 3D Secure, the issuer requires an OTP or 3D Secure PIN in addition to the CVV. So on sites that enforce 3D Secure, a transaction needs the OTP verification as well as the CVV. But many sites, typically merchants outside India that have not enrolled in 3D Secure, still accept a transaction with only the card number, expiry and CVV, and the cardholder has no say in which kind of merchant their stolen details end up at.
What actually happens if we enter a wrong CVV is that we still receive an OTP. After entering the OTP, we get a transaction-failure message stating that the transaction was not successful because of an incorrect CVV. In a correct implementation both factors must be validated for the transaction to succeed; the CVV check simply happens after the OTP step.
But can a payment go through even with a wrong or completely random CVV? Yes. There was a recent issue with the debit cards of a well-known private bank that amounted to a CVV bypass. The bank's implementation of debit-card payments was flawed in a way that let an attacker skip the CVV check entirely: given the card number and expiry date, they could enter any random CVV and, once the OTP step was completed, the payment gateway accepted it as valid and processed the payment.
Imagine a case where an attacker gets hold of a consumer's phone, on which the consumer has linked this card to the Paytm, Ola or Uber app. Knowing the card number and expiry (the precondition above), all the attacker needs to do is add money to the consumer's Paytm wallet from the debit card, entering any CVV he likes (the OTP arrives on the phone he now controls), and then transfer the money to his own Paytm account. He never needs to hold the debit card.
We tried reporting the above issue to the bank and this is how they responded:
"This is known as CVV bypass for 3D secured transactions. The control is through the dynamic OTP that is validated for all such transactions. CVV2 on the plastic is a static number and vulnerable to compromise, hence the Bank is employing a secure protocol. If the same person tries the transaction which is not 3D secured, then the CVV2 is validated."
On 6 December 2016, the RBI relaxed the two-factor authentication requirement for online card transactions up to Rs 2,000. Dropping the additional factor for purchases up to Rs 2,000 is an opt-in service: customers have to specifically ask for it. Now imagine the above case with a cardholder who has opted in, so a sub-Rs 2,000 payment goes through without any OTP. The only thing left between the card details and the money is the CVV check, and the bank's own response says the CVV2 is validated only on transactions that are not 3D secured. Whether that validation actually runs on the relaxed path is the question to verify; if it does not, anyone with the card number and expiry could debit the amount with a random CVV and no OTP at all.
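The following Python is an added example, not code from the bank, the gateway or the original article. It models an issuer's card-not-present authorisation decision to make two points from the text concrete: the reported bypass, where a transaction that passes 3D Secure is approved without the CVV2 ever being consulted, and the Rs 2,000 opt-in relaxation, where the CVV2 becomes the only factor left. The card numbers, codes and amounts are constructed for the demo, and the three-failure lockout is a hypothetical issuer policy, included because a three-digit code has only 1,000 values.

```python
"""Toy model of an issuer's card-not-present (CNP) authorisation decision.
Added example, not the bank's or gateway's code.  Card data is constructed;
the lockout policy is hypothetical.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

AFA_WAIVER_LIMIT_INR = 2000   # RBI Dec-2016 relaxation threshold (opt-in)
MAX_CVV_FAILURES = 3          # hypothetical issuer lockout policy

@dataclass
class Card:
    pan: str
    expiry: str                    # YYMM as on the card
    cvv2: str                      # static code printed on the plastic
    afa_waiver_opt_in: bool = False
    cvv_failures: int = 0
    blocked: bool = False

@dataclass
class Request:
    pan: str
    expiry: str
    cvv2: str
    amount_inr: int
    three_ds_passed: bool          # did the OTP / 3D Secure step succeed?

def otp_required(card: Card, req: Request) -> bool:
    """OTP may be skipped only for small amounts and only if the
    cardholder opted in to the relaxation."""
    return not (card.afa_waiver_opt_in and req.amount_inr <= AFA_WAIVER_LIMIT_INR)

def cvv_matches(card: Card, req: Request) -> bool:
    # constant-time compare: the code is a secret, however short
    return hmac.compare_digest(card.cvv2, req.cvv2)

def card_identity_ok(card: Card, req: Request) -> bool:
    return not card.blocked and card.pan == req.pan and card.expiry == req.expiry

def vulnerable_authorize(card: Card, req: Request) -> str:
    """The behaviour the article reports: once 3D Secure has passed,
    the host approves without ever consulting the CVV2."""
    if not card_identity_ok(card, req):
        return "DECLINED"
    if req.three_ds_passed:
        return "APPROVED"          # bug: CVV2 never checked on this path
    if otp_required(card, req):
        return "DECLINED"          # OTP required but not completed
    return "APPROVED" if cvv_matches(card, req) else "DECLINED"

def hardened_authorize(card: Card, req: Request) -> str:
    """Every CNP path validates CVV2; OTP is required on top unless the
    waiver applies; repeated CVV failures block the card."""
    if not card_identity_ok(card, req):
        return "DECLINED"
    if not cvv_matches(card, req):
        card.cvv_failures += 1
        if card.cvv_failures >= MAX_CVV_FAILURES:
            card.blocked = True    # 1,000 possible codes: a lockout is essential
        return "DECLINED"
    card.cvv_failures = 0
    if otp_required(card, req) and not req.three_ds_passed:
        return "DECLINED"
    return "APPROVED"

def guess_cvv(card: Card, authorize: Callable[[Card, Request], str],
              amount_inr: int, three_ds_passed: bool) -> Optional[int]:
    """Attacker who knows PAN and expiry enumerates all 1,000 CVV2 values.
    Returns the attempt count at first approval, or None if never approved."""
    for n in range(1000):
        req = Request(card.pan, card.expiry, f"{n:03d}", amount_inr, three_ds_passed)
        if authorize(card, req) == "APPROVED":
            return n + 1
        if card.blocked:
            return None
    return None

def demo() -> dict:
    """Runs the article's scenarios against both implementations."""
    def sample_card(opt_in: bool = False) -> Card:
        # constructed test card; 4111... is a well-known test PAN
        return Card(pan="4111111111111111", expiry="2512", cvv2="314",
                    afa_waiver_opt_in=opt_in)
    # Attacker holds the phone (OTP passes) but types a random CVV.
    random_cvv_3ds = Request("4111111111111111", "2512", "999", 2500, True)
    return {
        "vulnerable_random_cvv_3ds": vulnerable_authorize(sample_card(), random_cvv_3ds),
        "hardened_random_cvv_3ds": hardened_authorize(sample_card(), random_cvv_3ds),
        # Opted-in card, Rs 1,500, no OTP: the CVV is the only factor left.
        "vulnerable_waiver_guesses": guess_cvv(sample_card(True), vulnerable_authorize, 1500, False),
        "hardened_waiver_guesses": guess_cvv(sample_card(True), hardened_authorize, 1500, False),
    }
```

Running `demo()` shows the vulnerable host approving the random-CVV 3D Secure request outright, the hardened host declining it, and, on the no-OTP waiver path, the vulnerable host giving up the card to a 315th guess while the hardened host blocks the card after three wrong codes. The design point is that the CVV2 check must run on every path and must be backed by an attempt limit, because a static three-digit code without a lockout is a 1,000-guess problem, not a second factor.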
The payments industry is changing at a rapid pace, and the CVV number may soon be replaced by something else. It will be fascinating to see how the next five years pan out for the industry. There are many compliance regimes in place with additional layers of security; that said, new threats will keep arising from time to time. The important thing is to be aware of them and proactive about them.