User: Password:
|
|
Subscribe / Log in / New account

Google Authenticator for multi-factor authentication

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 16:21 UTC (Thu) by jwarnica (guest, #27492)
In reply to: Google Authenticator for multi-factor authentication by ekj
Parent article: Google Authenticator for multi-factor authentication

The distinction of those methods (and also, signature, track 2) are ways that the CC companies can use as proof (well, evidence) that you actually have the card when doing that transaction.

Back in the physical swipe days, the embossing of the card and carbon paper made an imprint. The imprint was not just the card number, but demonstration that the card was actually there when the imprint happened.

"Track 2" data is similar; I dunno what it contains, but provides similar evidence that the actual card was actually used.

Expiry date help for phone or internet transactions, as does the CCV2 codes; just more evidence that someone has the card in hand.

Generally, the theory was that it is hard/impossible to copy two of these at the same time. Signature and CC # embossing are on the opposite side of the card. CCV2 # and CC#, opposite sides (for most cards), etc.

Obviously, as time has moved on, the effort/gain ratio of each of these has been overcome, and thus the introduction of more things.


(Log in to post comments)

Google Authenticator for multi-factor authentication - credit cards

Posted Dec 9, 2011 17:05 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

Expiration date is not normally an authenticating factor. I used to successfully submit charges all the time with made up expiration dates. The reason the rules require the merchant to provide that is to prevent the merchant from neglecting to check the expiration date.

The key value of the card verification code (the few digits printed somewhere on the card, aka CCV2 et al) is that it isn't recorded and transmitted all around, like the card account number obviously is. Anyone involved in accounting can see your card account number, but few people ever see your card verification code.

In the original design, secrecy of the card account number wasn't considered a security feature at all. It was public knowledge and security was provided by physical presence of the card and a signature alone. As telephone ordering became more important, banks started trying to keep the account numbers secret as a security measure, but that's obviously pretty weak. Likewise, even secrecy of checking account numbers is now considered a security measure.

This is strange...

Posted Dec 10, 2011 6:51 UTC (Sat) by khim (subscriber, #9252) [Link]

I used to successfully submit charges all the time with made up expiration dates.

How can you do that? I've had card from a few banks, but they all reject transactions with incorrect expiration dates (at least electronic ones). This is PITA when card expires: if order is placed with old expiration date and is not shipped before it's annulled and new one is issued then you need to go to the web site and change the data. And not all sites provide nice interface to do that...

This is strange...

Posted Dec 10, 2011 15:16 UTC (Sat) by corbet (editor, #1) [Link]

Our experience as a credit card merchant suggests that banks differ widely in the practices they apply. For a lot of them, if you have a number, that's all they care about. We routinely get emails from people who realize they put in the wrong name or expiration date, but the charges go through just fine. Other banks insist on correct address information and will turn down charges because they don't like the position of the moon that night.

expiration date in credit card authentication

Posted Dec 10, 2011 18:02 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

It doesn't surprise me that for some charges the expiration date has to be right. There's a lot of diversity in this area.

But I know that traditionally, the expiration date wasn't part of authentication. When I did it, it was in 1999 using a traditional merchant credit card terminal.

Banking computing standards often take a decade to make even a trivial change because regulators are very careful. I'm pretty sure that this terminal wasn't even capable of transmitting the expiration date I typed to its partner.

Google Authenticator for multi-factor authentication

Posted Dec 14, 2011 20:55 UTC (Wed) by eli (guest, #11265) [Link]

Signature and CC # embossing are on the opposite side of the card.
Take out one of your credit cards. Look at the back of it. Notice that everything on the front of the card is embossed into the card, which changes the shape of the back of the card. If you get a good image of the back of that card, you can read the data embossed on the front.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds