Hidden security code Posted on January 21, 2008 at 10:47:12 PM by De Macneill
The magnetic stripe on the back of a credit card is similar to magnetic tape used for cassette recordings, or to back up computer data. Every ATM card stripe is loaded with a three-digit security code, known as either CVV (Card Verification Value) or CVC (Card Verification Code). The characters are different from the CVV2 value that's actually printed on the card, and often requested of consumers when shopping online.
These CVV or CVC codes are invisible to consumers, so they can't be tricked into divulging the information. The secret data is supposed to prove the plastic inserted into an ATM machine is really the plastic issued to the consumer by the bank.
But many banks don't check the codes. They just skip the process, assuming that if the PIN is accurate, the card must be authentic.
"Banks are not checking the magnetic stripe data as they should ... It's not clear why," Litan said. "It's not an expensive process. It doesn't add much to the cost of the transaction."
Jevans said most banks just didn't think it was necessary until recently.
"Tons of people don't set up their ATMs to check (the security codes)," he said. "They never thought to turn it on. It was never a problem."
Banks targeted by such fraud can spend months trying to figure out what's happening, Litan said. But once they do, adding the security code check stops the thieves cold, she said.
"They are often quickly able to stop the crime with a relatively simple solution," she said. Would-be thieves then just move to the next "cashable" bank.
SunTrust Bank Inc. ATMs were described as "cashable" until last December in an online bulletin board devoted to ATM fraud. On the bulletin board pages, described by a bank security expert as a discussion between con artists talking about ATM white card fraud, criminals lament SunTrust's upgrade.
"Hey everyone. Again, really bad news," one bulletin board participant writes. "SunTrust is not cashable anymore, anywhere in the world. So I think we should start some other banks."
Responding to a question regarding the bulletin board, Hugh Suhr, a spokesman for SunTrust said: "(We) don’t have any input as this appears to pertain to security-related matters and we don’t publicly discuss as we see that as counterproductive to those efforts."