Software Trust #5: Always Wear Your Mask

When a user installs a product on his or her machine, a degree of trust is given to that application, and in return that application is required to meet some expectations. This series explores these expectations.

Using a credit card on the internet generally requires that the person using the card know a card number, cardholder name, expiry date and a number printed somewhere on the card. This number is called the Credit Card Verification (CCV) number. It exists as a means to verify that a person has, or had, physical possession of the card being used to make a purchase when that person is not physically present where the transaction takes place, such as when ordering over the phone or on the internet.

This mechanism provides some degree of security against corrupt merchants who obtain the other requisite information from a point of sale system. This system is not foolproof as it is possible for that shopkeeper to see the CCV number, but to do so they would have to handle the card in an atypical way, which may or may not arouse the suspicion of a customer.

People are becoming increasingly comfortable using the internet to conduct financial transactions, not just in their own homes, but in public places via portable or public computers. I’ve noticed recently that a lot of websites do not mask the value entered into the CCV field on online forms. Given that this number is entered in close visual proximity to the other information some observer may need to conduct a fraudulent transaction, one would be forgiven for the presumption that it behooved merchants to protect this field since the stated purpose of it is as a proof that the person conducting the transaction possesses the card.

I have also never been asked to provide a CCV number when ordering over the phone. One assumes that the reason for this is so that the CCV number is not disclosed to a third party, which seems reasonable at face value. However, this calls into question why it’s not OK to disclose the number directly, but OK to more easily enable passive disclosure to anyone who may pass by your computer screen.

It’s not as though there is no precedent for masking values meant to remain secret. Every major computer operating system ever developed has had some form of masking technique for sensitive fields, and other devices used in financial transactions such as ATMs and EFT terminals mask the values of PIN numbers in a similar fashion to how a password is masked on a computer.
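As an added illustration (not part of the original post), the following script audits a checkout form's HTML and reports any CCV-style input that the browser would display in clear text rather than masking it the way a password field is masked. The hint list, function names and both sample forms are assumptions constructed for this example.

```python
from html.parser import HTMLParser

# Substrings assumed to identify a card verification field (not exhaustive).
CCV_HINTS = ("ccv", "cvv", "cvc", "csc", "securitycode", "security_code", "security-code")

class CcvFieldAudit(HTMLParser):
    """Records every <input> that looks like a CCV field and whether it is masked."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Valueless attributes arrive as None; normalise everything to lowercase.
        a = {k: (v or "").lower() for k, v in attrs}
        label = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "placeholder"))
        if not any(hint in label for hint in CCV_HINTS):
            return
        # An <input> with no type attribute defaults to "text", which is shown in clear.
        field_type = a.get("type") or "text"
        self.findings.append({
            "field": a.get("name") or a.get("id") or "?",
            "type": field_type,
            "masked": field_type == "password",
        })

def audit_form(html):
    """Return one finding per CCV-like input found in the HTML."""
    parser = CcvFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def unmasked_ccv_fields(html):
    """Names of CCV-like inputs whose value would be visible to an onlooker."""
    return [f["field"] for f in audit_form(html) if not f["masked"]]

# Constructed sample: the CCV is typed into an ordinary visible text box.
WEAK_FORM = """<form>
<input type="text" name="cardnumber" autocomplete="cc-number">
<input type="text" name="cvv" maxlength="4" autocomplete="cc-csc">
</form>"""

# Constructed sample: same form, with the CCV masked like a password.
HARDENED_FORM = WEAK_FORM.replace('type="text" name="cvv"',
                                  'type="password" inputmode="numeric" name="cvv"')

if __name__ == "__main__":
    print("weak form:", unmasked_ccv_fields(WEAK_FORM))
    print("hardened form:", unmasked_ccv_fields(HARDENED_FORM))
```

The check only inspects static markup, so a field that is masked or unmasked at runtime by script or CSS needs to be verified in a browser.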

Is there some crucial point to all of this that I’ve missed? Or perhaps I am right in thinking that the payment processing industry has failed to enforce the same standards on the internet as they do everywhere else?


