Google Authenticator for multi-factor authentication - credit cards

Posted Dec 9, 2011 17:05 UTC (Fri) by giraffedata (guest, #1954)
In reply to: Google Authenticator for multi-factor authentication by jwarnica
Parent article: Google Authenticator for multi-factor authentication

Expiration date is not normally an authenticating factor. I used to successfully submit charges all the time with made up expiration dates. The reason the rules require the merchant to provide that is to prevent the merchant from neglecting to check the expiration date.

The key value of the card verification code (the few digits printed somewhere on the card, aka CCV2 et al) is that it isn't recorded and transmitted all around, like the card account number obviously is. Anyone involved in accounting can see your card account number, but few people ever see your card verification code.

In the original design, secrecy of the card account number wasn't considered a security feature at all. It was public knowledge and security was provided by physical presence of the card and a signature alone. As telephone ordering became more important, banks started trying to keep the account numbers secret as a security measure, but that's obviously pretty weak. Likewise, even secrecy of checking account numbers is now considered a security measure.

to post comments

This is strange...

Posted Dec 10, 2011 6:51 UTC (Sat) by khim (subscriber, #9252) [Link] (2 responses)

I used to successfully submit charges all the time with made up expiration dates.

How can you do that? I've had card from a few banks, but they all reject transactions with incorrect expiration dates (at least electronic ones). This is PITA when card expires: if order is placed with old expiration date and is not shipped before it's annulled and new one is issued then you need to go to the web site and change the data. And not all sites provide nice interface to do that...

This is strange...

Posted Dec 10, 2011 15:16 UTC (Sat) by corbet (editor, #1) [Link] (1 responses)

Our experience as a credit card merchant suggests that banks differ widely in the practices they apply. For a lot of them, if you have a number, that's all they care about. We routinely get emails from people who realize they put in the wrong name or expiration date, but the charges go through just fine. Other banks insist on correct address information and will turn down charges because they don't like the position of the moon that night.

expiration date in credit card authentication

Posted Dec 10, 2011 18:02 UTC (Sat) by giraffedata (guest, #1954) [Link]

It doesn't surprise me that for some charges the expiration date has to be right. There's a lot of diversity in this area.

But I know that traditionally, the expiration date wasn't part of authentication. When I did it, it was in 1999 using a traditional merchant credit card terminal.

Banking computing standards often take a decade to make even a trivial change because regulators are very careful. I'm pretty sure that this terminal wasn't even capable of transmitting the expiration date I typed to its partner.