On 2023-11-15 01:44, Chris wrote:
> R.Wieser <address@is.invalid> wrote:
>> Chris,

[...]

>> I had no idea what a CVV was, so I looked it up and got this :
>>
>> https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
>>
>> The most humorous part (in a very sad way) of it was this :
>>
>> "When you provide this number for an online or phone purchase, the merchant
>> will submit the CVV when it authorizes the transaction. It's an attempt to
>> verify that you have the physical card in your possession and that you're
>> not just using stolen card information."
>>
>> I cannot imagine how the merchant, on the other side of an online or phone
>> connection, will be able to see that you have the bank card in your hands,
>> and are infact "not just using stolen card information".
>
> CVV codes are by definition not stored anywhere so cannot be stolen.

Huh.

When I make a purchase with Amazon, for instance, they ask for *all* the
data on the card, including the CVV, and they do store it, so that from
that day on I can make purchases with only a click. They just resubmit
my card data to my bank and get paid, with my permission. But if they
are bad guys, they could get money from any client, they have millions
of cards stored including their cvv numbers.

--
Cheers,
Carlos E.R.

Carlos E. R. wrote:

> Chris wrote:
>
>> CVV codes are by definition not stored anywhere so cannot be stolen.

the PCI (payment card industry) standard says you can't store the CVV

> When I make a purchase with Amazon, for instance, they ask for *all* the
> data on the card, including the CVV, and they do store it, so that from
> that day on I can make purchases with only a click. They just resubmit
> my card data to my bank and get paid, with my permission. But if they
> are bad guys, they could get money from any client, they have millions
> of cards stored including their cvv numbers.

PCI says CVV isn't required for "card on file" transactions, so
presumably Amazon uses the CVV for the first transaction with a given
cards, then discard it as they won't need it for subsequent transactions?

Chris wrote:

> Andy Burns wrote:
>
>> You might want to check that with Jeremy Clarkson
>> <http://news.bbc.co.uk/1/hi/7174760.stm>
>
> That was 15 years ago.

So, what has changed about setting-up direct debits since then?

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 2023-11-15 01:44, Chris wrote:
>> R.Wieser <address@is.invalid> wrote:
>>> Chris,
>
> [...]
>
>
>>> I had no idea what a CVV was, so I looked it up and got this :
>>>
>>> https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
>>>
>>> The most humorous part (in a very sad way) of it was this :
>>>
>>> "When you provide this number for an online or phone purchase, the merchant
>>> will submit the CVV when it authorizes the transaction. It's an attempt to
>>> verify that you have the physical card in your possession and that you're
>>> not just using stolen card information."
>>>
>>> I cannot imagine how the merchant, on the other side of an online or phone
>>> connection, will be able to see that you have the bank card in your hands,
>>> and are infact "not just using stolen card information".
>>
>> CVV codes are by definition not stored anywhere so cannot be stolen.
>
> Huh.
>
> When I make a purchase with Amazon, for instance, they ask for *all* the
> data on the card, including the CVV, and they do store it, so that from
> that day on I can make purchases with only a click.

That's your choice by enabling one-click, however, I've just added a new
card on my account and at no point does it ask for the CVV.

> They just resubmit
> my card data to my bank and get paid, with my permission. But if they
> are bad guys, they could get money from any client, they have millions
> of cards stored including their cvv numbers.

I suspect it's more that you've pre-authorised your card for purchases from
Amazon with your bank. No storage of CVV is required.

Andy Burns <usenet@andyburns.uk> wrote:
> Chris wrote:
>
>> Andy Burns wrote:
>>
>>> You might want to check that with Jeremy Clarkson
>>> <http://news.bbc.co.uk/1/hi/7174760.stm>
>>
>> That was 15 years ago.
>
> So, what has changed about setting-up direct debits since then?

It's very easy to track them in your mobile app at least.

Chris,

> Number jacking isn't enough to get through security verification with the
> bank.

I was not thinking about manual 2FA, just the automated versions of it. But
how many situations do you know, banks included, where its handled by an
actual human ?

> They ask you for specific information you set up with them and/or
> something only known by you.

I'm afraid you dropped a word : "supposedly", after the "something". If
its info related to you (favorite color, a long-gone dogs race, grandmothers
name, etc.) than a even a cursory search could turn it up, as well as some
"social engenering" (a friendly conversation with someone). If its "set up"
than it might as well be a second password. And 'moar passwords' is really
something we need. :-|

> If you're smart you create pretend answers to the "memorable questions".

Remembering pretend answers isn't all that easy. Especially not when you
seldom have the need for it. Heck, I've got my current phonenumber for some
time now, and even that one I seem to have a hard time remembering ...

> I mean, all that is quite a reach even if it were feasible. Much, much
> easier to phish someone to give you their information willingly and
> directly.

Quite a reach ? The thing I pointed out is that putting the lock (the
request) and its key (the 2FA reply) into the same container isn't all that
smart. Its than not if, but when someone figures out a way to have a
program (malicious app) do the request and than grab the reply and stuff it
where it needs to go. No human intervention required.

They should be kept apart (as in : on two different devices), only
(temporarily!) "combined" when the user recognises the need for it.

And "if it where feasable" ? I think you wil be surprised what all is
feasable in the software realm. Either by just smart programming, using
stuf in a non-conventional way, or by making use of one of the (many)
software (or even hardware) bugs.

And yes, for the "less sophisticated" crooks (which use a more personal
approach instead of a carpet-bombing one) that, or with the aid of an
average-sized crowbar, works as well.

.... though I hope you are not trying to sell me the notion that because
simpler methods exist the more complex ones "therefore" do not or can be
ignored.

Regards,
Rudy Wieser

Chris,

> I can cancel any direct debit or standing order purely from my banking
> app.

Good for you. But thats, as mentioned, not how it works here (or worked, it
was some time ago).

> Mistakes happen, but it's easy to rectify.

Ah yes, you only have to notice that you can't pay your groceries anymore,
figure out why your account is empty, contact the bank to reverse the
incorrect charge, and wait for the money to come back into your account -
which, for some reason, could take a few days. And all the while you're
scrambling to find the money needed to pay for your groceries and incurring
"administrative costs" coming from the companies you have a direct-debit
agreement with which failed to go thru in the mean time. "administrative
costs" which you never get back ofcourse, even if it wasn't your fault.

> That's what direct debits allow say for paying off the minimum payment
> required on a credit card. It varies a lot month by month. That's a useful
> feature.

Agreed, its a usefull feature. But as said, the banks here do not offer
anything of the kind.

>> Take a wild guess. But I'll give you a hint : I allready mentioned it
>> in this thread.
>
> But not prepared to mention again?

Nope. Not before you tried to find it yourself first.

>>> That's illegal without your knowledge.
>>
>> Yes, and crooks are known to be lawfull citizens. /s
>
> Everything has to be foolproof to be useful, right?

Nope. But only a fool would try to make the case that because something
works most of the time we should therefore ignore when it doesn't. Are you
such a fool ?

>> Lol ? So anyone who finds a lost card can just pay with it ?
>> Fantastic. :-(
>
> That's always been true.

Nope. At least not here. And you could have known that, as I just
described that we have a (four digit) "password" here that we are not
supposed to share with anyone. You even quoted i.

> Nowadays it's easy to block a lost card.

Do read up on which part of the loss due to losing a card wil be absorbed by
the bank, and which part of it will be yours. You might be surprised to
find that any money that went gone before you called the bank is your
problem. So, keep checking that you stil have that card on you, otherwise
you could be in for a sad surprise.

>> No, the "bank code" here is something that isn't on the card and is
>> regarded the users "password", to be guearded with its life.
>
> No idea what that is.

You have no idea what a password is or what its used for ? How quaint
.....

The bottom line is that here you can find someones bank card, but without
its password its useless to you.

> CVV codes are by definition not stored anywhere so cannot be stolen.

I seem to remember you saying that they where printed on the bank cards
themselfs. So, what is it ? Some 'Schrodinger's Cat' kind of thing perhaps
?

I also seem to remeber that those numbers wher provided, over the internet
or in a phone conversation, to the merchant on the other side. That sounds
to me it can /very easily/ be stolen.

And by the way, I have not seen you respond to when I, effectivily, made fun
of the uselesness of such a mechanism. How come ?

>>>> When I was younger I was taught that running random executables
>>>> on a 'puter was taking a risk of getting malware.
>>>
>>> That's because it was.
>>
>> Yep. But the thing you overlooked is that it still is.
>
> No it isn't.

Just keep sticking your head in the sand, its no skin off of my back. Good
luck with that though.

Though is there any reason why you think that, in the below, you can ask me
for examples of something have happened, but at the same time do not even
/try/ explain the above, let alone substanciate it ?

> More or less than "random executables"?

*All* apps in that context are "random executables" to me. It just so
happens that, in what I described, a bunch of them are /purposely/ malicious
too.

And yes, that means that of the non-purposely malicious ones there are still
quite a number that, unintended by the developer, are also malicious (due to
them using other peoples libraries).

>> And thats apart from the well-working non-malicious apps that get sold to
>> some other "developer", who than make use of the automatic updating
>> mechanism of an established app to replace it with their own malicious
>> version of it.
>
> Sounds very theoretical and unrealistic.

:-) The updating mechanism for apps is quite well known, and even
complained about by users who see their app change "under their hands"..

> Any real examples?

You mean something like
https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485 ?

And I'm sure that a little bit of googling will return more stuff like it.

Consider yourself informed.

Regards,
Rudy Wieser

On 2023-11-15 09:35, Chris wrote:
> Carlos E. R. <robin_listas@es.invalid> wrote:
>> On 2023-11-15 01:44, Chris wrote:
>>> R.Wieser <address@is.invalid> wrote:
>>>> Chris,
>>
>> [...]
>>
>>
>>>> I had no idea what a CVV was, so I looked it up and got this :
>>>>
>>>> https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
>>>>
>>>> The most humorous part (in a very sad way) of it was this :
>>>>
>>>> "When you provide this number for an online or phone purchase, the merchant
>>>> will submit the CVV when it authorizes the transaction. It's an attempt to
>>>> verify that you have the physical card in your possession and that you're
>>>> not just using stolen card information."
>>>>
>>>> I cannot imagine how the merchant, on the other side of an online or phone
>>>> connection, will be able to see that you have the bank card in your hands,
>>>> and are infact "not just using stolen card information".
>>>
>>> CVV codes are by definition not stored anywhere so cannot be stolen.
>>
>> Huh.
>>
>> When I make a purchase with Amazon, for instance, they ask for *all* the
>> data on the card, including the CVV, and they do store it, so that from
>> that day on I can make purchases with only a click.
>
> That's your choice by enabling one-click, however, I've just added a new
> card on my account and at no point does it ask for the CVV.

I did not enable one click. I have to enter my Amazon password at some
point in the purchase.

>
>> They just resubmit
>> my card data to my bank and get paid, with my permission. But if they
>> are bad guys, they could get money from any client, they have millions
>> of cards stored including their cvv numbers.
>
> I suspect it's more that you've pre-authorised your card for purchases from
> Amazon with your bank. No storage of CVV is required.

When I added my card to Google Wallet they also asked for the CVV, AFAIR.

--
Cheers,
Carlos E.R.

On 2023-11-15 10:23, R.Wieser wrote:
> Chris,

....

>>> Take a wild guess. But I'll give you a hint : I allready mentioned it
>>> in this thread.
>>
>> But not prepared to mention again?
>
> Nope. Not before you tried to find it yourself first.

My Thunderbird fails to find any string whatsoever in Usenet messages
bodies.

....

--
Cheers,
Carlos E.R.

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 2023-11-15 10:23, R.Wieser wrote:
> > Chris,
>
> ...
>
> >>> Take a wild guess. But I'll give you a hint : I allready mentioned it
> >>> in this thread.
> >>
> >> But not prepared to mention again?
> >
> > Nope. Not before you tried to find it yourself first.
>
> My Thunderbird fails to find any string whatsoever in Usenet messages
> bodies.

Nitpick! The thread is just 104 articles, so you just have to re-read
them all.

You'll need to do that, because in Rudy's world it's perfectly fine to
snip any and all context, so when reading his articles, you might have
no idea what he's talking about. That's alright, because he's suffering
from the same problem.

Have fun. I think I'll schedule my next elective root canal procedure,
because sitting on my hands here, is also quite a challenge.

On 2023-11-15 13:37, Frank Slootweg wrote:
> Carlos E. R. <robin_listas@es.invalid> wrote:
>> On 2023-11-15 10:23, R.Wieser wrote:
>>> Chris,
>>
>> ...
>>
>>>>> Take a wild guess. But I'll give you a hint : I allready mentioned it
>>>>> in this thread.
>>>>
>>>> But not prepared to mention again?
>>>
>>> Nope. Not before you tried to find it yourself first.
>>
>> My Thunderbird fails to find any string whatsoever in Usenet messages
>> bodies.
>
> Nitpick! The thread is just 104 articles, so you just have to re-read
> them all.

X'-D

> You'll need to do that, because in Rudy's world it's perfectly fine to
> snip any and all context, so when reading his articles, you might have
> no idea what he's talking about. That's alright, because he's suffering
> from the same problem.
>
> Have fun. I think I'll schedule my next elective root canal procedure,
> because sitting on my hands here, is also quite a challenge.

:-)

You will get cramps. My doctor gave me some pills for aches in my hands
that come with age :-p

--
Cheers,
Carlos E.R.

Carlos,

>>> But not prepared to mention again?
>>
>> Nope. Not before you tried to find it yourself first.
>
> My Thunderbird fails to find any string whatsoever in Usenet messages
> bodies.

That sounds like a bug and you should report it ?

But you could always sort on the subject or, in this case, the person (me)
and look thru the relevant posts.

Or you could export the relevant messages / everything into a folder and let
the Windows do the searching for you.

Regards,
Rudy Wieser

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 2023-11-15 09:35, Chris wrote:
>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>> On 2023-11-15 01:44, Chris wrote:
>>>> R.Wieser <address@is.invalid> wrote:
>>>>> Chris,
>>>
>>> [...]
>>>
>>>
>>>>> I had no idea what a CVV was, so I looked it up and got this :
>>>>>
>>>>> https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
>>>>>
>>>>> The most humorous part (in a very sad way) of it was this :
>>>>>
>>>>> "When you provide this number for an online or phone purchase, the merchant
>>>>> will submit the CVV when it authorizes the transaction. It's an attempt to
>>>>> verify that you have the physical card in your possession and that you're
>>>>> not just using stolen card information."
>>>>>
>>>>> I cannot imagine how the merchant, on the other side of an online or phone
>>>>> connection, will be able to see that you have the bank card in your hands,
>>>>> and are infact "not just using stolen card information".
>>>>
>>>> CVV codes are by definition not stored anywhere so cannot be stolen.
>>>
>>> Huh.
>>>
>>> When I make a purchase with Amazon, for instance, they ask for *all* the
>>> data on the card, including the CVV, and they do store it, so that from
>>> that day on I can make purchases with only a click.
>>
>> That's your choice by enabling one-click, however, I've just added a new
>> card on my account and at no point does it ask for the CVV.
>
> I did not enable one click. I have to enter my Amazon password at some
> point in the purchase.

Then why did you say you "can make purchases with only a click"? Isn't that
one click?

>>
>>> They just resubmit
>>> my card data to my bank and get paid, with my permission. But if they
>>> are bad guys, they could get money from any client, they have millions
>>> of cards stored including their cvv numbers.
>>
>> I suspect it's more that you've pre-authorised your card for purchases from
>> Amazon with your bank. No storage of CVV is required.
>
> When I added my card to Google Wallet they also asked for the CVV, AFAIR.

That doesn't mean it's stored.

R.Wieser <address@is.invalid> wrote:
> Chris,
>
>> I can cancel any direct debit or standing order purely from my banking
>> app.
>
> Good for you. But thats, as mentioned, not how it works here (or worked, it
> was some time ago).
>
>> Mistakes happen, but it's easy to rectify.
>
> Ah yes, you only have to notice that you can't pay your groceries anymore,
> figure out why your account is empty, contact the bank to reverse the
> incorrect charge, and wait for the money to come back into your account -
> which, for some reason, could take a few days. And all the while you're
> scrambling to find the money needed to pay for your groceries and incurring
> "administrative costs" coming from the companies you have a direct-debit
> agreement with which failed to go thru in the mean time. "administrative
> costs" which you never get back ofcourse, even if it wasn't your fault.

Nice story.

>> That's what direct debits allow say for paying off the minimum payment
>> required on a credit card. It varies a lot month by month. That's a useful
>> feature.
>
> Agreed, its a usefull feature. But as said, the banks here do not offer
> anything of the kind.

Get better banks.

>>> Take a wild guess. But I'll give you a hint : I allready mentioned it
>>> in this thread.
>>
>> But not prepared to mention again?
>
> Nope. Not before you tried to find it yourself first.
>
>>>> That's illegal without your knowledge.
>>>
>>> Yes, and crooks are known to be lawfull citizens. /s
>>
>> Everything has to be foolproof to be useful, right?
>
> Nope. But only a fool would try to make the case that because something
> works most of the time we should therefore ignore when it doesn't.

No-one is ignoring anything. Turning the world upside down because someone
somewhere did a bad thing once is hardly proportionate. living in fear is a
choice you've made.

> Are you
> such a fool ?

Pretty sure I'm communicating with one.

>>> Lol ? So anyone who finds a lost card can just pay with it ?
>>> Fantastic. :-(
>>
>> That's always been true.
>
> Nope. At least not here.

Of course it has. In the old days ppl would forge signatures from the back
of cards, or used them over the phone (just like you gave an example) and
now you can just tap to pay up to £100.

> And you could have known that, as I just
> described that we have a (four digit) "password" here that we are not
> supposed to share with anyone. You even quoted i.
>
>> Nowadays it's easy to block a lost card.
>
> Do read up on which part of the loss due to losing a card wil be absorbed by
> the bank, and which part of it will be yours. You might be surprised to
> find that any money that went gone before you called the bank is your
> problem. So, keep checking that you stil have that card on you, otherwise
> you could be in for a sad surprise.

Unlikely.

>>> No, the "bank code" here is something that isn't on the card and is
>>> regarded the users "password", to be guearded with its life.
>>
>> No idea what that is.
>
> You have no idea what a password is or what its used for ? How quaint
> ....

The "bank code". Cards don't have passwords.

> The bottom line is that here you can find someones bank card, but without
> its password its useless to you.
>
>> CVV codes are by definition not stored anywhere so cannot be stolen.
>
> I seem to remember you saying that they where printed on the bank cards
> themselfs. So, what is it ? Some 'Schrodinger's Cat' kind of thing perhaps
> ?

Go back and read the context.

They aren't stored electronically. You have to be in physical possession of
the card. The card may be stolen, but not the "details".

> I also seem to remeber that those numbers wher provided, over the internet
> or in a phone conversation, to the merchant on the other side. That sounds
> to me it can /very easily/ be stolen.
>
> And by the way, I have not seen you respond to when I, effectivily, made fun
> of the uselesness of such a mechanism. How come ?

You're not as funny as you think you are?

>>>>> When I was younger I was taught that running random executables
>>>>> on a 'puter was taking a risk of getting malware.
>>>>
>>>> That's because it was.
>>>
>>> Yep. But the thing you overlooked is that it still is.
>>
>> No it isn't.
>
> Just keep sticking your head in the sand, its no skin off of my back. Good
> luck with that though.
>
> Though is there any reason why you think that, in the below, you can ask me
> for examples of something have happened, but at the same time do not even
> /try/ explain the above, let alone substanciate it ?
>
>> More or less than "random executables"?
>
> *All* apps in that context are "random executables" to me. It just so
> happens that, in what I described, a bunch of them are /purposely/ malicious
> too.
>
> And yes, that means that of the non-purposely malicious ones there are still
> quite a number that, unintended by the developer, are also malicious (due to
> them using other peoples libraries).

"quite a number"? like 6? lol

>>> And thats apart from the well-working non-malicious apps that get sold to
>>> some other "developer", who than make use of the automatic updating
>>> mechanism of an established app to replace it with their own malicious
>>> version of it.
>>
>> Sounds very theoretical and unrealistic.
>
> :-) The updating mechanism for apps is quite well known, and even
> complained about by users who see their app change "under their hands"..
>
>> Any real examples?
>
> You mean something like
> https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485 ?

That's just noise.

> And I'm sure that a little bit of googling will return more stuff like it.
>
> Consider yourself informed.

I will when you actually share some information. Vague hand waving and FUD
is not information.

On 2023-11-15 23:40, Chris wrote:
> Carlos E. R. <robin_listas@es.invalid> wrote:
>> On 2023-11-15 09:35, Chris wrote:
>>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>>> On 2023-11-15 01:44, Chris wrote:
>>>>> R.Wieser <address@is.invalid> wrote:
>>>>>> Chris,
>>>>
>>>> [...]
>>>>
>>>>
>>>>>> I had no idea what a CVV was, so I looked it up and got this :
>>>>>>
>>>>>> https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
>>>>>>
>>>>>> The most humorous part (in a very sad way) of it was this :
>>>>>>
>>>>>> "When you provide this number for an online or phone purchase, the merchant
>>>>>> will submit the CVV when it authorizes the transaction. It's an attempt to
>>>>>> verify that you have the physical card in your possession and that you're
>>>>>> not just using stolen card information."
>>>>>>
>>>>>> I cannot imagine how the merchant, on the other side of an online or phone
>>>>>> connection, will be able to see that you have the bank card in your hands,
>>>>>> and are infact "not just using stolen card information".
>>>>>
>>>>> CVV codes are by definition not stored anywhere so cannot be stolen.
>>>>
>>>> Huh.
>>>>
>>>> When I make a purchase with Amazon, for instance, they ask for *all* the
>>>> data on the card, including the CVV, and they do store it, so that from
>>>> that day on I can make purchases with only a click.
>>>
>>> That's your choice by enabling one-click, however, I've just added a new
>>> card on my account and at no point does it ask for the CVV.
>>
>> I did not enable one click. I have to enter my Amazon password at some
>> point in the purchase.
>
> Then why did you say you "can make purchases with only a click"? Isn't that
> one click?

A click, a few clicks... who cares? :-)
The password I have to enter before that at some point.

If there is confusion, you ask and I clarify.

>
>>>
>>>> They just resubmit
>>>> my card data to my bank and get paid, with my permission. But if they
>>>> are bad guys, they could get money from any client, they have millions
>>>> of cards stored including their cvv numbers.
>>>
>>> I suspect it's more that you've pre-authorised your card for purchases from
>>> Amazon with your bank. No storage of CVV is required.
>>
>> When I added my card to Google Wallet they also asked for the CVV, AFAIR.
>
> That doesn't mean it's stored.

Then why ask for it?

--
Cheers,
Carlos E.R.

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 2023-11-15 23:40, Chris wrote:
>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>> On 2023-11-15 09:35, Chris wrote:
>>>> Carlos E. R. <robin_listas@es.invalid> wrote:
>>>>> On 2023-11-15 01:44, Chris wrote:
>>>>>> R.Wieser <address@is.invalid> wrote:
>>>>>>> Chris,
>>>>>
>>>>> [...]
>>>>>
>>>>>
>>>>>>> I had no idea what a CVV was, so I looked it up and got this :
>>>>>>>
>>>>>>> https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
>>>>>>>
>>>>>>> The most humorous part (in a very sad way) of it was this :
>>>>>>>
>>>>>>> "When you provide this number for an online or phone purchase, the merchant
>>>>>>> will submit the CVV when it authorizes the transaction. It's an attempt to
>>>>>>> verify that you have the physical card in your possession and that you're
>>>>>>> not just using stolen card information."
>>>>>>>
>>>>>>> I cannot imagine how the merchant, on the other side of an online or phone
>>>>>>> connection, will be able to see that you have the bank card in your hands,
>>>>>>> and are infact "not just using stolen card information".
>>>>>>
>>>>>> CVV codes are by definition not stored anywhere so cannot be stolen.
>>>>>
>>>>> Huh.
>>>>>
>>>>> When I make a purchase with Amazon, for instance, they ask for *all* the
>>>>> data on the card, including the CVV, and they do store it, so that from
>>>>> that day on I can make purchases with only a click.
>>>>
>>>> That's your choice by enabling one-click, however, I've just added a new
>>>> card on my account and at no point does it ask for the CVV.
>>>
>>> I did not enable one click. I have to enter my Amazon password at some
>>> point in the purchase.
>>
>> Then why did you say you "can make purchases with only a click"? Isn't that
>> one click?
>
>
> A click, a few clicks... who cares? :-)
> The password I have to enter before that at some point.
>
> If there is confusion, you ask and I clarify.
>
>>
>>>>
>>>>> They just resubmit
>>>>> my card data to my bank and get paid, with my permission. But if they
>>>>> are bad guys, they could get money from any client, they have millions
>>>>> of cards stored including their cvv numbers.
>>>>
>>>> I suspect it's more that you've pre-authorised your card for purchases from
>>>> Amazon with your bank. No storage of CVV is required.
>>>
>>> When I added my card to Google Wallet they also asked for the CVV, AFAIR.
>>
>> That doesn't mean it's stored.
>
> Then why ask for it?

For added security/authorisation for "cardholder not present" transactions.
It is explicitly not stored so that database hacks can't expose it.
https://www.howtogeek.com/728199/what-is-a-cvv-number-on-a-credit-card/

Carlos,

>> Nitpick! The thread is just 104 articles, so you just have to re-read
>> them all.
>
> X'-D

I see you smiling at him, but I do hope you notice he's feeding you a line.

He's mentioning the total number of messages in this thread, but somehow,
wonderously, seems to forget that he would only need to look at /my/ posts.
And thats, in total, 17 (18 with this one). - though just 12 at the moment
he posted his question ...

If you think thats too much work for you (both of you), than why do you
think you may expect me to do it ? Yes, I would need to do the same, to
re-read what I said in context and answer it in that same context.

As for that question ?

>>> As for a smartphone for authentication ? I always found that odd. You
>>> have exactly *zero* control over what is going on on it, and if you make
>>> sure you can (rooting it) you are flagged as "insecure".
>>>
>> What "control" do you want by rooting?
>
> Take a wild guess. But I'll give you a hint : I allready mentioned it in
> this thread.

I'll spell it out for you (and Frank) :

The "Take a wild guess" showed my annoyance, as I've pretty much been
repeating it thru this thread : you have /no/ idea what apps are doing on
your smartphone. The hint was a bit of a joke - as the "*zero* control" is
directly followed by the reason for wanting it : "over whats going on on
it".

As in : being able to monitor if a program/app is obeying its permissions
and what he's doing online (if that permission was granted). And from
there being able to block any unwanted behaviour. Duh.

Regards,
Rudy Wieser

Chris,

> Nice story.

Not so nice, but I recognise refusal when I see it.

> Get better banks.

Funny thing that, they all gave the same answer - "we don't offer that"

>>> Everything has to be foolproof to be useful, right?
>>
>> Nope. But only a fool would try to make the case that because something
>> works most of the time we should therefore ignore when it doesn't.
>
> No-one is ignoring anything.

No-one was ? Than what did you try to say/accomplish there ?

> Turning the world upside down because someone somewhere did a bad
> thing once is hardly proportionate.

Lol. We are talking about the security of smartphones, and you try to turn
that upside-down (side-step it) with your 'but it mostly works well, no ?'
blurb.

> living in fear is a choice you've made.

:-) "Living in fear" is a far cry from acknowledging that problems /could/
arise and thinking how, if that happens, you can deal with it.

But if you think so I take it you do not have any kind of insurances or have
made sure that you can withstand some calamities ?

If you have/did either you are confessing that you yourself have thought
about such problems and, from seeing how you respond to a simple considering
of mine of (bad) possibilies, must be "living in fear" yourself ...

Are you ? If not, why do you think others must ?

> Pretty sure I'm communicating with one.

:-) Funny thing that : I think I've been giving straight-forward answers,
often underbuild. You and others on the other hand ....

Yes, its not funny when you think you can pull a fast one to only get it
thrown back into your face. My suggestion : don't try.

If you think I'm wrong that the least you can do is to explain how you think
I am.

And I'll tell you a secret : I've been known to graciously acknowledge
if/when I made a mistake. To me thats /much/ easier than the "try to get
out of it by digging the hole deeper" method some people seem to prefer.

>>>> Lol ? So anyone who finds a lost card can just pay with it ?
>>>> Fantastic. :-(
>>>
>>> That's always been true.
>>
>> Nope. At least not here.
>
> Of course it has. In the old days ppl would forge signatures from the back
> of cards, or used them over the phone (just like you gave an example) and
> now you can just tap to pay up to �100.

I didn't give that example. And as far as I know that "by phone" is an
American thing. Which I already blasted as stupid.

Also, you're changing the subject from "just use" to "and apply
circumventions". And you might be surprised how hard it is to create an
acceptable faximile of someone elses hancock - and how much time its costs
to get at that level.

But ... that was the old days. Nowerdays writing a cheque on the merchants
counter isn't considered normal anymore, and most of them will refuse to
accept them. In fact, my bank has done away with them.

And that leaves your last "you can just tap to pay up to �100". I can read
that in different ways.

No, you can't keep tapping �100 over-and-over again. After having
accumulated a certain ammount you will get the "dreaded"(?) "Enter PIN
please" response.

And here you are "turning the world upside-down" by pointing at a small (I
hope) loss as being the most important thing, and still having the rest of
your account as a seemingly "meh, who cares".

But yes, I left tapping out of my story. On purpose, as people here seemed
to have enough problems with understanding the rest of what I said.

>>> Nowadays it's easy to block a lost card.
>>
>> Do read up on which part of the loss due to losing a card wil be absorbed
>> by the bank, and which part of it will be yours. You might be surprised
>> to
>> find that any money that went gone before you called the bank is your
>> problem. So, keep checking that you stil have that card on you,
>> otherwise
>> you could be in for a sad surprise.
>
> Unlikely.

"Unlikely" what ?

>>>> No, the "bank code" here is something that isn't on the card and
>>>> is regarded the users "password", to be guearded with its life.
>>>
>>> No idea what that is.
>>
>> You have no idea what a password is or what its used for ? How
>> quaint ....
>
> The "bank code". Cards don't have passwords.

And you ofcourse absolutely missed that I put the word in double quotes, as
you yourself quoted. Take a wild gues why I did that...

And no, playing dumb doesn't score you any points. Or if you get them they
would be negative. For all intents-and-purposes that "bank code"(? see the,
your above quote) *is* the password - though agreed, not a particular strong
one.

>>> CVV codes are by definition not stored anywhere so cannot be stolen.
>>
>> I seem to remember you saying that they where printed on the bank
>> cards themselfs. So, what is it ? Some 'Schrodinger's Cat' kind of
>> thing
>> perhaps ?
>
> Go back and read the context.

Nope. I already pointed out that it happened, now its upto you to explain
how it could. I'm certainly not going to guess to what context you might
think you where in when you wrote either.

>> And by the way, I have not seen you respond to when I, effectivily, made
>> fun
>> of the uselesness of such a mechanism. How come ?
>
> You're not as funny as you think you are?

To me it looks like you have no clue how to respond to it, and just decided
to act if it never happened. Hows that for "not as funny" ?

>> And yes, that means that of the non-purposely malicious ones there are
>> still
>> quite a number that, unintended by the developer, are also malicious (due
>> to
>> them using other peoples libraries).
>
> "quite a number"? like 6? lol

I think you've found a marvelous way to tell us that you have no idea how
many, and could not care less either.

>>> Any real examples?
>>
>> You mean something like
>> https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485 ?
>
> That's just noise.

You're welcome to tell me why you think that.

.... but for some reason I don't think you wll even consider doing so.

>> And I'm sure that a little bit of googling will return more stuff like
>> it.
>>
>> Consider yourself informed.
>
> I will when you actually share some information. Vague hand waving and
> FUD is not information.

Declaring that everything you refuse to be informed about is FUD is one way
to keep your own ideas safe from compromise - even if that compromise might
be beneficial to you.

Kid, I think you've made clear you refuse to discuss the pros and cons most
of everything, so I think its a good idea that we stop bothering each other.

Goodbye.

Regards,
Rudy Wieser

On 2023-11-16 08:48, R.Wieser wrote:
> Carlos,
>
>>> Nitpick! The thread is just 104 articles, so you just have to re-read
>>> them all.
>>
>> X'-D
>
> I see you smiling at him, but I do hope you notice he's feeding you a line.
>
> He's mentioning the total number of messages in this thread, but somehow,
> wonderously, seems to forget that he would only need to look at /my/ posts.
> And thats, in total, 17 (18 with this one). - though just 12 at the moment
> he posted his question ...
>
>
> If you think thats too much work for you (both of you), than why do you
> think you may expect me to do it ? Yes, I would need to do the same, to
> re-read what I said in context and answer it in that same context.

There is a difference:

- Thunderbird search on the Sent folder does work.
- I know what I wrote and thus what to search for.

>
> As for that question ?
>
>>>> As for a smartphone for authentication ? I always found that odd. You
>>>> have exactly *zero* control over what is going on on it, and if you make
>>>> sure you can (rooting it) you are flagged as "insecure".
>>>>
>>> What "control" do you want by rooting?
>>
>> Take a wild guess. But I'll give you a hint : I allready mentioned it in
>> this thread.
>
> I'll spell it out for you (and Frank) :
>
> The "Take a wild guess" showed my annoyance, as I've pretty much been
> repeating it thru this thread : you have /no/ idea what apps are doing on
> your smartphone. The hint was a bit of a joke - as the "*zero* control" is
> directly followed by the reason for wanting it : "over whats going on on
> it".
>
> As in : being able to monitor if a program/app is obeying its permissions
> and what he's doing online (if that permission was granted). And from
> there being able to block any unwanted behaviour. Duh.

Huh, no, if an app doesn't have some permission it simply can not do it,
no matter how hard it tries.

--
Cheers,
Carlos E.R.

Carlos,

> There is a difference:
>
> - Thunderbird search on the Sent folder does work.

I gave you two ways to deal with that. Besides the 'check if your version
has a bug' suggestion.

> - I know what I wrote and thus what to search for.

Franks quote contained the phrase you could have looked for.

Though I hope you do agree that there is quite a difference between "104
articles" and just 12 to work your way thru.

> Huh, no, if an app doesn't have some permission it simply can not do it,
> no matter how hard it tries.

1) Do you know which permissions you actually gave ? I seem to remember a
change where a fine-grained permission granting was replaced by a much
coarser one, putting "similar" permissions together ...

IOW, you might have given a permission you are not even aware of.

2) Tell that to all the malware which makes use of bugs in the OS.

.... as a search (for for example "android zero day") will show you. Like
this :

https://www.bleepingcomputer.com/news/security/september-android-updates-fix-zero-day-exploited-in-attacks/

Yes, thats september *this* year.

But lets stop this. You're making it quite clear that you do not know and
do not *want* to know about it.

Goodbye.

Regards,
Rudy Wieser

On 2023-11-16 12:37, R.Wieser wrote:
> Carlos,
>
>> There is a difference:
>>
>> - Thunderbird search on the Sent folder does work.
>
> I gave you two ways to deal with that. Besides the 'check if your version
> has a bug' suggestion.
>
>> - I know what I wrote and thus what to search for.
>
> Franks quote contained the phrase you could have looked for.
>
> Though I hope you do agree that there is quite a difference between "104
> articles" and just 12 to work your way thru.
>
>> Huh, no, if an app doesn't have some permission it simply can not do it,
>> no matter how hard it tries.
>
> 1) Do you know which permissions you actually gave ? I seem to remember a
> change where a fine-grained permission granting was replaced by a much
> coarser one, putting "similar" permissions together ...
>
> IOW, you might have given a permission you are not even aware of.
>
> 2) Tell that to all the malware which makes use of bugs in the OS.
>
> ... as a search (for for example "android zero day") will show you. Like
> this :
>
> https://www.bleepingcomputer.com/news/security/september-android-updates-fix-zero-day-exploited-in-attacks/
>
> Yes, thats september *this* year.
>
> But lets stop this. You're making it quite clear that you do not know and
> do not *want* to know about it.

No, I make clear that I do not agree with you.

>
> Goodbye.
>
> Regards,
> Rudy Wieser
>
>

--
Cheers,
Carlos E.R.

R.Wieser <address@is.invalid> wrote:
> Carlos,
>
> >> Nitpick! The thread is just 104 articles, so you just have to re-read
> >> them all.
> >
> > X'-D
>
> I see you smiling at him, but I do hope you notice he's feeding you a line.
>
> He's mentioning the total number of messages in this thread, but somehow,
> wonderously, seems to forget that he would only need to look at /my/ posts.
> And thats, in total, 17 (18 with this one). - though just 12 at the moment
> he posted his question ...

Nope. What *you* seem to conveniently 'forget' is what I said in the
part of my post which you snipped (Clue-by-four: "You'll need to do
that, because ..."). As said many times before, your frantic dishonest
silent snipping and 'forgetting' context doesn't make that context go
away. Bummer, but that's life on NetNews.

And BTW, I didn't pose the question (you refused to answer), Chris
did. But never mind such details.

[...]

Chris <ithinkiam@gmail.com> wrote:
> R.Wieser <address@is.invalid> wrote:
> > Chris,
> >
> >> I can cancel any direct debit or standing order purely from my banking
> >> app.
> >
> > Good for you. But thats, as mentioned, not how it works here (or worked, it
> > was some time ago).
[...]
> >> That's what direct debits allow say for paying off the minimum payment
> >> required on a credit card. It varies a lot month by month. That's a useful
> >> feature.
> >
> > Agreed, its a usefull feature. But as said, the banks here do not offer
> > anything of the kind.
>
> Get better banks.

Because of his constantly silently snipping context, it's hard to be
sure what he's referring to, but assuming the most logical, cancel any
direct debit or standing order from one's bank app or website, then one
*can* do so "here" (in The Netherlands).

[...]

> >>> Lol ? So anyone who finds a lost card can just pay with it ?
> >>> Fantastic. :-(
> >>
> >> That's always been true.
> >
> > Nope. At least not here.
>
> Of course it has. In the old days ppl would forge signatures from the back
> of cards, or used them over the phone (just like you gave an example) and
> now you can just tap to pay up to £100.
>
> > And you could have known that, as I just
> > described that we have a (four digit) "password" here that we are not
> > supposed to share with anyone. You even quoted i.
> >
> >> Nowadays it's easy to block a lost card.
> >
> > Do read up on which part of the loss due to losing a card wil be absorbed by
> > the bank, and which part of it will be yours. You might be surprised to
> > find that any money that went gone before you called the bank is your
> > problem. So, keep checking that you stil have that card on you, otherwise
> > you could be in for a sad surprise.
>
> Unlikely.
>
> >>> No, the "bank code" here is something that isn't on the card and is
> >>> regarded the users "password", to be guearded with its life.
> >>
> >> No idea what that is.
> >
> > You have no idea what a password is or what its used for ? How quaint
> > ....
>
> The "bank code". Cards don't have passwords.
>
> > The bottom line is that here you can find someones bank card, but without
> > its password its useless to you.

You're obviously talking about credit cards, but, without saying so,
he's talking about debit cards. Debit cards - at least 'here' (NL) - do
have a (4-digit) PIN code. His use of "password" (with and without
quotes) and "bank code" (in quotes) is just confusing things, because
everybody knows what a PIN code is, so he should just have used the
correct term and there wouldn't have been any - or at least less -
confusion.

Without the PIN code, the debit card is useless, so therefor he
implied - with another illconceived 'joke' - someone who finds a lost
debit card (or steals a debit card) cannot do anything with it. (Unless
it's set up for contactless payments, in which case there normally is a
low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
code is again required.)

[...]

Frank Slootweg <this@ddress.is.invalid> wrote:
> Chris <ithinkiam@gmail.com> wrote:
>> R.Wieser <address@is.invalid> wrote:
>>> Chris,
>>>
>>>> I can cancel any direct debit or standing order purely from my banking
>>>> app.
>>>
>>> Good for you. But thats, as mentioned, not how it works here (or worked, it
>>> was some time ago).
> [...]
>>>> That's what direct debits allow say for paying off the minimum payment
>>>> required on a credit card. It varies a lot month by month. That's a useful
>>>> feature.
>>>
>>> Agreed, its a usefull feature. But as said, the banks here do not offer
>>> anything of the kind.
>>
>> Get better banks.
>
> Because of his constantly silently snipping context, it's hard to be
> sure what he's referring to, but assuming the most logical, cancel any
> direct debit or standing order from one's bank app or website, then one
> *can* do so "here" (in The Netherlands).

I suspected as much.

>
>>>>> Lol ? So anyone who finds a lost card can just pay with it ?
>>>>> Fantastic. :-(
>>>>
>>>> That's always been true.
>>>
>>> Nope. At least not here.
>>
>> Of course it has. In the old days ppl would forge signatures from the back
>> of cards, or used them over the phone (just like you gave an example) and
>> now you can just tap to pay up to £100.
>>
>>> And you could have known that, as I just
>>> described that we have a (four digit) "password" here that we are not
>>> supposed to share with anyone. You even quoted i.
>>>
>>>> Nowadays it's easy to block a lost card.
>>>
>>> Do read up on which part of the loss due to losing a card wil be absorbed by
>>> the bank, and which part of it will be yours. You might be surprised to
>>> find that any money that went gone before you called the bank is your
>>> problem. So, keep checking that you stil have that card on you, otherwise
>>> you could be in for a sad surprise.
>>
>> Unlikely.
>>
>>>>> No, the "bank code" here is something that isn't on the card and is
>>>>> regarded the users "password", to be guearded with its life.
>>>>
>>>> No idea what that is.
>>>
>>> You have no idea what a password is or what its used for ? How quaint
>>> ....
>>
>> The "bank code". Cards don't have passwords.
>>
>>> The bottom line is that here you can find someones bank card, but without
>>> its password its useless to you.
>
> You're obviously talking about credit cards, but, without saying so,
> he's talking about debit cards. Debit cards - at least 'here' (NL) - do
> have a (4-digit) PIN code. His use of "password" (with and without
> quotes) and "bank code" (in quotes) is just confusing things, because
> everybody knows what a PIN code is, so he should just have used the
> correct term and there wouldn't have been any - or at least less -
> confusion.
>
> Without the PIN code, the debit card is useless, so therefor he
> implied - with another illconceived 'joke' - someone who finds a lost
> debit card (or steals a debit card) cannot do anything with it. (Unless
> it's set up for contactless payments, in which case there normally is a
> low - 50 Euro or so - maximum risk. When the limit is reached, the PIN
> code is again required.)

Credit/debit card doesn't matter. To the merchant they work the same so are
prone to the same risks.

They both have CVVs which are never stored and have contactless
capabilities that can be used to pay for things without the owner's
knowledge if stolen.

R.Wieser <address@is.invalid> wrote:
> Chris,
>
>> Nice story.
>
> Not so nice, but I recognise refusal when I see it.
>
>> Get better banks.
>
> Funny thing that, they all gave the same answer - "we don't offer that"

You lie.

[ .. snip .. ]

You're trying argue that some vague or extremely rare scenarios are
evidence of systemic failures with smartphones and/or banking. Unless you
can evidence real, ubiquitous issues then you shut up.