One time CVV for virtual cards

#1

There’s something I love about my Mexican bank: they gave me a virtual card with dynamic / one time CVV.

This would be very useful. Beside the disposable cards.

4 Likes

#2

Can you give a specific use case for this over the disposable cards. (Other than typing speed)

0 Likes

#3

Websites with pre authorisation? Dunno exactly how disposable works when the website charges once 1€ to verify then tries to charge the amount (example Microsoft)
Airlines/ ferry and any other means of transportation which might ask you to show “the card”

0 Likes

#4

The system can recognize pre-authorizations. Seems to work in most cases. This feature was added later.

0 Likes

#5

Interesting feature indeed. Yet I’m wondering how safe it can be? I think it’s easier to brake a 3 digits code than trying to associate random numbers to an unknown card number (be it virtual or physical).

Can anyone, who knows it better, enlighten us? If that can be a safe option to have dynamic CCV, then I would be in favour of it.

2 Likes

#6

Physical cards I’d like to have the standard CVV + 3D secure.

But the virtuales with dynamic CVV and no 3D secure (or the “light bypass one”)

0 Likes

#7

3DS will be mandatory in the EU this autumn. So that ship has sailed.

0 Likes

#8

With 3DS it looses the benefits of having a changing CVV.

BTW: Does anybody exactly know that will be mandatory in the EU regarding 3DS? Does it cover all transactions done by a card issued within the EU (or perhaps issued to residents of the EU, which is not necessary the same), independent of it’s use? Meaning, all online shops, be it the ones run by EU companies as well as all others outside the EU (US, Asia, …) require it?

If it’s an all in and it’s not allowed to process a single transaction without 3DS, then rotating CVV probably is no longer required. If not, it might still have its use.

BTW: @Big-B Guessing a 3-digit number is quite hard if you have 3 attempts and then the card is locked.

0 Likes

#9

It’s a little bit more complex, but the general idea is that 2FA should be applied for transactions above a certain limit, similar to how contactless card payments do not need 2FA right now. And then there are exemptions for recurring transactions with “trusted” merchants. Here’s a good overview: https://www.adyen.com/blog/psd2-understanding-strong-customer-authentication

1 Like

#10

Thank you for that link. For me, as it’s not an absolute mandatory system, the rotating CVV is still a good idea to be implemented.

What both systems for me lack is the user possibilities to have a fine grained control of what is allowed and what not. The described working could be a default setting at the start. But for me, especially the general allowance for recurring payments is much too open. I want, as a user, have full control over who I allow to automatically place recurring payments, in the same way they implement white lists to avoid 3DS for my trusted merchants. So the benefit of having a virtual Revolut card for online transactions and having it disabled while not expecting a transaction seems still to be the best option, even with the added security of 3DS because it still has huge holes.

0 Likes

#11

3DS can be awful sometimes. Just relying on a phone number scares me.

For example my credit card bank didn’t wanted to change my number to a foreign one and I wasn’t able to make online payments while traveling (booking a flight) because my network apparently had almost no roaming in Iran.

My other bank where I have the debit cards changed the number to any country I wanted, like revolut.

But still. Maybe no signal. Apocalypse. Hurricane. System down. Etc. I hate SMS (and regular phone calls) :))

1 Like

#12

I fully agree that SMS is no proper 2FA in today’s world. All should know that this is unsafe as it can be easily intercepted. The network used by Telcos to send SMS is in no way a safe network.

I more think about a proper 2FA App on a phone where I get a popup with the transaction details and I can hit yes/no as appropriate. Obviously, internet is required. But as we’re talking about online transactions, this should be ok.

1 Like

#13

3DS with N26 is pretty good. That’s the way to implement it.

0 Likes

#14

How is it? I haven’t got my N26 card yet

0 Likes

#15

It’s just all in app. Similar to how transfers are confirmed in app when initiated through online banking.

0 Likes

#16

bunq has rotating CVC on both virtual and physical cards, which I also like very much :slight_smile:

0 Likes

#17

Indeed sms isn’t the best way. Just like others sometimes I find myself in trouble when entering a country where no roaming is possible (due to various reasons) and my bank wouldn’t allow changing my phone number to a local one.
There should be an adequate solution for approving and securing the transactions without sms confirmation.

0 Likes

#18

Like this? :wink:

3 Likes

#19

Looks good! :smiley: That should be available and enforceable for every online transaction.

0 Likes