All 0s (zeros) in a bank card's CVC code

  • My bank card recently expired. I got a new one and this one turned out to be "lucky": its CVC code was 000.

    CVC code is 000

    For a few months I used it extensively, both online and offline, without any difficulties - until the day when I entered my card details on Booking.com. I filled in the form, clicked "submit" - only to see the page discard the value in the CVC field and demand that I enter it again.

    I contacted support. They confirmed that CVC code "000" is not acceptable because it is considered not secure enough (not an exact quote unfortunately, as the conversation was in Estonian), and they suggested that I order a new bank card where the CVC code would be different from "000".

    That puzzled me. As a former tester, I'm quite used to situations where I think I'm reporting a bug and then I'm told it is actually a feature, but this time it was somewhat against common sense. My current work is also related to information security and I can think of three reasons their claim doesn't make sense:

    1. CVC is not just a random number; there is a certain algorithm for generating it. This, in turn, means that all values are equally probable and certain numbers can't just be excluded from it.
    2. I have already used this card with a number of other online services, including Amazon Web Services, whose security is out of any doubts.
    3. I don't quite understand what "not secure enough" means. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick myself, it's something I'm given by a bank, and if the bank thinks it's secure, then it must be treated as such.

    Their response was very polite but not very helpful: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".

    I forwarded the mail chain to my bank and asked for their advice. They told me they'd issue a new card for free, which solved the problem for me.

    However, I still wonder:

    1. Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zero" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like complete nonsense to me. I tried googling, but couldn't find anything.
    2. From a practical point of view, how reasonable is it to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?

    Update: Tough choice on which answer to accept... I liked the answer from Alexander O'Mara a lot - it is detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on the internals of hotel business.

    Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let you know about the outcome.

    Update 2: After several months of trying to contact Booking.com's support I officially give up. I haven't gone any further than a countless number of support tickets that were not even confirmed, let alone acted on, and a couple of phone calls where I explained the situation and got nothing but a canned email "we are trying very hard to solve your problem". Bottom line: Booking.com's support doesn't work - unless your problem is very standard, it won't be solved nor escalated to higher management.

    The bug still exists. I'm now assured that it is nothing but a software bug, because CVC "000" is perfectly accepted when you add a new card, but it doesn't work when you are trying to update an expired (or otherwise invalid) card. Here are the repro steps:

    1. Create a new booking that requires immediate payment.
    2. Enter an invalid card (expired or blocked).
    3. When the system sends a notification that the card can't be processed, select "update card details" and enter details of a valid card with CVC code 000.

    Expected result: the card data gets accepted for further processing.

    Actual result: the entered CVC code gets discarded and the dialog window complains that CVC code is not entered.

    Your reasoning is entirely correct, that's the long and short of it. Looks like `booking.com` employs some moron managers (I bet this wasn't an engineering decision).

    "they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" - I'd like to know why a bank would produce a forged card with 000 on it.

    @MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.

    That's fine and wholly irrelevant to the quote I was responding to. Sample cards (like you suggest) are not the same as forgeries. The person claiming "the bank did it" is suggesting that somehow the bank is able to make the card have 000 for its CVV, which would be impossible if the bank did not also produce the card. Perhaps they are forging other banks' cards...

    @Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly you are expecting to see on the other side :)

    As a wild speculation, booking.com had a bug where the code could not tell the difference between somebody entering 000 and somebody leaving the field blank. Instead of fixing it properly they reject 000 as a CVC. The programmer should be fired, but you don't have that option. As I see it, you can either use a different vendor for hotels or call your bank and declare the card lost/stolen. They will issue a new card with a new number. With any luck the CVC will not be 000.

    For what it's worth, "a way banks indicate that the card is a forgery" *could* be a garbled/ill-worded form of trying to express that it's how banks *recognize some* forgeries (that are lazy enough not to bother with producing a less special looking number).

    Hate to say it but @Harper's answer is likely the correct one. Occam's Razor should apply here; Zoey and Alexander's answers are plausible, but ultimately they're just grafting contrived logic onto a simple software bug. This is exacerbated by the fact that no one you could ever speak to on a customer service line would know anything about the system's back-end design, nor could they even hope to reach someone on the web development team even if they wanted to.

    Minor nitpick: the fact that CVC is calculated with a deterministic algorithm isn't enough to show that all values are possible and equally probable.

    @WesSayeed, I agree that this is probably a bug, turned into a feature by stubborn and lazy management. That's why I'm going to give it another try and insist on getting this fixed.

    @VladNikiforov If they aren't willing to fix it, simply write up this story on an appropriate website (e.g. medium.com), then share it on appropriate social media (e.g. /r/programming on reddit). The amount of shaming booking.com will get for their incompetence will force them to fix it.

    *Amazon, whose security is out of any doubts* - wut? And you work in this sector?

    @Mazura, I probably should have been more specific - I meant AWS. I have no experience with the rest of Amazon, but AWS never spawned any doubts.

    CVC is considered confidential, similar to a PIN. Since you have shared it here, please be sure to get a new one.

    Some new cards have a dynamic CVV (DCV), changing every half-hour or so... If you have such a card and 000 shows up, just wait for the next CVV to show up.

    Contact your card network (Visa/Mastercard) and file a complaint that the site maliciously refuses to accept your valid card. Visa has arguments big enough to make them fix their code. The site is displaying the logo under a certain contract, and groundless refusal is probably violating it.

    @Luc Or worse, this was the decision of a lazy/inept engineer.

    Does this mean booking.com is rejecting 1 out of every 1000 valid credit cards — assuming all CVCs are equally likely?

    Assuming Amazon security is not to be doubted is a flaw; Amazon handles risk by using insurance and the fact that they can accept fraud to some extent as long as most customers are happy. Amazon even uses non-ACID DBs to handle stock, as they can deal with eventual stock mistakes by refunding or offering something else to their customers.

    When designing the Enigma machines, the Germans prevented it from using any permutations in which a letter was mapped to itself, because that didn't *look* secure. This gave Allied cryptographers an easy way to quickly rule out large numbers of candidate keys. If the permutations that *looked* insecure had been permitted, it's quite possible that Enigma would never have been broken. The only thing prohibiting 000 does is give attackers a smaller set to guess from.

    @MrWhite Updated the post to specifically point to AWS, not just Amazon. Sorry for not making this clear in the first place.

    @Colin'tHart - it's likely booking.com rejects even more than that, because hotel bookings is a very high fraud area and their fraud detection probably has a non-negligible number of false positives. But it's also possible some credit card issuers purposefully do not issue cards with 000 as the CVV, so it may not be the case that 1 in 1000 cards has 000 as the CVV.

    @Luc I'd be absolutely shocked if this wasn't a poor engineering decision/bug that a manager later misunderstood or lied about. There are undoubtedly many sites that treat the input as an integer instead of a string, viewing `000` as `0`, and would treat `0` as invalid or as a default representing nothing being entered.

    I just googled this as I'm on the merchant end of this situation. Our payment processor that handles transactions automatically declines the transaction as an invalid security code; it's a major payment processor. I've argued the same thing, it's a code given to the card that can be verified, but it's an auto rejection.

  • Zoey (Correct answer), 2 years ago

    Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.

    Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.

    This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc. We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.

    Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.

    The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.

    Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.

    @aidanh010 smaller hotels often don't bother with it, either because they aren't familiar with the process or they assume it's too much effort for little benefit

    Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?

    Actually it seems optional: https://partnerhelp.booking.com/hc/en-gb/articles/115003200353?utm_source=checkin&utm_medium=link&utm_content=preauthorisation

    But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?

    This explanation about booking.com's handling of credit card data raises the question for me whether their process is actually PCI DSS compliant, or in violation thereof. One could argue that they do not do authorization and thus are not in violation ("Sensitive authentication data must not be stored after authorization (even if encrypted)."), but this would seem like a pretty bad way of dealing with sensitive credit card information...

    @gnasher729: Well, they didn't know. Now, after this answer has been posted, on the other hand ... ;)

    @Lucero That procedure is standard for travel. If you book a flight, the airline is the one who charges your card, not the travel site, you're going to a travel "agent" not "reseller". Hotels, cruises, rental cars are the same. The only exception is when you're purchasing a heavily discounted opaque fare (Priceline, Hotwire, packages, etc.).

    IMO, buggy validation like `if (!(int(cvv) && checkCvv(cvv))) { return "It's not valid CVV" }` is a much more likely explanation why this got rejected rather than being a deliberate security design decision.

    This makes me wonder if OP could have entered any other value as CVV and successfully get the booking. If yes, it would have to be fixed later with the hotel (“_oh sorry, it was a typo_”). If not, it means there is a stronger check afterwards, making the "000" check irrelevant… Well, except maybe if the stronger check is a paying service, which is also possible. They would most likely not communicate about it if it was the case, I guess.

    @gnasher729: I don't think the 25% of those using fake credit card numbers to book hotels without showing up are scammers.

    Why exactly would scammers book hotels and not show up? Is this a way to see if the credit card is still valid? Seems silly if it winds up not getting charged anyways b/c they didn't show up.

    I'm curious if places avoid doing the $1 charge system, because it costs them money. A credit card provider usually charges at least 3% to process the card transaction. If they did a charge of $1, and refund it, they may only receive 97c and then return $1, losing 3c. This could cost them a lot of money in the long run if fake cards are used (but are given an allocation of $1 to look valid).

    @RichardDuerr it depends how much you lost on a fake booking I guess? I would guess they stand to lose more than 3c per fake booking

    @Patrice Yup, I would argue they did (loss of labor, possible printing, time, etc). I just simplified it to make it easier to grok.

    This answer hinges on the assumption that 000 translates to a fake booking. But it provides no reasoning on how those two are connected. I read it as "Why are you wearing a green sweater? Because mom is sleeping." It needs to establish some link, like "all my other sweaters make noises when I move".

    @Lucero technically, if booking.com doesn't charge credit cards themselves at all then they wouldn't have to comply with PCI DSS, as it's a private standard. But it's definitely absurd to store a CVV and transmit it to a third party--I certainly would never use such a service. If nobody can be bothered to deal with credit cards, the least they could do is use Stripe and never have to touch the data.

    @aidanh010 Well, I guess because, surprisingly enough, credit and debit cards don't work the same all over the world. Recently I bought something off a US merchant with my Argentina debit card. Then the order was canceled and the charge wasn't removed. The merchant told me they didn't charge my card, but only put an authorization on it. My bank told me debit cards in Argentina don't do authorizations, only charges. Now my money is in limbo and 2 months later I'm still not able to get it back.

    @gnasher729 I suspect the problem here isn't smart, motivated scammers, if 90% of the entries with fake details don't show up. 000 is probably just the person being lazy.

    @RichardDuerr Hotels wouldn't normally use a charge to "check" a card; they'd place an authorization hold for the base cost of the stay, ensuring that the card can be charged for at least that amount at the end of the stay. I have no idea why any hotel would not do this simple and common procedure.
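Several comments above (the "treat the input as an integer instead of a string" remark on the question, and the `if (!(int(cvv) && checkCvv(cvv)))` sketch under this answer) describe the same defect: a form handler that coerces the CVC to a number and then uses truthiness to decide whether the field was filled in, so that "000" becomes 0 and is indistinguishable from an empty field. The example below is added here to illustrate that failure mode and is not Booking.com's code or anything posted in the thread; the function names and the sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the original thread): a CVC validator written the
// buggy way (numeric coercion + truthiness) beside one that keeps the value as
// a string. All sample inputs are constructed; nothing here talks to a real
// payment processor.

// Buggy pattern. parseInt("000") is 0, and 0 is falsy, so a genuine CVC of
// 000 is reported as "not entered". The same check also lets "12a" through
// (parseInt stops at the first non-digit) and drops leading zeros on output.
function validateCvcBuggy(raw) {
  const n = parseInt(raw, 10);
  if (!n) return { ok: false, reason: "CVC not entered" };
  if (n < 0 || n > 9999) return { ok: false, reason: "CVC out of range" };
  return { ok: true, value: String(n) }; // "042" silently becomes "42"
}

// Correct pattern. The CVC is an opaque string of digits, not a number:
// presence and format are checked separately, and the value is never coerced.
// Visa/Mastercard use 3 digits, American Express uses 4, so 3 or 4 ASCII
// digits is the only structural constraint a front end should impose.
function validateCvc(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "CVC not entered" };
  const cvc = raw.trim();
  if (cvc.length === 0) return { ok: false, reason: "CVC not entered" };
  if (!/^[0-9]{3,4}$/.test(cvc)) {
    return { ok: false, reason: "CVC must be 3 or 4 digits" };
  }
  return { ok: true, value: cvc };
}

// Constructed inputs covering the cases the thread argues about: a real
// all-zero code, a code with a leading zero, a blank field, a missing field,
// and junk that a numeric parser would partially accept.
const SAMPLE_INPUTS = ["000", "042", "472", "1234", "", undefined, "12a", "00000"];

// Runs both validators over the samples so the divergence is visible in one
// table; returns the rows so they can be inspected programmatically.
function compareValidators(inputs = SAMPLE_INPUTS) {
  return inputs.map((input) => ({
    input: input === undefined ? "(missing)" : JSON.stringify(input),
    buggy: validateCvcBuggy(input),
    correct: validateCvc(input),
  }));
}

// Counts how many of the inputs the two validators disagree on; for the
// constructed samples that is "000", "042" (mangled value) and "12a".
function countDisagreements(inputs = SAMPLE_INPUTS) {
  return compareValidators(inputs).filter(
    (row) =>
      row.buggy.ok !== row.correct.ok ||
      (row.buggy.ok && row.buggy.value !== row.correct.value)
  ).length;
}

for (const row of compareValidators()) {
  console.log(
    row.input.padEnd(10),
    "buggy:", JSON.stringify(row.buggy).padEnd(42),
    "correct:", JSON.stringify(row.correct)
  );
}
```

The point of keeping the CVC as a string goes beyond the 000 case: leading zeros are significant, a numeric parser accepts partially numeric garbage, and a "did the user enter anything" check should look at the raw field, never at the parsed value. The same reasoning applies to any fixed-width digit field such as a PIN or a postal code.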

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM