[Dataloss] (update) eBay forum mysteriously leaks account details on 1, 200 users

[Avery Sawaba]

CVV is definitely used online, or anywhere a merchant wants to reduce
risk (and therefore the rate they are charged by their processor). The
security code concept is supposed to be a greater guarantee that the
person using a card has it in their physical possession, since the
only place you are supposed to be able to find it is physically
printed on the back of the card. Its purpose is very similar to that
of a PIN number.

The only time security codes are requested (or should be requested) is
right before a transaction is processed. The codes are validated in
real time.

--Sawaba

On 9/26/07, Cory Gould <corygould at gmail.com> wrote:
> Why would ebay have credit cards to begin with, unless paypal was breeched
> and the ebay discussion group used to spread the word. Also, correct me if
> I'm wrong but I don't believe paypal/ebay requests CVV2 information when
> signing up anyway. In fact, the only time I'm required to give out that
> information is when using a credit card over the phone, never online.
>
> On 9/26/07, Avery Sawaba <avery.sawaba at gmail.com> wrote:
> >
> > On 9/26/07, Arsen Shirokov <1and1 at canadaballoons.com> wrote:
> > > The fact that the data was posted on eBay forum doesn't necessarily
> > > mean it was stolen from eBay.
> >
> > Hence my disclaimer, "If this information is accurate". The fact that
> > CVV2 data is included may help disprove their claim, as it is highly
> > unlikely that someone like Ebay would be foolish enough to do so.
> >
> > --Sawaba
> > _______________________________________________
> > Dataloss Mailing List (dataloss at attrition.org)
> > http://attrition.org/dataloss
> >
> > Tenable Network Security offers data leakage and compliance monitoring
> > solutions for large and small networks. Scan your network and monitor your
> > traffic to find the data needing protection before it leaks out!
> > http://www.tenablesecurity.com/products/compliance.shtml
> >
>
>