All 0's (zeros) in a bank card's CVC code
As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.
For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.
I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".
That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:
- First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.
- Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.
- Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.
The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".
I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.
However, I still puzzled:
- Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.
- From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?
Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.
Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.
credit-card
asked Dec 22 at 20:30
Vlad Nikiforov
47827
New contributor
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
 |Â
show 10 more comments
As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.
For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.
I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".
That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:
- First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.
- Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.
- Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.
The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".
I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.
However, I still puzzled:
- Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.
- From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?
Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.
Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.
credit-card
asked Dec 22 at 20:30
Vlad Nikiforov
47827
New contributor
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
29
Your reasoning is entirely correct, that's the long and short of it. Looks likebooking.comemploys some moron managers (I bet this wasn't an engineering decision).
– Luc
Dec 22 at 23:03
45
"they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
– Mike Caron
Dec 23 at 0:46
4
@MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
– Loren Pechtel
Dec 23 at 5:13
6
@Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
– Vlad Nikiforov
2 days ago
2
Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
– Jérôme
2 days ago
 |Â
show 10 more comments
As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.
For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.
I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".
That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:
- First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.
- Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.
- Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.
The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".
I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.
However, I still puzzled:
- Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.
- From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?
Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.
Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.
credit-card
asked Dec 22 at 20:30
Vlad Nikiforov
47827
New contributor
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.
For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.
I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".
That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:
- First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.
- Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.
- Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.
The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".
I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.
However, I still puzzled:
- Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.
- From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?
Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.
Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.
credit-card
credit-card
asked Dec 22 at 20:30
Vlad Nikiforov
47827
New contributor
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Dec 22 at 20:30
Vlad Nikiforov
47827
New contributor
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
asked Dec 22 at 20:30
Vlad Nikiforov
47827
New contributor
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked Dec 22 at 20:30
Vlad Nikiforov
47827
asked Dec 22 at 20:30
Vlad Nikiforov
47827
47827
New contributor
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
29
Your reasoning is entirely correct, that's the long and short of it. Looks likebooking.comemploys some moron managers (I bet this wasn't an engineering decision).
– Luc
Dec 22 at 23:03
45
"they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
– Mike Caron
Dec 23 at 0:46
4
@MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
– Loren Pechtel
Dec 23 at 5:13
6
@Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
– Vlad Nikiforov
2 days ago
2
Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
– Jérôme
2 days ago
 |Â
show 10 more comments
29
Your reasoning is entirely correct, that's the long and short of it. Looks likebooking.comemploys some moron managers (I bet this wasn't an engineering decision).
– Luc
Dec 22 at 23:03
45
"they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
– Mike Caron
Dec 23 at 0:46
4
@MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
– Loren Pechtel
Dec 23 at 5:13
6
@Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
– Vlad Nikiforov
2 days ago
2
Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
– Jérôme
2 days ago
29
29
Your reasoning is entirely correct, that's the long and short of it. Looks like
booking.com employs some moron managers (I bet this wasn't an engineering decision).– Luc
Dec 22 at 23:03
Your reasoning is entirely correct, that's the long and short of it. Looks like
booking.com employs some moron managers (I bet this wasn't an engineering decision).– Luc
Dec 22 at 23:03
45
45
"they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
– Mike Caron
Dec 23 at 0:46
"they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
– Mike Caron
Dec 23 at 0:46
4
4
@MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
– Loren Pechtel
Dec 23 at 5:13
@MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
– Loren Pechtel
Dec 23 at 5:13
6
6
@Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
– Vlad Nikiforov
2 days ago
@Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
– Vlad Nikiforov
2 days ago
2
2
Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
– Jérôme
2 days ago
Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
– Jérôme
2 days ago
 |Â
show 10 more comments
3 Answers
3
active
oldest
votes
Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.
Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.
This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.
Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.
The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.
answered Dec 23 at 1:21
Zoey
61147
34
Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20
35
Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
2 days ago
9
Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
2 days ago
14
But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago
13
IMO, buggy validation likeif (!(int(cvv) && checkCvv(cvv))) return "It's not valid CVV"is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
– Lie Ryan
2 days ago
 |Â
show 6 more comments
The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).
From practical point of view, how reasonable it is to decline "000" as insecure?
It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.
Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.
Some examples include:
- IP address 1.1.1.1
- Version checking bugs like "10" < "9" if only the first character in the string is checking
- Names with non-alpha character (like the apostrophe in my name)
It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.
answered Dec 22 at 21:57
Alexander O'Mara
7,09142734
83
var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
– Mike Caron
Dec 23 at 0:47
3
The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18
3
@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
2 days ago
10
You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
2 days ago
4
@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
yesterday
 |Â
show 5 more comments
This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.
It's a software bug. They can't admit it.
Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:
if ($CVC) # is CVC field present?
In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.
In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.
So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.
Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.
answered 2 days ago
Harper
1,234412
7
The string000doesn't evaluate false in Perl, Python or JavaScript.
– Blrfl
2 days ago
8
Well, in JavaScript, if you compare"000"to false ("000" == false) with just 2 equals signs, it will evaluate totrue.
– Stefnotch
2 days ago
3
It's more likely a case of what Mike Caron says:if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
– John Dvorak
2 days ago
1
@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago
2
@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago
 |Â
show 8 more comments
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.
Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.
This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.
Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.
The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.
answered Dec 23 at 1:21
Zoey
61147
34
Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20
35
Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
2 days ago
9
Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
2 days ago
14
But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago
13
IMO, buggy validation likeif (!(int(cvv) && checkCvv(cvv))) return "It's not valid CVV"is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
– Lie Ryan
2 days ago
 |Â
show 6 more comments
Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.
Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.
This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.
Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.
The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.
answered Dec 23 at 1:21
Zoey
61147
34
Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20
35
Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
2 days ago
9
Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
2 days ago
14
But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago
13
IMO, buggy validation likeif (!(int(cvv) && checkCvv(cvv))) return "It's not valid CVV"is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
– Lie Ryan
2 days ago
 |Â
show 6 more comments
Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.
Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.
This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.
Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.
The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.
answered Dec 23 at 1:21
Zoey
61147
Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.
Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.
This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.
Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.
The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.
answered Dec 23 at 1:21
Zoey
61147
answered Dec 23 at 1:21
Zoey
61147
answered Dec 23 at 1:21
Zoey
61147
answered Dec 23 at 1:21
Zoey
61147
61147
34
Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20
35
Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
2 days ago
9
Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
2 days ago
14
But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago
13
IMO, buggy validation likeif (!(int(cvv) && checkCvv(cvv))) return "It's not valid CVV"is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
– Lie Ryan
2 days ago
 |Â
show 6 more comments
34
Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20
35
Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
2 days ago
9
Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
2 days ago
14
But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago
13
IMO, buggy validation likeif (!(int(cvv) && checkCvv(cvv))) return "It's not valid CVV"is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
– Lie Ryan
2 days ago
34
34
Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20
Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20
35
35
Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
2 days ago
Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
2 days ago
9
9
Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
2 days ago
Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
2 days ago
14
14
But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago
But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago
13
13
IMO, buggy validation like
if (!(int(cvv) && checkCvv(cvv))) return "It's not valid CVV" is a much more likely explanation why this got rejected rather than being a deliberate security design decision.– Lie Ryan
2 days ago
IMO, buggy validation like
if (!(int(cvv) && checkCvv(cvv))) return "It's not valid CVV" is a much more likely explanation why this got rejected rather than being a deliberate security design decision.– Lie Ryan
2 days ago
 |Â
show 6 more comments
The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).
From practical point of view, how reasonable it is to decline "000" as insecure?
It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.
Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.
Some examples include:
- IP address 1.1.1.1
- Version checking bugs like "10" < "9" if only the first character in the string is checking
- Names with non-alpha character (like the apostrophe in my name)
It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.
answered Dec 22 at 21:57
Alexander O'Mara
7,09142734
83
var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
– Mike Caron
Dec 23 at 0:47
3
The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18
3
@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
2 days ago
10
You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
2 days ago
4
@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
yesterday
 |Â
show 5 more comments
The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).
From practical point of view, how reasonable it is to decline "000" as insecure?
It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.
Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.
Some examples include:
- IP address 1.1.1.1
- Version checking bugs like "10" < "9" if only the first character in the string is checking
- Names with non-alpha character (like the apostrophe in my name)
It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.
answered Dec 22 at 21:57
Alexander O'Mara
7,09142734
83
var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
– Mike Caron
Dec 23 at 0:47
3
The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18
3
@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
2 days ago
10
You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
2 days ago
4
@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
yesterday
 |Â
show 5 more comments
The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).
From practical point of view, how reasonable it is to decline "000" as insecure?
It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.
Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.
Some examples include:
- IP address 1.1.1.1
- Version checking bugs like "10" < "9" if only the first character in the string is checking
- Names with non-alpha character (like the apostrophe in my name)
It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.
answered Dec 22 at 21:57
Alexander O'Mara
7,09142734
The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).
From practical point of view, how reasonable it is to decline "000" as insecure?
It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.
Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.
Some examples include:
- IP address 1.1.1.1
- Version checking bugs like "10" < "9" if only the first character in the string is checking
- Names with non-alpha character (like the apostrophe in my name)
It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.
answered Dec 22 at 21:57
Alexander O'Mara
7,09142734
answered Dec 22 at 21:57
Alexander O'Mara
7,09142734
answered Dec 22 at 21:57
Alexander O'Mara
7,09142734
answered Dec 22 at 21:57
Alexander O'Mara
7,09142734
7,09142734
83
var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
– Mike Caron
Dec 23 at 0:47
3
The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18
3
@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
2 days ago
10
You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
2 days ago
4
@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
yesterday
 |Â
show 5 more comments
83
var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
– Mike Caron
Dec 23 at 0:47
3
The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18
3
@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
2 days ago
10
You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
2 days ago
4
@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
yesterday
83
83
var cvv = parseInt(form.cvv); if(!cvv) markInvalid()– Mike Caron
Dec 23 at 0:47
var cvv = parseInt(form.cvv); if(!cvv) markInvalid()– Mike Caron
Dec 23 at 0:47
3
3
The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18
The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18
3
3
@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
2 days ago
@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
2 days ago
10
10
You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
2 days ago
You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
2 days ago
4
4
@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
yesterday
@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
yesterday
 |Â
show 5 more comments
This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.
It's a software bug. They can't admit it.
Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:
if ($CVC) # is CVC field present?
In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.
In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.
So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.
Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.
answered 2 days ago
Harper
1,234412
7
The string000doesn't evaluate false in Perl, Python or JavaScript.
– Blrfl
2 days ago
8
Well, in JavaScript, if you compare"000"to false ("000" == false) with just 2 equals signs, it will evaluate totrue.
– Stefnotch
2 days ago
3
It's more likely a case of what Mike Caron says:if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
– John Dvorak
2 days ago
1
@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago
2
@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago
 |Â
show 8 more comments
This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.
It's a software bug. They can't admit it.
Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:
if ($CVC) # is CVC field present?
In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.
In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.
So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.
Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.
answered 2 days ago
Harper
1,234412
7
The string000doesn't evaluate false in Perl, Python or JavaScript.
– Blrfl
2 days ago
8
Well, in JavaScript, if you compare"000"to false ("000" == false) with just 2 equals signs, it will evaluate totrue.
– Stefnotch
2 days ago
3
It's more likely a case of what Mike Caron says:if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
– John Dvorak
2 days ago
1
@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago
2
@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago
 |Â
show 8 more comments
This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.
It's a software bug. They can't admit it.
Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:
if ($CVC) # is CVC field present?
In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.
In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.
So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.
Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.
answered 2 days ago
Harper
1,234412
This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.
It's a software bug. They can't admit it.
Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:
if ($CVC) # is CVC field present?
In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.
In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.
So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.
Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.
answered 2 days ago
Harper
1,234412
edited yesterday
answered 2 days ago
Harper
1,234412
answered 2 days ago
Harper
1,234412
answered 2 days ago
Harper
1,234412
1,234412
7
The string000doesn't evaluate false in Perl, Python or JavaScript.
– Blrfl
2 days ago
8
Well, in JavaScript, if you compare"000"to false ("000" == false) with just 2 equals signs, it will evaluate totrue.
– Stefnotch
2 days ago
3
It's more likely a case of what Mike Caron says:if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
– John Dvorak
2 days ago
1
@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago
2
@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago
 |Â
show 8 more comments
7
The string000doesn't evaluate false in Perl, Python or JavaScript.
– Blrfl
2 days ago
8
Well, in JavaScript, if you compare"000"to false ("000" == false) with just 2 equals signs, it will evaluate totrue.
– Stefnotch
2 days ago
3
It's more likely a case of what Mike Caron says:if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
– John Dvorak
2 days ago
1
@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago
2
@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago
7
7
The string
000 doesn't evaluate false in Perl, Python or JavaScript.– Blrfl
2 days ago
The string
000 doesn't evaluate false in Perl, Python or JavaScript.– Blrfl
2 days ago
8
8
Well, in JavaScript, if you compare
"000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.– Stefnotch
2 days ago
Well, in JavaScript, if you compare
"000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.– Stefnotch
2 days ago
3
3
It's more likely a case of what Mike Caron says:
if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.– John Dvorak
2 days ago
It's more likely a case of what Mike Caron says:
if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.– John Dvorak
2 days ago
1
1
@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago
@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago
2
2
@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago
@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago
 |Â
show 8 more comments
Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.
Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.
Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.
Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200243%2fall-0s-zeros-in-a-bank-cards-cvc-code%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
29
Your reasoning is entirely correct, that's the long and short of it. Looks like
booking.comemploys some moron managers (I bet this wasn't an engineering decision).– Luc
Dec 22 at 23:03
45
"they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
– Mike Caron
Dec 23 at 0:46
4
@MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
– Loren Pechtel
Dec 23 at 5:13
6
@Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
– Vlad Nikiforov
2 days ago
2
Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
– Jérôme
2 days ago