4 posts • joined Tuesday 30th June 2009 12:52 GMT
"...properly lubricate all objects prior to spammer insertion."
A suitable lubricant can be obtained by mixing superglue, broken glass and rusty nails. Apply liberally to object before using on spammer.
If I remember correctly, way back in the early noughties when I was writing ecommerce sites and the 3-digit CVV was introduced, the instruction was that it was never to be stored anywhere in your DB, on pain of some kind of nastiness to your merchant account. I presume (but don't know) it's also not stored in a machine-readable format on the card.
Thus, the extra level of security this provides is not to turn a 16-digit number into a 19-digit one, but to guard against your card number being usable if a database where it's stored is compromised (quite likely at the time, having seen the sort of shoddy code being rushed out back then) or your card is skimmed.
So, in theory, if a card number is presented with CVV it is more likely that the person presenting it has (access to) the physical card, and less likely that they're using a card number stolen from somewhere.
I do recall having to tell coders who hadn't read the documentation that the CVV wasn't to be stored in the DB, so I'm assuming that there are various implementations out there that do store it and thus neuter it as a security measure - it's a slightly brittle solution in that respect.
Spam from Monty
I recently received an email invite from Monty to sign this petition - quite obviously a bulk mailshot. Not sure why, as the only time I recall providing my e-mail address for anything MySQL-related would be many years ago in a comment on the documentation, so presumably I have a mysql.com "account".
I was pretty pissed off TBH - if Monty is no longer part of MySQL, how is he able to get hold of this data? No unsubscribe info, unsolicited, bulk, so in my book it ticks all the boxes for being spam.
Not a great way to go about garnering support...
Stop watching my fingers!
The asterisks stop shoulder-surfing from people reading your screen... but not watching your fingers on your keyboard. If passwords were displayed as typed, it wouldn't take long before people started looking around a little more carefully at who's watching before typing their password, instead of being lulled into a false sense of security by the fact that their password can't be seen on screen, and ignoring the fact that watching fingers is pretty easy (see AC's 70WPM comment).
However, as in many things, there is no 'one size fits all' answer. In some cases, I can see this improving security (and, as seems to have been somewhat forgotten as one of the original points of the article, usability), although in many cases it will of course not do so.