[InclinedPlane]

Bank of America uses a horrible method for generating debit card numbers. It's a standard prefix + account number + sequence number + check digit. If you have stolen someone's BofA debit card number then you can easily guess the replacement card's number (just increment the sequence number and recalculate the check digit). From there you just need to guess the expiration date (a comparatively trivial task).

[ig1]

Also they generate your PIN by running your account number through a DES encryption round. This method is known to be vulnerable to attack:

http://www.cl.cam.ac.uk/~mkb23/research/PIN-Cracking.pdf

[wdewind]

Chase PINs are by default 3210 - guess how many people still have that pin.

[ubernostrum]

Either you're skipping over a lot of information in the process of how that number's generated, or that's not how they do it anymore (and not how they've done it for at least the last couple of years).

[blasdel]

I got a replacement BofA debit card a few months ago, and this is exactly how they did it — only the last two digits are different.

This may be only in Washington and Idaho though, as there are several different legacy BofA backends as a result of M&A bullshit.

[nodata]

But that's for debit cards - I think most banks include the account number in a debit card number. You would still need the CCV number from the back of the card for the attack to work.

[InclinedPlane]

I haven't noticed any other bank which had the same practice.

Also, not all online merchants use CCV. Also consider the risk of creating fake physical CCs, no address or CCV necessary.

[Cushman]

Just checked— my credit union debit card number includes my account number.

[hboon]

CCVs aren't always required for transactions.

[lwhi]

CCV proves the cardholder was present at the time of the transaction. Online merchants are never allowed to store CCV numbers.

[dedward]

edit: CCV proves that you at one time had access to the CCV number.

Online merchants are supposed to comply with PCI-DSS - not store your CCV ever, never transmit your number unencrypted, never store cardholder information unencrypted, plus tons of management controls and audit controls over the same.

In practice, let's just say lazy programming is everywhere. I've seen many people who handle online transactions and violate PCI-DSS to some degree, including storing CCV numbers.

[nodata]

They can ask for them though.

[lwhi]

.. indeed, and they often do.