Bank cards - Strange

I have two bank cards - one for Credit Agricole here in France and the other for HSBC in the UK. They both have the same CVV code on the back. (Does make life easier mind you.)
I find that really strange. OH says it’s not so surprising as the CVV code is only 3 numbers and think of all the millions (billions) of cards in circulation.
Can anyone work out the statistical probability of having that happen please? I think it’s less common than OH thinks, but I don’t know enough maths to work it out.

1:1000, assuming that they are random and evenly distributed (AFAIK CVVs can start with a 0 - e.g. 085, not sure if 00x or 000 is possible)

The odds are simply that the 2nd card has a particular CVV (i.e. the same as the 1st).

Clearly if a bank has 1,000,000 customers who also have cards with another bank then 1000 of them will experience this sort of thing.

3 Likes

The uniqueness comes not just from the CVV but the CVV in combination with the card number, surely :thinking:
As is often the case, there may be an arithmetical formula that confirms validity when the whole (or part) of the card number is assessed with the CVV - I would imagine that this would not usually be published widely to aid security.

The logic behind CVV generation:
To generate or calculate the 3-digit CVV, the algorithm requires:

Primary Account Number (PAN), a 4-digit Expiration Date, a pair of DES keys (CVKs), and a 3-digit Service Code. This algorithm is only known to the bank and not to any person or organization.

2 Likes

Why don’t you just give me all the numbers on both cards and I’ll send you a postcard from somewhere sunny with no extradition treaty…? :joy:

13 Likes

Bearing in mind that there are two cards held by the same person that each have 1000 different possibilities, then the odds that said person will have two cards with the same number has to be 1000 x 1000 which is the fabled 1 in a million.
Perhaps @SuePJ should start picking some lotto numbers.

1 Like

I think the odds are still 1 in a thousand. The one in a million odds are for the cards being a specific number in the range 001-999.
The first card can have any number 001-999; what is unusual is that the second card also has the same number.

3 Likes

Hmmm, it seems you might be right.

It would be much more secure if they were random - doing it algorithmically, however secure it seems with DES keys and whatnot opens the possibility that the secret sauce for calculating them could get into the wild - at which point it’s out there forever and immediately all cards are compromised.

If it’s random I could even give a hacker the source code to the exact random number generator used, and no cards would be compromised (assuming a cryptographically strong RNG fed with a decent entropy pool).

But then, the banks do like to do things which have more the appearance of security than actual security - I bet someone quoted the cost of adding an extra field to the database and they said f**k that, come up with something cheaper, don’t worry if it is not as secure.

1 Like

We’ve just had a big row with Barclays - number 1 idiot stepson had been using his mother’s card details for Uber stuff. When we found out a couple of months ago the card was "stopped" and a new one issued, which BB assured us would solve the problem, unless we wanted to pursue a fraud investigation (probably best not to, I was told!).

I was fairly surprised last week when I saw new card had been used for Uber stuff. Even more surprised, shocked even when BB then said that "another" company “sold” new card numbers to businesses such as Uber, Amazon etc to allow smooth continuation of transactions. Gobsmacked!!

2 Likes

I like the idea of one in a million. :grin: Feels like it ought to be as rare as that.

Far be it from me to contradict what BB says, as clearly I’m just someone with a keen interest in fintech, not a banking expert, but I’ve never heard of this selling business, but I do know it is actually a thing that MasterCard and Visa have allowed for a little while now via their APIs, although it is really meant to be opt-in from the account holder and only with merchants who have opted in themselves.

It is actually a very useful tool, at the end of card validity you could have a dozen or more card based payments that you’d have to go round and update with each company individually, say to them ‘I’ve got a new card, here are the new details’, which sometimes with something like an annual magazine subscription say you may not even remember about. So the idea is that the bank lets these people know the new card details so you don’t have to bother. Great in theory, and generally in practice, although the fintechs in the U.K. (Monzo, Starling etc) make this opt-in so you can choose for it not to happen if you’d rather, so in a case of fraud you can have it not happen. I guess not everyone is ‘opt-in’ which isn’t ideal at all.

But I’ve never heard of ‘selling’ the details, tbh that just sounds like the bank blaming someone else for the fact that they do it automatically rather than allowing you to opt in and now facing an angry customer (you) for something they’ve caused to happen.

Here’s Visa and MasterCard’s information about it on their developer sites if you are interested

https://developer.visa.com/use-cases/identify-merchants-receiving-automatic-card-updates

https://developer.mastercard.com/product/automatic-billing-updater-abu

1 Like

That was how it was explained to me by someone sitting in a windowless “call centre (Barclays fraud number)” many thousands of km away. What really pissed me off was the 2 different explanations. I’ve now raised an official complaint with the bank, and it’s certainly not anything we’ve opted into.

3 Likes

I refuse to call Barclays a bank… I usually refer to it as Bankleys Bark :grin:

1 Like

The odds are 1 in 1000. There are 1 million combinations of two 3-digit numbers. 1000 of these combinations are where the two numbers are the same. So the odds of them being the same are 1000 in 1000000 which is 1 in 1000.

2 Likes
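An added illustration, not part of the thread: a 3-digit code derived with a bank-held key from the PAN, expiry date and service code (the inputs listed earlier), plus the exact pair count from the post above and a simulation of two unrelated issuers. HMAC-SHA-256 stands in here for the DES-based calculation, and the keys, PANs, dates, service codes and function names are all constructed for this example.

```python
import hashlib
import hmac

def derive_cvv(key: bytes, pan: str, expiry: str, service_code: str) -> str:
    """3-digit code as a keyed function of PAN, expiry date and service code.

    Assumption: HMAC-SHA-256 stands in for the issuer's DES-based algorithm.
    """
    msg = (pan + expiry + service_code).encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Decimalise (this example's choice): decimal digits first,
    # then a-f mapped to 0-5 as a fallback.
    digits = [c for c in digest if c.isdigit()]
    digits += [str(int(c, 16) - 10) for c in digest if not c.isdigit()]
    return "".join(digits[:3])

def verify_cvv(key, pan, expiry, service_code, presented: str) -> bool:
    """The issuer recomputes the code; no per-card secret is stored."""
    expected = derive_cvv(key, pan, expiry, service_code)
    return hmac.compare_digest(expected, presented)

def count_pairs():
    """Exact count over all ordered pairs of 3-digit codes (000-999)."""
    same = both_777 = 0
    for a in range(1000):
        for b in range(1000):
            same += a == b            # any shared code
            both_777 += a == b == 777  # one code chosen in advance
    return same, both_777, 1000 * 1000

def simulated_matches(trials: int) -> int:
    """Two issuers with unrelated keys each issue one card per customer."""
    key_a = b"constructed key, issuer A"
    key_b = b"constructed key, issuer B"
    hits = 0
    for i in range(trials):
        # Constructed PANs, expiry dates and service code, not real card data.
        cvv_a = derive_cvv(key_a, f"400000{i:010d}", "2812", "201")
        cvv_b = derive_cvv(key_b, f"510000{i:010d}", "2906", "201")
        hits += cvv_a == cvv_b
    return hits

if __name__ == "__main__":
    same, both_777, total = count_pairs()
    print(f"same code on both cards: {same}/{total}")
    print(f"both cards exactly 777:  {both_777}/{total}")
    print(f"matches among 100000 customers: {simulated_matches(100_000)}")
```

The security of the derived code rests entirely on the key staying secret, which is the trade-off against a stored random value raised earlier in the thread.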

However, whilst I would agree that the odds of a particular person receiving any one particular 3 digit combination on their bank card are indeed 1 in 1000, when that same person has a second card, then the odds of any particular number appearing on that second card are also 1 in 1000.
Therefore, as there are two separate incidences of the odds being 1 in 1000 coming together, then the overall odds must surely be a multiplication of one set of odds by the other.
Isn’t this why it is possible to obtain such good overall odds on an accumulator bet at the bookmakers?

1 Like

The unusual issue is that the cards have the same number not that they have a specific number.

Eg - you are issued with a card with say number 123. For a 2nd card to be issued with that same number the odds would be 1 in 999.

The odds for receiving 2 cards with a specific number that you wanted, let’s say you wanted 777 as a number then yes the odds would be 999 x 999. (approx 1M)

3 Likes

Would it not be fair to say that the odds vary according to whether or not the first number is already known at the time of calculation?

In the instance I very much doubt the cards turned up at an identical time, therefore 1 number was already known.

So when you already have one card the likelihood of the 2nd card arriving with the same number as the one you already have is 1 in 999.

I agree with you on that point because the first number is already known, but would you agree that at this present time, the odds of the future replacement cards both having the same 3 digit code are 1 in a million precisely because the identity of the number on one of the cards is not already known?
Not that it really matters apart from pure academic interest of course. :slight_smile:

It matters to me! :slight_smile: I was just so surprised when I finally realised.