All 0's (zeros) in a bank card's CVC code












81














As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.



CVC code is 000



For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.



I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".



That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:




  1. First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.

  2. Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.

  3. Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.


The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".



I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.



However, I still puzzled:




  1. Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.

  2. From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?


Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.



Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.










share|improve this question









New contributor




Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 33




    Your reasoning is entirely correct, that's the long and short of it. Looks like booking.com employs some moron managers (I bet this wasn't an engineering decision).
    – Luc
    Dec 22 at 23:03






  • 49




    "they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
    – Mike Caron
    Dec 23 at 0:46






  • 4




    @MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
    – Loren Pechtel
    Dec 23 at 5:13






  • 6




    @Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
    – Vlad Nikiforov
    Dec 23 at 11:20






  • 2




    Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
    – Jérôme
    Dec 23 at 12:51
















81














As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.



CVC code is 000



For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.



I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".



That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:




  1. First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.

  2. Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.

  3. Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.


The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".



I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.



However, I still puzzled:




  1. Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.

  2. From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?


Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.



Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.










share|improve this question









New contributor




Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 33




    Your reasoning is entirely correct, that's the long and short of it. Looks like booking.com employs some moron managers (I bet this wasn't an engineering decision).
    – Luc
    Dec 22 at 23:03






  • 49




    "they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
    – Mike Caron
    Dec 23 at 0:46






  • 4




    @MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
    – Loren Pechtel
    Dec 23 at 5:13






  • 6




    @Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
    – Vlad Nikiforov
    Dec 23 at 11:20






  • 2




    Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
    – Jérôme
    Dec 23 at 12:51














81












81








81


18





As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.



CVC code is 000



For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.



I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".



That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:




  1. First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.

  2. Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.

  3. Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.


The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".



I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.



However, I still puzzled:




  1. Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.

  2. From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?


Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.



Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.










share|improve this question









New contributor




Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











As my bank card had expired, I got a new one, and this one turned out to be "lucky": its CVC code was 000.



CVC code is 000



For a few months I used it extensively, both online and offline, without any difficulties - until the day when I was to enter my card details on Booking.com website. I filled in the form, clicked "submit" - only to see that the page discards the value in CVC field and demands to enter it again.



I contacted support. They confirmed that CVC code "000" is not accepted, because it is considered not secure enough (not a close quote unfortunately, as the conversation was in Estonian), and they suggest me to order a new bank card where CVC code would be different from "000".



That got me puzzled. As a former tester, I'm quite used to situations, where I think I'm reporting a bug, and then I'm told it is actually a feature - but this time it was somewhat against common sense. My current work is also related to infosecurity, so I came up with objections:




  1. First of all, CVC is not just a random number, there is a certain algorithm of generating it. This, in turn, means that all values are equally probable and some certain numbers can't be just excluded from it.

  2. Second, I have already used this card with a number of other online services, including Amazon, whose security is out of any doubts.

  3. Third, I don't quite understand what does "not secure enough" mean. Are "111" or "999" secure enough? If not, how about "123" or "234"? Again, it's not something I pick by myself, it's something I'm given by a bank, and if bank thinks it's secure, then it must be treated as such.


The response was very polite yet held out little hope: "We totally understand your frustration and we are really sorry about causing you inconvenience. We handed your reasoning over to our management - they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery".



I forwarded all the mail chain to my bank and asked for their advice. They told me they'll issue a new card for free, which solved the problem for me.



However, I still puzzled:




  1. Are there any official regulations/prescriptions (from Visa/MC or elsewhere) or any best practices regarding "all-zeroes" CVC/CVV codes? Especially that bit about banks allegedly using 000 as an indication of a forgery - sounds like a complete nonsense to me. I tried googling, but couldn't find anything.

  2. From practical point of view, how reasonable it is to decline "000" as insecure? I listed my concerns above, but maybe I'm missing something?


Update: Tough choice on which answer to accept... I liked a lot the answer from Alexander O'Mara - detailed and to the point. The latest revision of Harper's answer also seems very reasonable. Yet I eventually decided to accept the answer by Zoey - it seems the most relevant, as it, besides everything else, also sheds some light on internals of hotel business.



Thanks everyone for your answers and comments! What I'm going to do now is contact Booking.com support again and insist on getting this fixed. Will let know about the outcome.







credit-card






share|improve this question









New contributor




Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 3 hours ago









yoozer8

1661210




1661210






New contributor




Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Dec 22 at 20:30









Vlad Nikiforov

49327




49327




New contributor




Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Vlad Nikiforov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 33




    Your reasoning is entirely correct, that's the long and short of it. Looks like booking.com employs some moron managers (I bet this wasn't an engineering decision).
    – Luc
    Dec 22 at 23:03






  • 49




    "they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
    – Mike Caron
    Dec 23 at 0:46






  • 4




    @MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
    – Loren Pechtel
    Dec 23 at 5:13






  • 6




    @Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
    – Vlad Nikiforov
    Dec 23 at 11:20






  • 2




    Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
    – Jérôme
    Dec 23 at 12:51














  • 33




    Your reasoning is entirely correct, that's the long and short of it. Looks like booking.com employs some moron managers (I bet this wasn't an engineering decision).
    – Luc
    Dec 22 at 23:03






  • 49




    "they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
    – Mike Caron
    Dec 23 at 0:46






  • 4




    @MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
    – Loren Pechtel
    Dec 23 at 5:13






  • 6




    @Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
    – Vlad Nikiforov
    Dec 23 at 11:20






  • 2




    Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
    – Jérôme
    Dec 23 at 12:51








33




33




Your reasoning is entirely correct, that's the long and short of it. Looks like booking.com employs some moron managers (I bet this wasn't an engineering decision).
– Luc
Dec 22 at 23:03




Your reasoning is entirely correct, that's the long and short of it. Looks like booking.com employs some moron managers (I bet this wasn't an engineering decision).
– Luc
Dec 22 at 23:03




49




49




"they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
– Mike Caron
Dec 23 at 0:46




"they responded that 000 is considered invalid, and this is also a way banks indicate that the card is a forgery" I'd like to know why a bank would produce a forged card with 000 on it
– Mike Caron
Dec 23 at 0:46




4




4




@MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
– Loren Pechtel
Dec 23 at 5:13




@MikeCaron While a bank wouldn't make a forged card they might have reason to make a deliberately invalid one, just like movies need deliberately invalid phone numbers.
– Loren Pechtel
Dec 23 at 5:13




6




6




@Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
– Vlad Nikiforov
Dec 23 at 11:20




@Jérôme, I could (the card has been deactivated upon re-issue), yet I'm curious what exactly are you expecting to see on the other side :)
– Vlad Nikiforov
Dec 23 at 11:20




2




2




Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
– Jérôme
Dec 23 at 12:51




Just kidding, of course. But the joke falls flat. I forgot about the reissue deactivation. NVM.
– Jérôme
Dec 23 at 12:51










3 Answers
3






active

oldest

votes


















75














Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.



Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.



This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.



Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.



The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.






share|improve this answer

















  • 36




    Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
    – aidanh010
    Dec 23 at 3:20






  • 37




    Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
    – eckes
    Dec 23 at 12:13






  • 9




    Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
    – eckes
    Dec 23 at 12:24






  • 16




    But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
    – gnasher729
    2 days ago






  • 16




    IMO, buggy validation like if (!(int(cvv) && checkCvv(cvv))) { return "It's not valid CVV" } is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
    – Lie Ryan
    2 days ago



















74














The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).




From practical point of view, how reasonable it is to decline "000" as insecure?




It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.



Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.



Some examples include:




  • IP address 1.1.1.1

  • Version checking bugs like "10" < "9" if only the first character in the string is checking

  • Names with non-alpha character (like the apostrophe in my name)


It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.






share|improve this answer

















  • 91




    var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
    – Mike Caron
    Dec 23 at 0:47






  • 3




    The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
    – aidanh010
    Dec 23 at 3:18






  • 3




    @MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
    – Chris Cirefice
    Dec 23 at 10:23






  • 12




    You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
    – Felipe Pereira
    Dec 23 at 13:15






  • 4




    @gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
    – Eric Duminil
    2 days ago



















30














This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.



It's a software bug. They can't admit it.



Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:



if ($CVC) # is CVC field present?



In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.



In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.



So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.



Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.






share|improve this answer



















  • 9




    The string 000 doesn't evaluate false in Perl, Python or JavaScript.
    – Blrfl
    2 days ago






  • 10




    Well, in JavaScript, if you compare "000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.
    – Stefnotch
    2 days ago






  • 3




    It's more likely a case of what Mike Caron says: if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
    – John Dvorak
    2 days ago








  • 1




    @Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
    – WernerCD
    2 days ago






  • 3




    @Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
    – WernerCD
    2 days ago











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200243%2fall-0s-zeros-in-a-bank-cards-cvc-code%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









75














Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.



Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.



This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.



Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.



The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.






share|improve this answer

















  • 36




    Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
    – aidanh010
    Dec 23 at 3:20






  • 37




    Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
    – eckes
    Dec 23 at 12:13






  • 9




    Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
    – eckes
    Dec 23 at 12:24






  • 16




    But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
    – gnasher729
    2 days ago






  • 16




    IMO, buggy validation like if (!(int(cvv) && checkCvv(cvv))) { return "It's not valid CVV" } is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
    – Lie Ryan
    2 days ago
















75














Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.



Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.



This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.



Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.



The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.






share|improve this answer

















  • 36




    Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
    – aidanh010
    Dec 23 at 3:20






  • 37




    Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
    – eckes
    Dec 23 at 12:13






  • 9




    Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
    – eckes
    Dec 23 at 12:24






  • 16




    But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
    – gnasher729
    2 days ago






  • 16




    IMO, buggy validation like if (!(int(cvv) && checkCvv(cvv))) { return "It's not valid CVV" } is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
    – Lie Ryan
    2 days ago














75












75








75






Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.



Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.



This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.



Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.



The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.






share|improve this answer












Alexander O'Mara provided a correct answer, but having worked in a hotel that was using booking.com I believe I can provide additional information about the reason that CVV was denied.



Every day the hotel I worked in would receive around 50 bookings, a quarter of these bookings would be using fake credit card details, and about 90% of people using fake credit card details would not show up.



This resulted in a lot of guesswork when assigning rooms, we would often try to guess if the person will show up just based on their credit card details, and also sometimes take into consideration the name, location, how many days they will be staying, etc.
We would also try to call the day before to confirm bookings, so that these fake bookings result in a minimal interruption to the business.



Blocking CVV 000 is just booking.com's lazy attempt to reduce the amount of fake bookings. Some other CVVs are blocked as well.



The reason why booking.com blocks the CVV and other websites do not is because other websites generally attempt to charge the credit card immediately, while booking.com only forwards information to the hotels which charge the credit card on the day of arrival.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 23 at 1:21









Zoey

65147




65147








  • 36




    Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
    – aidanh010
    Dec 23 at 3:20






  • 37




    Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
    – eckes
    Dec 23 at 12:13






  • 9




    Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
    – eckes
    Dec 23 at 12:24






  • 16




    But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
    – gnasher729
    2 days ago






  • 16




    IMO, buggy validation like if (!(int(cvv) && checkCvv(cvv))) { return "It's not valid CVV" } is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
    – Lie Ryan
    2 days ago














  • 36




    Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
    – aidanh010
    Dec 23 at 3:20






  • 37




    Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
    – eckes
    Dec 23 at 12:13






  • 9




    Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
    – eckes
    Dec 23 at 12:24






  • 16




    But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
    – gnasher729
    2 days ago






  • 16




    IMO, buggy validation like if (!(int(cvv) && checkCvv(cvv))) { return "It's not valid CVV" } is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
    – Lie Ryan
    2 days ago








36




36




Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20




Why on earth do hotels not pre-authorize the credit card? They could do as little as $1 (as is used for free trial verification) and immediately stop this issue--and that wouldn't cause the side effect of maxing out any low-limit or debit cards out there.
– aidanh010
Dec 23 at 3:20




37




37




Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
Dec 23 at 12:13




Are you saying a successful online platform like booking.com is not handling pre-authentication for their paying customers (aka hotels)?
– eckes
Dec 23 at 12:13




9




9




Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
Dec 23 at 12:24




Actually it seems optional: partnerhelp.booking.com/hc/en-gb/articles/…
– eckes
Dec 23 at 12:24




16




16




But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago




But reading this comment, why on earth would a scammer give you 000 as the CVV? Since it's not checked beyond "000 looks suspicious", why not use 472 as the CVV or any one of the other 999 possible numbers?
– gnasher729
2 days ago




16




16




IMO, buggy validation like if (!(int(cvv) && checkCvv(cvv))) { return "It's not valid CVV" } is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
– Lie Ryan
2 days ago




IMO, buggy validation like if (!(int(cvv) && checkCvv(cvv))) { return "It's not valid CVV" } is a much more likely explanation why this got rejected rather than being a deliberate security design decision.
– Lie Ryan
2 days ago













74














The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).




From practical point of view, how reasonable it is to decline "000" as insecure?




It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.



Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.



Some examples include:




  • IP address 1.1.1.1

  • Version checking bugs like "10" < "9" if only the first character in the string is checking

  • Names with non-alpha character (like the apostrophe in my name)


It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.






share|improve this answer

















  • 91




    var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
    – Mike Caron
    Dec 23 at 0:47






  • 3




    The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
    – aidanh010
    Dec 23 at 3:18






  • 3




    @MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
    – Chris Cirefice
    Dec 23 at 10:23






  • 12




    You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
    – Felipe Pereira
    Dec 23 at 13:15






  • 4




    @gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
    – Eric Duminil
    2 days ago
















74














The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).




From practical point of view, how reasonable it is to decline "000" as insecure?




It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.



Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.



Some examples include:




  • IP address 1.1.1.1

  • Version checking bugs like "10" < "9" if only the first character in the string is checking

  • Names with non-alpha character (like the apostrophe in my name)


It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.






share|improve this answer

















  • 91




    var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
    – Mike Caron
    Dec 23 at 0:47






  • 3




    The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
    – aidanh010
    Dec 23 at 3:18






  • 3




    @MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
    – Chris Cirefice
    Dec 23 at 10:23






  • 12




    You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
    – Felipe Pereira
    Dec 23 at 13:15






  • 4




    @gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
    – Eric Duminil
    2 days ago














74












74








74






The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).




From practical point of view, how reasonable it is to decline "000" as insecure?




It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.



Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.



Some examples include:




  • IP address 1.1.1.1

  • Version checking bugs like "10" < "9" if only the first character in the string is checking

  • Names with non-alpha character (like the apostrophe in my name)


It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.






share|improve this answer












The only weak argument I can think of to reject such a CVV would be that if someone were trying to brute-force your 3-digit code, they might start with 000 first (but would they also reject 001?).




From practical point of view, how reasonable it is to decline "000" as insecure?




It's not really reasonable. Either you can charge the card with the provided CVC/CVV code or you can't. There's no good reason to reject this code, since it is valid, and you can't really be sure if a credit card's codes are valid until you actually try to charge it.



Sadly, poorly-designed input validation is all too common. Some developers have a tendency to just assume certain values are invalid without checking the spec, or not properly unit test their input validations.



Some examples include:




  • IP address 1.1.1.1

  • Version checking bugs like "10" < "9" if only the first character in the string is checking

  • Names with non-alpha character (like the apostrophe in my name)


It's also not uncommon that people in customer service will respond to your bug reports with something along the lines of "that's not a bug, it's a feature" without ever even consulting the developers.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 22 at 21:57









Alexander O'Mara

7,16142734




7,16142734








  • 91




    var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
    – Mike Caron
    Dec 23 at 0:47






  • 3




    The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
    – aidanh010
    Dec 23 at 3:18






  • 3




    @MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
    – Chris Cirefice
    Dec 23 at 10:23






  • 12




    You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
    – Felipe Pereira
    Dec 23 at 13:15






  • 4




    @gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
    – Eric Duminil
    2 days ago














  • 91




    var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
    – Mike Caron
    Dec 23 at 0:47






  • 3




    The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
    – aidanh010
    Dec 23 at 3:18






  • 3




    @MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
    – Chris Cirefice
    Dec 23 at 10:23






  • 12




    You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
    – Felipe Pereira
    Dec 23 at 13:15






  • 4




    @gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
    – Eric Duminil
    2 days ago








91




91




var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
– Mike Caron
Dec 23 at 0:47




var cvv = parseInt(form.cvv); if(!cvv) markInvalid()
– Mike Caron
Dec 23 at 0:47




3




3




The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18




The 1.1.1.1 thing is even worse, because the people knew that it was an IP address and decided they would unilaterally decide for the NIC that it would remain unused forever.
– aidanh010
Dec 23 at 3:18




3




3




@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
Dec 23 at 10:23




@MikeCaron Sadly, I could see even myself making this mistake and not catching it until a support call came in... but is that the actual JS code from Booking.com?
– Chris Cirefice
Dec 23 at 10:23




12




12




You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
Dec 23 at 13:15




You can add email aliases (address+alias@example.com) to your examples list, very annoying when someone decides to be extra safe without a valid reason
– Felipe Pereira
Dec 23 at 13:15




4




4




@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
2 days ago




@gnasher729 it's also the reason why there wasn't any windows 9. Too many programs check if the OS is windows 95 or 98 by checking if "Windows 9" is in the OS' name.
– Eric Duminil
2 days ago











30














This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.



It's a software bug. They can't admit it.



Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:



if ($CVC) # is CVC field present?



In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.



In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.



So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.



Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.






share|improve this answer



















  • 9




    The string 000 doesn't evaluate false in Perl, Python or JavaScript.
    – Blrfl
    2 days ago






  • 10




    Well, in JavaScript, if you compare "000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.
    – Stefnotch
    2 days ago






  • 3




    It's more likely a case of what Mike Caron says: if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
    – John Dvorak
    2 days ago








  • 1




    @Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
    – WernerCD
    2 days ago






  • 3




    @Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
    – WernerCD
    2 days ago
















30














This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.



It's a software bug. They can't admit it.



Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:



if ($CVC) # is CVC field present?



In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.



In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.



So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.



Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.






share|improve this answer



















  • 9




    The string 000 doesn't evaluate false in Perl, Python or JavaScript.
    – Blrfl
    2 days ago






  • 10




    Well, in JavaScript, if you compare "000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.
    – Stefnotch
    2 days ago






  • 3




    It's more likely a case of what Mike Caron says: if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
    – John Dvorak
    2 days ago








  • 1




    @Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
    – WernerCD
    2 days ago






  • 3




    @Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
    – WernerCD
    2 days ago














30












30








30






This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.



It's a software bug. They can't admit it.



Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:



if ($CVC) # is CVC field present?



In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.



In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.



So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.



Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.






share|improve this answer














This is a frame challenge of the company's claims. A random number in the range 000-999 is more secure than 001-998, rejecting values weakens it.



It's a software bug. They can't admit it.



Just one example: say, somewhere in the stack, they use a language with untyped variables (i.e. Where the same variable can hold 123.45, "late for dinner", a 0-character string, an "undefined" token, etc). It's commonplace to write this:



if ($CVC) # is CVC field present?



In an untyped language, a blank string evaluates to 0 (false) as the programmer intended, but so does 000! There are better ways to do that.



In this case, we know the problem is not in the public-facing web UI you use, but in the back-end platform that both of you share. The agent should open a bug on it in the ticketing system.



So why did they claim what they said? Because normal businesses are very reluctant to admit this kind of structural error that makes them look incompetent. But they also cannot send you off with an "I don't know", as that has the same effect. So they need to say something to you right now that feels sellable to them.



Obviously it is wrong; as proven by all the other people you do business with who have no problem with it. But try it yourself; try a competing booking platform and see how it goes.







share|improve this answer














share|improve this answer



share|improve this answer








edited yesterday

























answered 2 days ago









Harper

1,274412




1,274412








  • 9




    The string 000 doesn't evaluate false in Perl, Python or JavaScript.
    – Blrfl
    2 days ago






  • 10




    Well, in JavaScript, if you compare "000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.
    – Stefnotch
    2 days ago






  • 3




    It's more likely a case of what Mike Caron says: if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
    – John Dvorak
    2 days ago








  • 1




    @Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
    – WernerCD
    2 days ago






  • 3




    @Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
    – WernerCD
    2 days ago














  • 9




    The string 000 doesn't evaluate false in Perl, Python or JavaScript.
    – Blrfl
    2 days ago






  • 10




    Well, in JavaScript, if you compare "000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.
    – Stefnotch
    2 days ago






  • 3




    It's more likely a case of what Mike Caron says: if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
    – John Dvorak
    2 days ago








  • 1




    @Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
    – WernerCD
    2 days ago






  • 3




    @Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
    – WernerCD
    2 days ago








9




9




The string 000 doesn't evaluate false in Perl, Python or JavaScript.
– Blrfl
2 days ago




The string 000 doesn't evaluate false in Perl, Python or JavaScript.
– Blrfl
2 days ago




10




10




Well, in JavaScript, if you compare "000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.
– Stefnotch
2 days ago




Well, in JavaScript, if you compare "000" to false ("000" == false) with just 2 equals signs, it will evaluate to true.
– Stefnotch
2 days ago




3




3




It's more likely a case of what Mike Caron says: if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
– John Dvorak
2 days ago






It's more likely a case of what Mike Caron says: if(!to_number(input)) reject(). The number zero is falsy in both Javascript and PHP.
– John Dvorak
2 days ago






1




1




@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago




@Birfl without knowing which language is used, this could absolutely be a valid answer - especially considering JavaScript is wonky like this. Look at someone who's last name is literally "Null" wired.com/2015/11/null
– WernerCD
2 days ago




3




3




@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago




@Blrfl I think the main point is that there are possibilities on how a modern web stack could EASILY get broke on edge cases - purposely or accidentally. There is code on the back end, middle end, front end, etc that could ALL easily break on untested edge cases. JavaScript being the easiest culprit to point fingers at - but as my example about Mr. Null (his actual name) shows, it's hard to point fingers at JS when it could be any step. (I would say "you got bs'd" is a bad part of the answer... but the rest is valid)
– WernerCD
2 days ago










Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.













Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.












Vlad Nikiforov is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200243%2fall-0s-zeros-in-a-bank-cards-cvc-code%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

What visual should I use to simply compare current year value vs last year in Power BI desktop

How to ignore python UserWarning in pytest?

Alexandru Averescu