I once got a debit card with the CVC number 000.
Now, in theory, I know there’s nothing wrong with this. The number was chosen randomly and it being “special” is purely in my head.
In fact, if 000 were excluded from the picking process, there’d be fewer possible CVCs and so overall they’d be less secure.
But, 000 still feels really wrong as a CVC. Was it a bug? Did an entire batch of cards get generated with the same CVC?
Perhaps banks should avoid generating “special” CVCs?
It’s not a completely wild suggestion—banks already avoid picking your birthday for your card’s initial PIN number.
But how many “special” CVCs are there? Each three digit number will be significant to at least one person so let’s assume we only exclude the most recognisable patterns:
- Repeated numbers: 000, 111, etc. (10)
- Small numbers: 001, 002, etc. (9)
- Multiples of a hundred: 100, 200, etc. (9)
- Ascending sequences: 123, 234, etc. (7)
- Descending sequences: 987, 876, etc. (7)
- Culturally significant: 420, 911, etc. (~8?)
That seems quite a lot of patterns but only excludes ~50 of the 1000 total possible CVCs.
By excluding significant CVCs, we’ve only made them 0.5% easier to guess. Seems a reasonable tradeoff to me.