Slashdot Mirror


French Banks Offer Credit Card Numbers That Change Every Hour (thememo.com)

Slashdot reader schwit1 quotes The Memo: What if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date? That's exactly what two French banks are starting to do with their new high-tech ebank cards... The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals... As most fraud happens a few hours or days after your card details are actually taken, this would leave criminals essentially with a bunch of useless numbers.
It's just like credit cards you have now -- other than the tiny digital screen that's embedded into the back of the card.
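The summary says the three digits change every hour and that a code copied by a skimmer is useless a few hours later. The block below is an added example of how such a scheme can work; it is not the banks' implementation and the page does not describe their algorithm. Assumed here: the card carries a per-card secret shared with the issuer, the displayed code is an HMAC-SHA256 over the current one-hour window truncated to three digits (the RFC 6238 TOTP construction with a 3600-second step), and the issuer tolerates one window of clock drift on either side. The card secret and timestamp in the demo are constructed values.

```python
# Added example (not the banks' implementation): a time-based dynamic CVV.
# Assumptions: per-card secret shared with the issuer, HMAC-SHA256 over the
# one-hour window, truncated to three digits, +/- one window of drift allowed.
import hashlib
import hmac
import struct

STEP_SECONDS = 3600  # the article's "changes every hour"
DIGITS = 3           # three digits on the back of the card


def dynamic_cvv(card_secret: bytes, unix_time: int,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code shown on the card's display for the window containing unix_time."""
    window = unix_time // step
    mac = hmac.new(card_secret, struct.pack(">Q", window), hashlib.sha256).digest()
    # RFC 4226 dynamic truncation, then reduce to the requested digit count
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_dynamic_cvv(card_secret: bytes, presented: str, unix_time: int,
                       step: int = STEP_SECONDS, digits: int = DIGITS,
                       drift_windows: int = 1) -> bool:
    """Issuer-side check: accept the current window plus drift either side.

    A three-digit code is guessable 1 time in 1000 per attempt, so the issuer
    must also rate-limit failed CVV checks per card; that counter is left out.
    """
    if len(presented) != digits or not presented.isdigit():
        return False
    for delta in range(-drift_windows, drift_windows + 1):
        candidate = dynamic_cvv(card_secret, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, presented):
            return True
    return False


def skimmer_scenario(card_secret: bytes, skim_time: int, fraud_delay_s: int) -> dict:
    """A code copied at skim_time is replayed fraud_delay_s seconds later."""
    stolen = dynamic_cvv(card_secret, skim_time)
    return {
        "stolen_code": stolen,
        "accepted_immediately": verify_dynamic_cvv(card_secret, stolen, skim_time),
        "accepted_later": verify_dynamic_cvv(card_secret, stolen,
                                             skim_time + fraud_delay_s),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a fake card secret and a fixed timestamp.
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    t0 = 1_700_000_000
    print(skimmer_scenario(secret, t0, fraud_delay_s=5 * 3600))
```

Two practical points follow from the code rather than from the article: the scheme only helps if the merchant or processor actually sends the CVV for checking (a point several comments below make), and because the code space is only 1000 values, the issuer must count failed checks per card and block after a handful, or a fraudster can simply try codes until one lands in the current window.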

222 comments

  1. Magnetic strip? by Anonymous Coward · · Score: 4, Interesting

    Do French credit cards still support magnetic strip transactions? Is that invalidated? Every time my card's details have been stolen it's because I used it while travelling in the US (I live in Canada; I travel to the US once, sometimes twice a year; I've had a card stolen three times in the last three years), and someone has tried to withdraw money from an ATM using a strip transaction. These transactions never involve the three numbers on the back.

    Will this break regularly scheduled withdrawals for automated billing?

    1. Re:Magnetic strip? by youn · · Score: 1

      Europe transitioned to chips a lot earlier than the US. They have even required a PIN for transactions for years

      --
      Never anthropomorphize computers, they do not like that :p
    2. Re:Magnetic strip? by Tx · · Score: 3, Informative

      Note that it's a French bank. In Europe (at least the UK where I live and the other parts of Europe that I've travelled to), we use chip cards, which means that that is already a solved problem here; cloning the magnetic strip doesn't get you the PIN number, and you can't do anything without that. So you don't need any fancy changing card number to solve that problem, you north-Americans just need to get with the program. As long as you can make transactions with just something as easily cloneable as the magnetic strip, you're going to have that problem.

      --
      Oh no... it's the future.
    3. Re:Magnetic strip? by Anonymous Coward · · Score: 5, Informative

      the changing numbers solve a different problem

      using them online when no chip and pin transaction is possible

    4. Re:Magnetic strip? by gweihir · · Score: 4, Informative

      Will this break regularly scheduled withdrawals for automated billing?

      No. First, in Europe, these are _not_ done via credit-card, but via interbank-transfer. Not everybody is stuck in the banking dark-ages like the US. Second, for credit-card based schemes, you authenticate once and then the bank knows these are legit and it works without further authentication.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Magnetic strip? by Anonymous Coward · · Score: 1

      This is a French bank we're talking about.

      Their civil liberties, in fact, measure up to yours.

      The French literally welcomed the US into independence.

    6. Re:Magnetic strip? by youn · · Score: 1

      You do know that bank transfers are not a Europe specific thing :)

      I just bought something and the payment was divided in 3 equal payments... on multiple occasions, I don't personally want to give my bank information each time I make such a purchase. It creates a more serious problem, as if you give your bank information to each merchant for that kind of transaction then you have in effect recreated the same problem with your bank account.

      At least with a credit card number, it is a lot easier to change it and there is an expiration date

      --
      Never anthropomorphize computers, they do not like that :p
    7. Re: Magnetic strip? by Anonymous Coward · · Score: 0

      Here we go, Americans thinking only they have freedom....

      The French have freedom from worrying about healthcare... In Australia we have freedom from guns, healthcare, three letter gov departments and a whole lot more...

    8. Re:Magnetic strip? by Dahamma · · Score: 4, Interesting

      The US now uses chip cards as well (though there are some retailers still using swipe, which is now officially retailer's responsibility to pay for fraud in that case) - this has NOTHING TO DO WITH THAT.

      It's not really related to online purchases, but since you don't seem to know much about this... chip and pin vs chip and signature comes down to one thing: a 2nd factor authentication. For IN PERSON retail transactions, the "chip" basically means a CC# (which is all the mag stripe really provided) is no longer enough, now the CC# is only accepted from a valid card passing a cryptographic check. That's the first factor: "something you have".

      But if your card is stolen, it comes down to the 2nd factor. For chip and pin, that 2nd factor is "something you know". For chip and signature, it's really closer to "something you are" (biometric). Problem is, the "biometric" signature is pretty easily fooled, and the current verification (in theory could be a computer, but in reality is some totally untrained clerk/waiter/etc who has no clue how to validate it) is absurd.

      In summary, the chip and pin solution is designed to make it genuinely harder to use a stolen CC, and the chip and signature is designed to make it harder to counterfeit a CC - while making sure it's NOT harder to use it. Basically, the US solution is designed to make sure the banks are covered and the consumers won't stop using credit cards - while not providing any added benefit to CONSUMERS who had their card stolen.

      That gets us to online purchases. First, fairly obviously, both chip and pin and chip and signature fail here. CVV was a minor attempt to fix this, but (1) it does nothing to prevent physical credit card theft since it's PRINTED ON THE CARD (useless 2 factor) and (2) it's not actually required by many credit card processing services so there's always a way to get around it.

      You'd think given the size of this industry the various actors involved (VISA, MC, banks, retailers, etc) would be smart enough to know all of this and find a good solution? Well, yes, of course they are, and have put much more thought into it than my simplistic summary. But the key point is they don't WANT to fix it, since it turns out they realized any current fixes that would mostly solve the problem would also inconvenience customers and retailers/POS just enough that it might bring revenue gains below fraud losses. Plus, fraud is tax deductible. And, customers and retailers aren't always well informed, so hey, some of the time they just get screwed and lose without even reporting the fraud. All good for the banks and CC companies!

    9. Re:Magnetic strip? by Dahamma · · Score: 1

      Not everybody is stuck in the banking dark-ages like the US

      That's silly, it has NOTHING to do with antiquated technology, it has to do with history and cultural differences.

      I live in the US and have all of my automated withdrawals from my checking account, both methods have been offered for many years. But as I said using CC for recurring payments is a cultural thing - credit cards have a much longer and more prominent history in the US, so people are more comfortable using them than in Europe. Many recurring services in Europe offer CC payments, the fact that people don't use them in that case is the CONSUMER choice, not a technological one.

      Second, for credit-card based schemes, you authenticate once and then the bank knows these are legit and it works without further authentication.

      If you are talking about US-based credit card recurring payments (assumed since you just claimed Europe doesn't use that) then totally untrue. You have never worked in this field, I assume... One of the big pains-in-the-ass of scheduled payments and pre-orders fulfilled later, etc, is that often the card of record expires and the transaction can't be processed. (There are also systems in place to update card info to a new number, but only if it's verified and the retailer properly supports it). But in any case, credit card transaction processing is a multistep process, and an authentication step is performed every time a new transaction is posted.

    10. Re: Magnetic strip? by Anonymous Coward · · Score: 0

      Funny, I was traveling in the US and my credit card numbers were used in Canada to charge a $900 auto repair. The fraud department called because I nearly simultaneously charged a meal in Everett, Washington several hundred miles away. The card company told the repair shop to stall, saying it was because it was a foreign card. Police arrested him while he waited. That's my only fraudulent use from stolen numbers.

    11. Re:Magnetic strip? by GuB-42 · · Score: 4, Informative

      What's up with this "freedom" propaganda in the US?
      In most of the freedom indices, the US is unremarkable compared to other western countries. It is not bad, but among these countries, only the US seems to brag about it so much. I suppose it is some kind of political strategy to justify anything.

    12. Re:Magnetic strip? by Enigma2175 · · Score: 1

      This is a variable CVV. Its utility is to make it difficult to do a card not present transaction (generally an online purchase) without the physical card. You complain that it doesn't address physical card theft, but in most places that isn't a problem. The bigger problem is somebody stealing a bajillion credit card numbers from Target or a server who copies card numbers, expirations and CVVs from every card for a few months then uses the gathered data to either clone those cards or use them online. This scheme seems to address that issue as long as the card processors force all their customers to validate CVVs.

      --

      Enigma

    13. Re:Magnetic strip? by kitezh · · Score: 1

      ... you US-Americans just need to get with the program...

      FTFY

      We've had chip and PIN in Canada for years now, too. It's just the USA that hasn't caught up with the rest of the world.

    14. Re:Magnetic strip? by ShooterNeo · · Score: 1

      You know, when I see this argument, there's a critical flaw in it. Yes, 2 factor is generally better than 1- factor, and so forth.

      However, all factors are not equal. "Something you know" is the worst case because humans have limited memory so there will always be easy ways to steal anything a user knows. This is why passwords are so shitty. "Something you are"(fingerprint, iris scanners) unfortunately devolves back to "something you know" in that it's a fixed biometric signature that you can spoof.

      Something you have, if it's a chip or other method that uses a secret OTP or private key, is by far the strongest. There's no fixed code you can steal of any sort. Different every time. Yes, someone can steal the physical card - but that still reduces fraud enormously because if a card is missing, the victim can report it and cause it to be invalidated. It's imperfect - you are correct that chip and pin is better than chip and signature - but it's still a huge reduction in fraud. It also makes it much easier to catch the thief - if someone you know the name of steals your credit card, you can give their name to the police. The police can obtain security tapes, and if the person on camera resembles the person whose name you gave, boom, they got them.

      That's a crime that is vastly more likely to be solved than "someone I never saw or met stole my card # somehow and used it in India"

    15. Re:Magnetic strip? by Dahamma · · Score: 1

      Clearly enforcing end-to-end cryptographic security is the best solution, but as has already been stated several times the credit card companies, banks, and point of sale retailers just don't WANT that.

      You and I both know - and this isn't state of the art, it's trivial - how this whole system could be made 100x more secure, I'm sure. But the point is it's not about security it's about cost of fraud vs cost of convenience. That's it. And unfortunately it's not the cost of convenience of consumers DEFRAUDED, it's cost of convenience of consumers putting a balance on their card...

    16. Re:Magnetic strip? by arth1 · · Score: 4, Interesting

      You do know that bank transfers are not a europe specific thing :)

      I just bought something and the payment was divided in 3 equal payments... on multiple occasions, I don't personally want to give my bank information each time I make such a purchase. It creates a more serious problem, as if you give your bank information to each merchant for that kind of transaction then you have in effect recreated the same problem with your bank account.

      The big difference is that bank transfers in Europe are payer initiated, while in the US, they are payee initiated.
      In Europe, there are generally no problems giving out your bank account details, because all you can do with that information is to send payments to the account.

    17. Re:Magnetic strip? by ShooterNeo · · Score: 1

      How does end to end cryptographic security relate to this in any way?

      For "Something you know" security - end to end encryption does nothing to stop a hidden camera or hidden electronic device that can detect the actual buttons pressed on the keypad.

      For "something you are" security - a tampered with biometric sensor can have its readings copied, for example you can tamper with a fingerprint scanner so the sensor copies any prints it detects to another embedded device that stores a copy of the print images. This is a little harder because then the thieves have to make a replica that will fool a scanner (some of the better ones have capacitance and heat sensors so it's harder to fool with a fake rubber fingerprint) but still doable.

      For 'something you have' - if what you "have" is a fixed magnetic strip, that's easy to steal and copy. If it's a chip with a secret internal private key or OTP, forget it. The thief is going to have to steal the physical card.

      In NONE of these cases does end to end encryption do shit for you.

    18. Re:Magnetic strip? by Anonymous Coward · · Score: 0

      ... you north-Americans just need to get with the program.

      NAWBO is impeding our progress.

    19. Re:Magnetic strip? by gweihir · · Score: 3, Insightful

      It is a "big lie" to keep the population docile: Tell them things are much, much better in the US than the rest of the world (which is not true by any halfway sane metric) and they will shut up in fear. Seems to be working well.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re:Magnetic strip? by gweihir · · Score: 1

      Well, theoretically, you can withdraw money with that, but the account owner can just contest this and then you have to prove you were entitled to that withdrawal and have to pay a rather large fine if you cannot. You also only get the money after a 60-day (I think) waiting period, so this is completely unusable for fraudulent withdrawals.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    21. Re:Magnetic strip? by gweihir · · Score: 0

      You have a "checking account"? Nice. These went out of fashion about 15 years ago here. I stand by my statement: Banking dark-ages.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re: Magnetic strip? by orlanz · · Score: 2

      Yes, in the US we can have multiple accounts under the same customer. Savings and Checking are the primary. The latter can be exposed with limited funds at risk to third parties and the former can actually hold your monies that aren't invested somewhere. You can choose to have both or just one. And your written checks (most government services or equivalent do not accept C/DC without fees) come out of checking.

      I don't understand why this is considered the "dark ages".

    23. Re: Magnetic strip? by orlanz · · Score: 1

      Visited Canada recently. People are awesome, weather was great, wonderful city, meh food...

      But what did bother me was the payment system. I understand that you all have pin and chip or whatever. But God every place we went kept giving us the swiper so that we can swipe and enter the pin. We didn't have pins of course. It's almost as slow as paying by cash.

      And as for security... Those swipers can just as easily be key loggers.

      Also, my dad had his CC copied 2x in his life. Once in New Jersey and once in Canada. But I won't hold it against Canada because I've been there 2x and so far so good... But Jersey got me too.

    24. Re:Magnetic strip? by arth1 · · Score: 2

      Well, theoretically, you can withdraw money with that but the account owner can just contest this and then you have to prove you were entitled to that withdrawal and have to pay a rather large fine if you cannot.

      Only in a payee initiated system is that possible. In a payer initiated system, only the account holder can initiate a transfer. There's no being "entitled to" withdraw. If your name isn't on the account, you're not entitled.
      Transfers are usually immediate and not reversible. If you misspell the recipient account number (including control digit), you have to appeal to the recipient to transfer the money back to you, or appeal to the courts to make that happen. There's no reversing charges, because you were never charged - you transferred.

      Caveat: It's been a couple of decades since I worked for a European bank, but I believe that in general, this is still true. (The UK banking system excluded, as it does things its own archaic way as always, with accounts held by branches, and back office transfers having to occur before the customer transaction.)

    25. Re: Magnetic strip? by Anonymous Coward · · Score: 0

      The latter can be exposed with limited funds at risk to third parties

      There is no special risk associated with any type of bank account over here. I mean, sure, there's some risk (bank going belly up, your credentials (username, OTP and sometimes a password. Username+password might get you logged in and you might see the balance if you are lucky, but anything that matters needs the OTP) get stolen etc.), but we definitely don't need multiple accounts to protect the money from fraudulent bank transfers.

      And as for government services, usually you get an invoice and you pay it with a bank transfer.

    26. Re: Magnetic strip? by Anonymous Coward · · Score: 0, Funny

      They "would of" said so?

      Go back to school, you illiterate piece of shit.

    27. Re: Magnetic strip? by Anonymous Coward · · Score: 1

      It's the "check" part. I have not seen a regular check in 10 years in Europe. I think you can still make them somehow, but they are clearly going the way of extinction. You would never be able to pay a government service with a check.

      If you take a step back, I think you can see why - they are cumbersome and generally too open for abuse.

    28. Re:Magnetic strip? by Anonymous Coward · · Score: 0

      The big difference is that bank transfers in Europe are payer initiated, while in the US, they are payee initiated.

      I don't know about the rest of Europe, but certainly in the UK we have both payer and payee initiated transactions.

      The latter are called "direct debits" and have to meet some quite strict criteria. They're commonly used to pay bills which might vary each month. The payee notifies the payer of the amount in advance, and then debits it from the payer's account.

      The big safeguard with them is that if the payer disagrees with a debit, all he has to do is inform his bank and the bank must immediately put the money back in his account. It is then the bank's problem to go and get the money back from the payee. The banks therefore have a very strong incentive not to give the facility to organisations in whom they don't have total trust.

      I've done it a few times, and you do sometimes have to explain the rules to lowly bank employees, but it's always worked.

    29. Re: Magnetic strip? by Anonymous Coward · · Score: 0

      Fwiw, in the last few years the uniform EU payment system was started that allowed a form of payee charging. Basically they can announce the future charge (at least 2 weeks iirc) and if you don't object it will go through.

      Cancelling is a click of a button and reverse charging can be done up to a year later iirc.

    30. Re:Magnetic strip? by Gussington · · Score: 1

      I've had a card stolen three times in the last three years), and someone has tried to withdraw money from an ATM using a strip transaction. These transactions never involve the three numbers on the back.

      The CVC/CVV (the number on the back) is only used in Card Not Present (CNP) transactions.
      If you are performing a card transaction, then you also need the PIN. How did they get yours?

      Will this break regularly scheduled withdrawals for automated billing?

      The purpose of CVC/CVV is an initial check if the card is fraudulent. If it passes that once, you no longer need to recheck for recurring billing.

    31. Re:Magnetic strip? by Carewolf · · Score: 1

      That gets us to online purchases. First, fairly obviously, both chip and pin and chip and signature fail here. CVV was a minor attempt to fix this, but (1) it does nothing to prevent physical credit card theft since it's PRINTED ON THE CARD (useless 2 factor) and (2) it's not actually required by many credit card processing services so there's always a way to get around it.

      It is required by ALL credit card processing services, at least in Europe. Many also have additional steps like sending extra security digits to your phone.

    32. Re:Magnetic strip? by Gussington · · Score: 1

      cloning the magnetic strip doesn't get you the PIN number,

      The PIN is not stored on the card with either Stripe or Chip.

    33. Re:Magnetic strip? by Carewolf · · Score: 2

      Transfers are usually immediate and not reversible. If you misspell the recipient account number (including control digit), you have to appeal to the recipient to transfer the money back to you, or appeal to the courts to make that happen.

      That is not true, they are always reversible. If you report the error to your bank within 24 hours, it is trivially reversible, after that you may need to document it was an error or theft or whatever.

    34. Re:Magnetic strip? by Gussington · · Score: 1

      No. First, in Europe, these are _not_ done via credit-card, but via interbank-transfer. Not everybody is stuck in the banking dark-ages like the US.

      Interbank transfers for simple billing seems pretty dark-ages too. You Americans and Europeans need to both catch up.

    35. Re:Magnetic strip? by Gussington · · Score: 1

      But in any case, credit card transaction processing is a multistep process, and an authentication step is performed every time a new transaction is posted.

      Here in Australia the authentication step is purely to validate the card for CNP transactions. This only happens once the first time for recurring payments so is not needed for following payments between the same merchant and payer.

    36. Re: Magnetic strip? by Gussington · · Score: 2

      Yes, in the US we can have multiple accounts under the same customer. Savings and Checking are the primary. The latter can be exposed with limited funds at risk to third parties and the former can actually hold your monies that aren't invested somewhere. You can choose to have both or just one. And your written checks (most government services or equivalent do not accept C/DC without fees) come out of checking.

      I don't understand why this is considered the "dark ages".

      Ok where I live, we just have electronic accounts and 99% of transactions (the other 1% are drugs/prostitute related) are electronic with appropriate digital technology as safeguards. The whole idea of a paper check is so dark ages it's laughable. It's the equivalent of a fax, or a telegram.
      Do you also use a fax machine instead of email?

    37. Re: Magnetic strip? by Anonymous Coward · · Score: 0

      Almost all POS terminals accept near-field payment as well (at least by card, using phone it's still not anywhere near as prevalent to where say, south korea was ten years ago).

    38. Re:Magnetic strip? by AmiMoJo · · Score: 4, Insightful

      The UK has largely moved away from the branch model now. The UK also allows some limited payee initiated transfers, in the form of Direct Debits. They are good for paying bills and the like, you agree to let the payee set the amount every time (to cover things like phone bills that can vary) and you have the right to cancel or reverse any payment without question.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    39. Re:Magnetic strip? by mjwx · · Score: 1

      In summary, the chip and pin solution is designed to make it genuinely harder to use a stolen CC, and the chip and signature is designed to make it harder to counterfeit a CC - while making sure it's NOT harder to use it. Basically, the US solution is designed to make sure the banks are covered and the consumers won't stop using credit cards - while not providing any added benefit to CONSUMERS who had their card stolen.

      EMV (Chip and Pin) was designed to stop card cloning, which it has been largely successful for. The EMV spec was written in 1994 when purchasing things over the internet was relatively uncommon.

      The problem is that criminals have moved from card cloning to online transactions, which EMV has nothing to do with; this does not make EMV bad or ineffective, EMV is more or less physical protection which doesn't help now that electronic purchases are commonplace.

      The problem the banks have is that any measures they have to improve security would decrease usage as they would be more painful than buying stuff with cash, direct deposit or using a different payment provider. Right now it's cheaper to keep writing off credit card losses than it would be to lose a portion of the fees they get from credit cards (erm... most people don't know this but the merchant has to pay a percentage of the purchase price in order to accept credit card payments, so everyone pays credit card fees regardless of if the card is "free", this is a huge money spinner for banks).

      There are lots of ways to make credit cards secure, however they all require introducing a second factor of authentication that will make people throw the cards into the "too hard" basket as all of these methods rely on treating any information printed on the card (or gleaned from it electronically) completely untrustworthy.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    40. Re:Magnetic strip? by AmiMoJo · · Score: 1

      Chip and PIN was designed to shift some of the burden of fraud onto the consumer. When your card is stolen the bank interrogates you, looking for ways to avoid reversing the charges. These can include things like a weak PIN number, admitting you told someone your PIN number, using the same PIN number for multiple cards, not concealing your PIN adequately when using the keypad etc.

      In the early days the banks refused to even entertain the idea that transactions authorised by PIN number could be fraudulent. The regulator had to lay the smackdown and force them to pay up.

      UK banks are pretty scummy. In the last few years they have had to repay tens of billions of pounds to consumers for mis-sold credit card insurance.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    41. Re: Magnetic strip? by AmiMoJo · · Score: 1

      The UK has a simpler system. You have one account, and the only way companies can transfer money out of it is via a Direct Debit. You have to agree to set one up in writing, and you can cancel it at any time, and you can immediately reverse any transaction without question at any time.

      It's easier than balancing money between accounts, making sure you have enough on the primary to cover debits etc. Companies tend not to abuse it either, because when debits get reversed it costs them money so there is little incentive to do so.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    42. Re:Magnetic strip? by flabman · · Score: 2

      Chip and PIN transactions are definitely possible online. My bank issued me with a small hand-held card reader. In order to validate an online transaction I insert my card into it, type the PIN, followed by one or more challenges (such as the amount and possibly the account number of the payee). The card reader then gives me a number to key into the website as proof that I have the card and know the PIN. This is fully integrated into online payment handlers' systems such as Ogone, Sofort and others.

    43. Re:Magnetic strip? by Shinobi · · Score: 2

      Chip and Pin works online too, if the banks and vendors use proper systems. Let's just say Steam, Blizzard and other US vendors don't support it...

      I'm in Sweden, and my bank has issued a small, hand-held device with various features, either login for the bank, signing payment order, or payment order. I make an order at a site and initiate the checkout procedure. Vendor site or my bank presents me with a string of numbers. I insert my card into the device, select the appropriate option, enter the number string into the device, hit ok, enter my PIN, then I get a control code in return, which I enter into the vendor site to confirm the payment.
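Comments 42 and 43 describe the same flow from the user's side: insert the card in a hand-held reader, enter the PIN, key in a challenge plus the amount and possibly the payee, and type the resulting code into the website. The block below is an added example of that shape of protocol, written here for illustration; it is not flabman's or Shinobi's bank's system, nor the EMV CAP protocol itself (which uses the card's EMV application cryptogram rather than a plain HMAC). Assumed here: the card holds a per-card key shared with the issuer, the reader only uses it after the correct PIN and blocks after three wrong tries, the response is HMAC-SHA256 over (challenge, amount, payee) truncated to eight digits, and the issuer keeps every challenge single-use. Card ids, keys, PINs and payee labels in the demo are constructed values.

```python
# Added example (not the bank's implementation, not EMV CAP itself): a
# transaction-bound challenge/response in the shape comments 42 and 43 describe.
# Assumptions: per-card key shared with the issuer, PIN-gated reader,
# HMAC-SHA256 over (challenge, amount, payee), 8-digit code, single-use challenges.
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 8
MAX_PIN_TRIES = 3


def _response(card_key: bytes, challenge: str, amount_cents: int, payee: str) -> str:
    # Length-delimited encoding so the fields cannot bleed into each other
    fields = [challenge, str(amount_cents), payee]
    msg = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % 10 ** RESPONSE_DIGITS
    return f"{value:0{RESPONSE_DIGITS}d}"


class CardInReader:
    """The hand-held reader with a card inserted: the PIN unlocks the card key."""

    def __init__(self, card_key: bytes, pin: str):
        self._key, self._pin = card_key, pin
        self._tries_left = MAX_PIN_TRIES

    def sign(self, pin: str, challenge: str, amount_cents: int, payee: str):
        """Returns the code to type into the website, or None if refused."""
        if self._tries_left == 0:
            return None  # card blocked after too many wrong PINs
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = MAX_PIN_TRIES
        # The user keys the amount and payee they see; the PIN entry is consent
        # to exactly that transaction, so the code is bound to it.
        return _response(self._key, challenge, amount_cents, payee)


class Issuer:
    """Bank side: issues one-time challenges and checks the typed-in code."""

    def __init__(self):
        self._card_keys = {}
        self._pending = {}  # challenge -> (card_id, amount_cents, payee)

    def enrol(self, card_id: str, card_key: bytes) -> None:
        self._card_keys[card_id] = card_key

    def issue_challenge(self, card_id: str, amount_cents: int, payee: str) -> str:
        """Called when the merchant submits the transaction for authorisation."""
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[challenge] = (card_id, amount_cents, payee)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        # pop() makes the challenge single-use: replaying a code fails.
        tx = self._pending.pop(challenge, None)
        if tx is None:
            return False
        card_id, amount_cents, payee = tx
        # Amount and payee come from what the bank was asked to authorise; if a
        # merchant or MITM changed them after the user keyed in the originals,
        # the recomputed code will not match.
        expected = _response(self._card_keys[card_id], challenge, amount_cents, payee)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    issuer = Issuer()
    issuer.enrol("card-1", key)
    reader = CardInReader(key, "1234")
    ch = issuer.issue_challenge("card-1", 4999, "shop-42")
    code = reader.sign("1234", ch, 4999, "shop-42")
    print("accepted:", issuer.verify(ch, code))
    print("replayed:", issuer.verify(ch, code))
```

The point the example makes beyond the comments is why keying in the amount and payee matters: the code only proves possession of the card and knowledge of the PIN for that amount to that payee, so a stolen code is useless for any other transaction, and a merchant that alters the amount after the customer signed gets a code that fails verification. The single-use challenge is what stops the same code from being submitted twice.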

    44. Re:Magnetic strip? by Oswald+McWeany · · Score: 1

      I live in the US, and it's funny, many Americans really do think they have more freedoms and liberty, etc., than anyone else. It's this self-propagating myth that they have. Don't get me wrong, I like it here, it's a very nice place to live, but there are a lot of delusions.

      The country with incarceration rates so high that 50% of the world's prisoners are American- and they call themselves the land of the free.

      --
      "That's the way to do it" - Punch
    45. Re:Magnetic strip? by Oswald+McWeany · · Score: 1

      Almost no one uses cheques in the US anymore either. It's usually only little old-grannies that don't have enough coins in their purse to pay with pennies for a $45 purchase.

      --
      "That's the way to do it" - Punch
    46. Re:Magnetic strip? by edtice1559 · · Score: 1

      This is essentially the same solution without the need to have a device. Granted it's not exactly the same in that you're using a rolling code instead of a PIN but it's more convenient as you don't have to have a separate device and the online merchant doesn't have to have special software to support it.

    47. Re:Magnetic strip? by edtice1559 · · Score: 1

      Exactly, retail fraud (stealing a card) is such small potatoes that the financial institutions aren't too worried about it. Ship a new card and write off the loss. Not that they don't want to minimize this but it's small potatoes compared to wholesale card number theft that can run in the tens or even hundreds of millions.

    48. Re:Magnetic strip? by Anonymous Coward · · Score: 1

      How can a bank blame a 'weak' PIN on the customer, even if there is such a thing as one four digit number being weaker than another? If the bank considers it weak, they should not have issued it.

    49. Re: Magnetic strip? by orlanz · · Score: 1

      Replying to myself so that I can address all of the above.

      1) I have gone through about 35 checks in the last 17 years. They are rare, yes, but still used here and there. The most recent one was to buy a used vehicle for $6k. The private party didn't want to deal with banks for one transaction. So he took my check to a local bank branch and got his cash. Prior to that, was to submit my passport renewal application via mail.

      2) We have a LOT of local governments here in the US. Some are the size of 10 people for small towns. We also have a lot of small businesses and home owners' associations. Some don't want the overhead cost of credit/debit cards, or setting up ACH/Draft for ONE payment a year. But I don't want to give any excuses, we got bigger government entities that also won't accept ACH, cash, or credit but will accept forms of checks. Not to mention all the passport renewal, visa, consulate, etc centers only accept a check with your mailed in submission (note: centers are about 2 hours flight for most of the US).

      So checks are old and I rarely use them, but it's nice to still have the facility for that 0.1%. I don't consider the system to be in the dark ages. Just respectful of the fact that not every single entity wants to be plugged into the electronic super highway.

      3) It doesn't make sense to expose your entire cash account to payees. We have electronic draft, recurring payments, and electronic salary deposits. I can give my checking account to my credit cards, mortgage, brokerage account, water bill, company, suppliers, etc. And use it for checks. Each can make a mistake in over drafting, or over paying (knock on wood, it has happened twice in the last 10 years). If cash left the account, it takes a bit of work to get it back. A phone call, talking to a machine + a PERSON. Normally my account wouldn't be made whole for 1-2 weeks!

      So I keep my cash in a separate account and only maintain via recurring transfers about $Xk in my checking. So on any given month, only about $Xk is at risk of accidental transfer out. It's all automated, so no actual effort to maintain multiple accounts. It helps with budgeting, because it tells me clearly if I am within my monthly $Xk budget by looking at ONE account. Too much variance and I can easily narrow down what caused it. When I notice that the savings account is well over rainy day fund, I transfer to health, retirement, broker, or bonds.

    50. Re:Magnetic strip? by Gonoff · · Score: 1

      In Europe, there are generally no problems giving out your bank account details, because all you can do with that information is to send payments to the account.

      Have you heard of Jeremy Clarkson? A few years ago, he said this on TV. Then to prove his confidence, he gave his account number and sort code.

      Someone then caused his bank to pay a sum to charity to prove the point. It is not as secure as you think.

      --
      I'll see your Constitution and raise you a Queen.
    51. Re:Magnetic strip? by flabman · · Score: 1

      Yes, it's more convenient to just be able to read the 3-digit code from the card without the need for an additional device. But it's less secure than using a card reader because (1) the 3-digit code is a lot shorter than the 8 digits the card reader I described generates, (2) it still does not protect against card theft, since anyone who has the card also has the 3-digit code, and (3) it does not validate the specific transaction, it only demonstrates that the card is in possession of the person who's trying to make payment (modulo no. 1 above) at about the time the transaction is attempted.

    52. Re:Magnetic strip? by TheRaven64 · · Score: 2

      France transitioned a lot earlier. Everyone else transitioned about 10 years ago, because the patents had just expired and no one wanted to pay licensing fees to a French company before then. The US moved recently, because the US has an archaic banking system.

      --
      I am TheRaven on Soylent News
    53. Re:Magnetic strip? by arth1 · · Score: 3, Interesting

      Have you heard of Jeremy Clarkson? A few years ago, he said this on TV. Then to prove his confidence, he gave his account number and sort code.

      Someone then caused his bank to pay a sum to charity to prove the point. It is not as secure as you think.

      That's the British branch-based banking system (you can tell from it having a "sort code"), which is different - neither fish nor fowl. The British Postal Giro works like a real giro at the hub, but the endpoints are individual bank branches, which may be payee initiated.

      In the parts of Europe hooked up to a common giro system (since the 60s if I remember correctly), companies and individuals publish their bank accounts - it's how people pay them, through direct deposits - credit, not debit.

      One of my bank account numbers has been published with shareware since the late 80s, with no problems. (I'm not repeating it here, not because I don't want it published, but because a quick google would then point people at the code of my youth. Shame is the deterrent, not fear.)

    54. Re:Magnetic strip? by coinreturn · · Score: 1

      What's up with this "freedom" propaganda in the US? In most of the freedom indices, the US is unremarkable compared to other western countries. It is not bad, but among these countries, only the US seems to brag about it so much. I suppose it is some kind of political strategy to justify anything.

      Just like in any other country, there are fools who believe the propaganda the government pushes.

    55. Re:Magnetic strip? by Pig+Hogger · · Score: 1

      Basically, a lot like North Korea

    56. Re:Magnetic strip? by Pig+Hogger · · Score: 1

      You do know that bank transfers are not a europe specific thing

      Yes, but in Europe, it’s not an expensive, cabalistic song and dance like it is in North America.

    57. Re: Magnetic strip? by Pig+Hogger · · Score: 0

      Just respectful of the fact that not every single entity wants to be plugged into the electronic super highway.

      Dodos don’t deserve any respect.

    58. Re: Magnetic strip? by mjr167 · · Score: 1

      I recently re-financed and had to fax the paperwork to the bank. Because email is insecure but fax is somehow magically secure and private.

    59. Re:Magnetic strip? by Khashishi · · Score: 1

      while in the US, they are payee initiated.

      ... something I've never, ever understood. Why is the credit card protocol in US so absurd?

    60. Re:Magnetic strip? by rpstrong · · Score: 1

      Chip and PIN was designed to shift some of the burden of fraud onto the consumer.

      Is this specific to the UK? I ask because in the US, chip and signature shifts the burden from the banks to the merchants - the consumer is unaffected. And where we do use PINs (ATM/debit cards), the burden is substantially on the provider.

      I did once have an ATM card compromised (probably skimmed). Someone withdrew $800 from my account in two 'normal' ATM transactions (card swiped, PIN entered). Within a few days of reporting it, I had a provisional credit for the full amount. ['Provisional' meant that the bank had six months to uncover evidence of fraud on my part.] My bank is to be credited for promptness here, but the basic provisions are a matter of law - the US consumer credit laws are very pro-consumer. I'm sure the same protections would/will translate to chip and PIN.

    61. Re: Magnetic strip? by tepples · · Score: 1

      Do you also use a fax machine instead of email?

      I had to fax pay stubs to my home state when I applied for health insurance. I guess courts are more familiar with signing a document and then faxing it than with using PGP or S/MIME to sign an email.

    62. Re:Magnetic strip? by Anonymous Coward · · Score: 0

      I can think of a few things:

      Freedom of speech/press: Truth is an absolute defense to a defamation claim in the USA. And "hate speech" is a social taboo, but not illegal. It's illegal to express certain political opinions in many European countries. American pornographers certainly face more restrictions, but political speech is really what freedom of speech is about.
      Firearms: Well, duh.
      Religion: Some European countries still have established churches, actually supported by a part of your taxes. In America it can be hard to even get government money to a charity or school buses to schools that are affiliated with a church.

    63. Re: Magnetic strip? by gweihir · · Score: 1

      Ah, sorry. "Checks" went out of fashion here about 15 years ago. You can still use them, but there is a significant fee on that (like $10 or so per instance). Everybody is obliged to accept bank transfers without fee and they are basically free and next-day.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    64. Re:Magnetic strip? by gweihir · · Score: 1

      Mostly correct. But take into account that basically all regular payments and quite a few others are payee-initiated. The case where you accidentally transfer money to the wrong target has become rare, and rarer still with checksums in the IBAN and a library function for targets in most e-banking software. There are also additional measures. Where I live, the name and address of the target account holder has to match, or the target bank will fail the transfer. And on large or suspicious transfers, they can and usually do ask for confirmation.

      As long as you read your statement carefully each month, and are somewhat careful when filling out bank transfer orders, the system works fine.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
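The IBAN checksum mentioned in the comment above is ISO 7064 MOD 97-10 over the whole account identifier, and it is what lets e-banking software reject a mistyped target before the order is sent. The following is an added example, not code from the thread or from any bank's software; the sample IBANs are the well-known specimen values, not real accounts, and the "reject" message wording is assumed.

```python
import string

# Constructed samples: the published ISO specimen IBANs plus two damaged copies.
SAMPLE_IBANS = {
    "GB82 WEST 1234 5698 7654 32": True,
    "DE89 3704 0044 0532 0130 00": True,
    "GB82 WEST 1234 5698 7654 23": False,   # last two digits transposed
    "DE89 3704 0044 0532 0130 01": False,   # single-digit typo
}


def normalize(iban: str) -> str:
    """Strip the spaces people type in and upper-case the letters."""
    return iban.replace(" ", "").upper()


def _to_numeric(iban: str) -> str:
    """ISO 7064 step: move the 4-char prefix to the end, map A..Z to 10..35."""
    rearranged = iban[4:] + iban[:4]
    out = []
    for ch in rearranged:
        if ch.isdigit():
            out.append(ch)
        elif ch in string.ascii_uppercase:
            out.append(str(ord(ch) - ord("A") + 10))
        else:
            raise ValueError(f"invalid IBAN character {ch!r}")
    return "".join(out)


def iban_is_valid(iban: str) -> bool:
    """True iff the two check digits are consistent with the rest of the IBAN.
    MOD 97-10 detects every single-character error and every adjacent transposition."""
    iban = normalize(iban)
    if not (5 <= len(iban) <= 34):
        return False
    if not (iban[:2].isalpha() and iban[2:4].isdigit()):
        return False
    try:
        return int(_to_numeric(iban)) % 97 == 1
    except ValueError:
        return False


def compute_check_digits(country: str, bban: str) -> str:
    """Check digits for a new IBAN: 98 minus (country + '00' + BBAN) mod 97."""
    candidate = normalize(country) + "00" + normalize(bban)
    remainder = int(_to_numeric(candidate)) % 97
    return f"{98 - remainder:02d}"


def validate_transfer_target(iban: str) -> str:
    """What an e-banking form can do before the order leaves the browser (assumed wording)."""
    if iban_is_valid(iban):
        return "ok"
    return "reject: IBAN check digits do not match (typo?)"


if __name__ == "__main__":
    for sample, expected in SAMPLE_IBANS.items():
        print(f"{sample}: valid={iban_is_valid(sample)} (expected {expected})")
```

The checksum only catches typing errors; it says nothing about whether the account belongs to the person you think it does, which is why the comment's other measures (payee name matching, confirmation on large transfers) still matter.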
    65. Re:Magnetic strip? by gweihir · · Score: 1

      Unfortunately, not always after a longer time. I think you have 3 days or so for a regular cancel, but, depending on country, after that the target bank may pay out the money and in some countries that means you have to get it back from the person that owns the target account. If they are known, that works as well (people are _not_ allowed to spend money they get by a bank transfer out of the blue), but some countries are shoddy with verifying the identity of customers and in e-fraud-cases (and hacked online-banking) people have transferred money, withdrawn it after 3 days and then vanished. If it is not a large sum, then that money is likely gone. On a large sum, the target bank can be obliged to refund the money, because of their failure to identify the customer properly. You may have to sue them though.

      But the bottom line is that if you made an honest mistake, you will likely get the money back. If you were defrauded, that is not assured.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    66. Re:Magnetic strip? by gweihir · · Score: 1

      Indeed. I think in NK they tell them that the rest of the world is starving and living in concentration camps, etc. The technique of the "Big Lie" works pretty well once some border-conditions are met.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    67. Re:Magnetic strip? by gweihir · · Score: 1

      When you take into account that a bank transfer costs next to nothing, and all other forms of payment cost more, I do not think you have a point.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    68. Re: Magnetic strip? by Gussington · · Score: 1

      Do you also use a fax machine instead of email?

      I had to fax pay stubs to my home state when I applied for health insurance. I guess courts are more familiar with signing a document and then faxing it than with using PGP or S/MIME to sign an email.

      As I said, dark ages. Where I live almost everything is electronic. In the rare case that a signature is required, then only a real in-person signature in ink will suffice. A fax of a signature is not a valid signature.

    69. Re:Magnetic strip? by Gussington · · Score: 1

      When you take into account that a bank transfer costs next to nothing, and all other forms of payment cost more, I do not think you have a point.

      Cost more, because it does more. That is pretty much how the world works yeah?

    70. Re: Magnetic strip? by Anonymous Coward · · Score: 0

      I can tell you that definitely NOT all payment service providers care about CVV and yes I'm talking about their live environment, not a test environment. Some completely ignore it. It's mandatory to send for some but they never check the value. Most I know do require AND check it but definitely not all.

    71. Re: Magnetic strip? by Anonymous Coward · · Score: 0

      Because not all banks issue the PIN, except for the initial one. My bank in Canada lets me choose my PIN for example. My bank in Germany didn't let me choose but started not changing the PIN when cards expired.

    72. Re:Magnetic strip? by Anonymous Coward · · Score: 1

      Freedom of speech/press: Truth is an absolute defense to a defamation claim in the USA.

      As it is in most European countries. The UK is the only exception I am aware of.

      And "hate speech" is a social taboo, but not illegal. It's illegal to express certain political opinions in many European countries. American pornographers certainly face more restrictions, but political speech is really what freedom of speech is about.

      I do not agree that hate speech is a taboo in the US. It happens a lot and I think it is one of the main causes of all the racially motivated violence in the US. However, the US has legal restrictions of freedom of speech that are far more troubling. There is an entire branch of government that is not only operating secretly, but much of what it does cannot be discussed and those who try to inform the public have to flee the country or face prosecution. Moreover, taboos, the pervasiveness of religion, the narrowness of the political spectrum and the national superiority complex limit the public discourse in the US much more than in other Western countries.

      Firearms: Well, duh.

      With regard to firearms, I value the freedom from being shot much higher than the freedom to shoot someone. I would like everyone to be as free as is possible without limiting the freedom and safety of others. Allowing everyone to carry firearms all the time is not compatible with that requirement. It serves no purpose and it causes many thousands of deaths and injuries every year.

      Religion: Some European countries still have established churches, actually supported by a part of your taxes.

      This is simply not true. Some countries indeed have an established church, but that is only in name. The only consequence is that the king is a member. The established church does not have any privileges that other religious organisations do not have. No church is paid for by taxes of non-members, except in the sense that churches are often tax exempt. There are a few countries where churches can levy taxes on the income of their members, however. This is an additional tax on top of government-levied taxes. It is not paid by anyone who is not a member of that church.

      Do children in American schools still have to pledge their allegiance to a flag under an imaginary creature?

    73. Re:Magnetic strip? by gweihir · · Score: 1

      Ah, no? Use the function you need (transfer the money), pass on any extras that are not needed and that cost extra money?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    74. Re:Magnetic strip? by lsatenstein · · Score: 1

      Note that it's a French bank. In Europe (at least the UK where I live and the other parts of Europe that I've travelled to), we use chip cards, which means that that is already a solved problem here; cloning the magnetic strip doesn't get you the PIN number, and you can't do anything without that. So you don't need any fancy changing card number to solve that problem, you north-Americans just need to get with the program. As long as you can make transactions with just something as easily cloneable as the magnetic strip, you're going to have that problem.

      Canadian institutions have been using chip technology cards since 2010. Debit cards have the magstripe for those mom and pop stores. Still, it's safe because the PIN is compulsory/obligatory.

      --
      Leslie Satenstein Montreal Quebec Canada
    75. Re:Magnetic strip? by Dahamma · · Score: 1

      That would be awesome if every online consumer could have their own secure card reader but there are several major issues with that:
        1) that's a HUGE expense for all credit card users worldwide
        2) it's an even HUGER inconvenience - which I should probably have listed as #1 since that's all the big banks (sorry Sweden) care about
        3) a card reader connected to a PC is a huge hacking vector - if someone came up with "perfect security" that wouldn't matter but no one has yet...

    76. Re:Magnetic strip? by Dahamma · · Score: 1

      I'm not sure what you are going for here, but your "argument" isn't adding anything. You focused on a trivially unlikely part of my OP and didn't even quote it correctly.

      "End-to-end cryptographic security" != "end to end encryption" - you changed that phrasing yourself. E2E security means everything in the process by definition, OBVIOUSLY.

      But that's just addressing the totally fucking irrelevant part of your and my posts. Almost nothing to do with the real point. Assuming you write code for banks and are defending the horrible practices they just put in place this year!?

    77. Re:Magnetic strip? by Dahamma · · Score: 1

      I have personally experienced that it's NOT required by ALL, so your assertion of ALL is 100% INCORRECT.

    78. Re: Magnetic strip? by Dahamma · · Score: 1

      Irrelevant. If a bank has a definition of "weak" they should be expected to refuse it. If they allow you to choose it then it's not your problem.

    79. Re: Magnetic strip? by Dahamma · · Score: 1

      It's basically the same here (I have used maybe 4-5 checks in the past few years) but it cost me NOTHING EXTRA. Some people use more - many more - but it costs them NOTHING EXTRA.

      So how does not charging an extra fee for the occasional physical check make the system I use "the Dark Ages"? Seems more like your system gives you no respect for the money you have deposited in your bank that they are investing in their own ventures without any significant gain for you. I bet you think your system is somehow different from "pure Capitalism", huh? How quaint.

    80. Re:Magnetic strip? by Shinobi · · Score: 1

      To answer each in turn:
      1: The devices are part of standard account package.
      2: The inconvenience of the sloppy security of US bank practices is greater
      3: The card reader is not connected to the PC when doing any of the things I mentioned. Only if you choose to use any cert-based method do you need to plug it in, and that's entirely optional.

    81. Re:Magnetic strip? by Herve5 · · Score: 1

      I have this too (in France, with Credit Cooperatif). The 'small card reader' is in fact enormous (worth 10 cards piled up, plus larger and longer).
      With another french bank (the post office), we receive an SMS with a code one must enter on their site to validate the transaction. Weightless... as long as you have a phone (granted, this is very often).
      But the rolling number on the card itself is definitely lighter.

      --
      Herve S.
    82. Re:Magnetic strip? by Dahamma · · Score: 1

      1: The devices are part of standard account package.

      YOUR bank's package, but not the package of probably a billion other credit card users.

      2: The inconvenience of the sloppy security of US bank practices is greater

      No, it's clearly not. I'm not defending the security in any way, I'm just pointing out the FACT that banks sacrifice security for convenience, and they end up knowingly eating the CC fraud costs. They won't change that practice until it's financially worthwhile for THEM.

      3: The card reader is not connected to the PC when doing any of the things I mentioned. Only if you choose to use any cert-based method do you need to plug it in, and that's entirely optional.

      I just re-read your comment, and WOW, inconvenience is an understatement. When I want to order something on Amazon I click one button, walk away, and it generally arrives the next day. See #2 as to why neither the banks nor Amazon, etc want that to change...

    83. Re:Magnetic strip? by Shinobi · · Score: 1

      1: All banks in Sweden, and many banks in europe have this as part of basic services. Others use SMS as part of the authentication chain. The SMS checksums are common in south america too. The US and Canada really do stand out in these sloppy security practices.

      2: Yes, it clearly is. Due to the way the US system is setup, Blizzard, Steam etc are all serious credit card exposure risks, to the degree that I use one-time CC numbers for purchases through them. However, with the systems used here in europe, that risk is massively reduced. So, US banks choose to expose their customers to unnecessary CC fraud risk.

      3: If 20-30 seconds extra time to give you massively increased security is such an inconvenience, measures like these would not have become so popular in europe, south america and asia. Hell, banks should love it because it'd reduce charge-back fraud too.

    84. Re:Magnetic strip? by Gussington · · Score: 1

      Ah, no? Use the function you need (transfer the money), pass on any extras that are not needed and that cost extra money?

      You might be happy to wait until the next day for your money, then hope the money arrives, but some transactions need it now (eg paying for a taxi), and some people like the extra fraud protection that Credit Card services offer (mine even gives me free travel insurance). This convenience, like every other convenience comes with a fee and most people are happy to accept this.

    85. Re:Magnetic strip? by Dahamma · · Score: 1

      If 20-30 seconds extra time to give you massively increased security is such an inconvenience, measures like these would not have become so popular in europe, south america and asia. Hell, banks should love it because it'd reduce charge-back fraud too.

      This isn't just my statement of personal preference - it's MASSIVE amounts of data proving that is true. It's a marketing and e-commerce fact that the drop off funnel of a mere 30 seconds is huge. Losses from this seemingly tiny "inconvenience" utterly dwarfs any fraud. That's the WHOLE POINT OF THIS DISCUSSION!

      You are trying to compare the banking practices of a country with a population the size of the metro area I live in with an entire country that has a GDP larger than all of Europe. And I'm not bragging about that consumer power, in many ways there is a cultural element that may be resisting good ideas. But in the end you don't think VISA has more actuaries and statisticians than almost any other company on the planet? They know exactly what inconveniences the US market will bear, and are willing to eat fraud to preserve top line revenue...

    86. Re:Magnetic strip? by Shinobi · · Score: 1

      First of all, there's actually no such data regarding checkout. The data is regarding ease of browsing and ease of GETTING to the checkout.

      As I clearly stated, it's not just Sweden. In fact, most of the world has introduced more secure but slightly more inconvenient payment methods. In fact, VISA, which you mention, is one of the developers of, and proponents of these methods, since they are more secure.

  2. The way to do it by Okian+Warrior · · Score: 5, Insightful

    This seems like a misguided solution to the problem. If someone steals the card, then this feature won't help.

    Bruce Schneier pointed out the real solution years ago. If your card has some processing power and a display (which this solution has), just add a keypad (similar to a calculator in credit-card size).

    The keypad is for a pin. The owner keys in the pin, the card generates a one-time-use credit card number, and the waiter/salesman can take the card to the back and swipe it or whatever. When the card is lost, the thieves won't know the pin. If the number is copied, it can't be used beyond the first sale.

    You can even use this on a computer peripheral. The software on the card is fixed and can't be hacked.

    Multiple accounts can be stored on one card, so you only need one card instead of multiple credit cards in your wallet.

    Of course, the thieves can kidnap the owner, but that's not the problem this addresses.

    A smart card with pin on the card prevents all kinds of copying, skimming, lost cards, even online accounts.

    Since we're switching to smart cards, I don't know why we simply haven't switched to the final solution.

    1. Re:The way to do it by Anonymous Coward · · Score: 0

      Because unless Oberthur Technologies, Gemalto or G&D are the ones issuing the cards, they aren't interested in rolling out the real solutions, just continuous upgrades they can bill the bank who ultimately bills you the customer.

    2. Re:The way to do it by Anonymous Coward · · Score: 0

      That's Chip+PIN, if done correctly. In the EU, you can get a small card reader with keypad and display that generates a TAN which is only valid for the amount and recipient that has been entered into the reader and authorized with the PIN. The bare bones version requires that the data is entered via the keypad. A more comfortable version reads the transaction details from a screen and only uses the keypad for the PIN.
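
The Swedish reader described earlier in the thread (card in, challenge keyed in, PIN, control code out), flabman's point that such a code validates the specific transaction, and the TAN "only valid for the amount and recipient" in the comment above are the same mechanism. Below is an added example of that exchange with both sides' messages; it is not code from the thread or from any bank's reader. The HMAC-SHA256 construction, the PIN check in the reader, the 8-digit truncation and the order fields are all assumptions standing in for the EMV cryptogram a real reader uses.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 8   # flabman's reader above returns an 8-digit control code


def transaction_code(key: bytes, challenge: str, amount_cents: int, payee: str,
                     digits: int = CODE_DIGITS) -> str:
    """Decimal code from an HMAC over the challenge AND the order details
    (assumed construction; real readers use the card's own cryptogram)."""
    msg = f"{challenge}|{amount_cents}|{payee}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** digits:0{digits}d}"


class CardReader:
    """Stand-alone reader, never plugged into the PC. It checks the PIN locally and
    signs exactly what the user keyed in, not what the browser showed."""

    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def sign(self, pin: str, challenge: str, amount_cents: int, payee: str) -> str:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise PermissionError("wrong PIN")
        return transaction_code(self._key, challenge, amount_cents, payee)


class Bank:
    """Bank side: one fresh challenge per order, verification against the order the
    bank actually received, and no second use of a challenge."""

    def __init__(self, card_keys):
        self._keys = dict(card_keys)   # card id -> key shared with that card/reader
        self._pending = {}             # challenge -> (card, amount_cents, payee)

    def start_order(self, card: str, amount_cents: int, payee: str, nonce=None) -> str:
        challenge = nonce if nonce is not None else f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[challenge] = (card, amount_cents, payee)
        return challenge   # displayed to the customer, who keys it into the reader

    def confirm(self, challenge: str, control_code: str) -> bool:
        order = self._pending.pop(challenge, None)   # consumed even when the code is wrong
        if order is None:
            return False
        card, amount_cents, payee = order
        expected = transaction_code(self._keys[card], challenge, amount_cents, payee)
        return hmac.compare_digest(expected, control_code)


def honest_checkout(bank, reader, card, pin, amount_cents, payee, nonce=None) -> bool:
    challenge = bank.start_order(card, amount_cents, payee, nonce)
    return bank.confirm(challenge, reader.sign(pin, challenge, amount_cents, payee))


def tampered_checkout(bank, reader, card, pin, amount_cents, payee, mule, nonce=None) -> bool:
    """Browser malware swaps the payee in the order sent to the bank; the user still
    keys the intended payee into the reader, so the code covers the wrong order."""
    challenge = bank.start_order(card, amount_cents, mule, nonce)
    return bank.confirm(challenge, reader.sign(pin, challenge, amount_cents, payee))


if __name__ == "__main__":
    key = b"constructed-card-key"   # constructed sample secret shared by card and bank
    bank, reader = Bank({"card-1": key}), CardReader(key, "1234")
    print("honest:", honest_checkout(bank, reader, "card-1", "1234", 4999, "SE12 shop"))
    print("tampered:", tampered_checkout(bank, reader, "card-1", "1234", 4999, "SE12 shop", "SE99 mule"))
```

The property worth noticing is in `confirm`: the bank recomputes the code from the order it holds, so a code is only good for that challenge, that amount and that payee, and only once. This is what the hourly three-digit code in the article cannot give you; it proves the card was in someone's hand this hour, not what they agreed to pay.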

    3. Re:The way to do it by wagnerrp · · Score: 1

      Are there any online stores that currently support local chip readers on a customer's computer?

    4. Re:The way to do it by Anonymous Coward · · Score: 0

      Ohh I like that idea.

    5. Re:The way to do it by Anonymous Coward · · Score: 0

      Are there any online stores that currently support local chip readers on a customer's computer?

      When I make a payment online, the website redirects me to a webpage from my bank and I have to use a chip reader said bank gave me. Coincidentally I just made such a payment literally a minute ago ordering some DnD books from our local variant of Amazon.

    6. Re:The way to do it by unrtst · · Score: 1

      That's Chip+PIN, if done correctly.

      Nope. I appreciate that chip+pin is relatively secure, but it's not the same as what the GP pointed out.
      With chip+pin, you must enter your pin on hardware that someone else owns.
      Entering the pin on the card would be more secure and keep more of your info private.

      Also, chip+pin does nothing to help with online sales, or any sales where they simply choose not to use a chip+pin transaction. Someone can copy down your card number and expiration date and make transactions. If you had to enter a pin on the card just to get it to display the (temporary) card number, that would make that scenario impossible.

    7. Re:The way to do it by TroII · · Score: 1

      This seems like a misguided solution to the problem. If someone steals the card, then this feature won't help.

      I've had credit cards compromised 3 times over the years but it's never been because the physical card was stolen. Is that really a common problem in the grand scheme of things? From an American perspective, most ID theft tends to happen when some merchant is breached and thousands or millions of stored numbers+CVV get leaked. This approach makes those leaks useless. Sure, some people will still lose their wallet or get their purse stolen, but that's small potatoes in terms of the fraud that goes on every day.

    8. Re:The way to do it by orogorhotmail.com · · Score: 1

      -> Are you being ironic? That's almost how European credit cards have worked for two decades; actually it is much more powerful than what you describe.

      Bruce Schneier pointed out the real solution years ago. If your card has some processing power and a display (which this solution has), just add a keypad (similar to a calculator in credit-card size).
      ->When you insert your card into a terminal, that's what you get, a keypad plus a screen

      The keypad is for a pin. The owner keys in the pin, the card generates a one-time-use credit card number,
      ->CC cards generate unique transaction id already
        and the waiter/salesman can take the card to the back and swipe it or whatever. When the card is lost, the thieves won't know the pin. If the number is copied, it can't be used beyond the first sale.
      ->You actually don't give your card to the waiter, waiters have a wireless terminal they give you, it kinda goes faster

      You can even use this on a computer peripheral.
      ->with the CC actually you can, it's a kind of computer in itself. If you could hack a CC protocol, we'd have a lot of other problems

      The software on the card is fixed and can't be hacked.
      -> that's the case

      Multiple accounts can be stored on one card, so you only need one card instead of multiple credit cards in your wallet.
      ->that's the case, but banks don't like to share, so issued cards only allow you to choose from accounts from your issuing bank

      Of course, the thieves can kidnap the owner, but that's not the problem this addresses.
      ->Neither do EU CC cards. (For stolen cards, nowadays for internet transactions your bank texts you a temporary code to input in addition to your card number.)
      ->Contactless payment, added a few years ago, is a convenience which would allow stealing 45€ max

      A smart card with pin on the card prevents all kinds of copying, skimming, lost cards, even online accounts.
      ->EU CC cards as well, as a bonus they do actually exist

      Since we're switching to smart cards, I don't know why we simply haven't switched to the final solution.
      -> neither do i

    9. Re:The way to do it by whopub · · Score: 2

      I've been using a service called MBnet in portugal. It basically generates a virtual CC number you can use (once or up to a limit amount you pick) like it was a VISA CC number. It's perfect. I haven't used my credit card number directly online since Paypal came up, and I have used paypal only on very special occasions, 3 or 4 times in many more years, since I use MBnet. The advantage of MBnet is that I don't have to worry about paying the credit card expenses to avoid interest rates. It allows me to use the CC like a debit card, online, without ever owing anything.
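
Both the keypad card proposed at the top of this sub-thread (PIN in, one-time card number out) and the MBnet service above rest on the same issuer-side idea: hand the merchant a number that passes every syntactic check a real card number does, but that maps to your account only inside the issuer and carries its own cap or single-use flag. The following is an added example of that service; it is not MBnet's code nor anything from the thread. The BIN prefix, the limit policy and the decline strings are assumptions, and the real PAN used is the standard test number, not a real card.

```python
import random


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:           # the digit next to the check digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Luhn catches every single-digit typo, so merchants reject garbage before calling the network."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class VirtualCardService:
    """Issuer-side virtual card numbers: each maps to the real PAN only inside the
    issuer, carries a spending cap, and optionally dies after one use (assumed design)."""

    def __init__(self, bin_prefix: str, seed=None):
        self._bin = bin_prefix
        # A seeded generator is for reproducible tests only; production uses SystemRandom.
        self._rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self._cards = {}   # virtual PAN -> state

    def issue(self, real_pan: str, limit_cents: int, single_use: bool = False) -> str:
        if not luhn_valid(real_pan):
            raise ValueError("real PAN fails the Luhn check")
        while True:
            body = self._bin + "".join(str(self._rng.randrange(10)) for _ in range(15 - len(self._bin)))
            vpan = body + luhn_check_digit(body)
            if vpan != real_pan and vpan not in self._cards:
                break
        self._cards[vpan] = {"real_pan": real_pan, "remaining": limit_cents,
                             "single_use": single_use, "used": False}
        return vpan   # this, not the real PAN, is what the merchant ever sees

    def authorize(self, vpan: str, amount_cents: int) -> str:
        if not luhn_valid(vpan):
            return "decline: bad check digit"
        card = self._cards.get(vpan)
        if card is None:
            return "decline: unknown card"
        if card["used"]:
            return "decline: card already used"
        if amount_cents > card["remaining"]:
            return "decline: limit exceeded"
        card["remaining"] -= amount_cents
        if card["single_use"]:
            card["used"] = True
        return "approve"

    def real_pan_for(self, vpan: str) -> str:
        """Only the issuer can resolve this; a breached merchant database cannot."""
        return self._cards[vpan]["real_pan"]


if __name__ == "__main__":
    svc = VirtualCardService("411111")
    real = "4111111111111111"              # standard test PAN, not a real account
    leaked = svc.issue(real, limit_cents=5000, single_use=True)
    print("merchant charges:", svc.authorize(leaked, 4200))
    print("fraudster replays the leaked number:", svc.authorize(leaked, 100))
```

Note what a leak of `leaked` buys an attacker here: at most the unspent remainder of the cap, and nothing at all once a single-use number has been charged. The real PAN never leaves `VirtualCardService`.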

    10. Re:The way to do it by Anonymous Coward · · Score: 0

      ->When you insert your card into a terminal, that what you get, a keypad plus a screen

      That keypad might be compromised. You have no way of knowing that the vendor-supplied terminal won't simply log the pin for later use. The keypad should be user-supplied, and the only thing that should ever be given to vendors is something that can only be used once. Anything less is security theatre.

    11. Re:The way to do it by newcastlejon · · Score: 4, Informative

      Also, chip+pin does nothing to help with online sales, or any sales where they simply choose not to use a chip+pin transaction. Someone can copy down your card number and expiration date and make transactions.

      If you RTFS* you'd see that the card number isn't what changes, it's the CVV2 code on the back of the card. For a long time you've needed these three digits for any "customer not present" transactions (phone or online orders), so just writing down the card number isn't nearly as big a risk as it was in the past.

      What this new card does is make it very difficult to do CNP transactions without having the card physically present; scammers could copy the details but they'd only be good for an hour at most, and most merchants would be wary of dispatching goods to somewhere other than the billing address, at least for the first time they're provided with that card's details.

      *Easily forgiven when the headline gets it wrong too.

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.
    12. Re:The way to do it by Kjella · · Score: 1

      I've had credit cards compromised 3 times over the years but it's never been because the physical card was stolen. Is that really a common problem in the grand scheme of things? From an American perspective, most ID theft tends to happen when some merchant is breached and thousands or millions of stored numbers+CVV get leaked. This approach makes those leaks useless.

      It also makes the purpose of the stored info useless, since it's either recurring services or to make checkout easier. I find it odd that they'd need to store the original input though, they should pass that to VISA and get a sort of authorization token, which would only be valid for their merchant account. That way you can hack eBay's database but unless you're eBay you can't charge anyone. Then you'd have to capture card info live the first time it's entered.

      --
      Live today, because you never know what tomorrow brings
    13. Re:The way to do it by Anonymous Coward · · Score: 0

      Every time my credit card is charged, I get instant notification on my phone. I can also deactivate and reactivate the card from the app at any time, so if someone made an illegal charge on it, I would know and could shut it down right away.

    14. Re:The way to do it by Anonymous Coward · · Score: 0

      With the system I described, you use your own reader. It's like entering the pin on the card, just that the card and the interface are separate, but both under your control. The card reader generates a TAN, which can safely be entered into a potentially compromised system (like the internet), because it can only be used to authorize that particular transaction. Consider the TAN your temporary card number, except it's safer than that, because it's tied to a particular transaction.

    15. Re: The way to do it by Anonymous Coward · · Score: 0

      It doesn't really matter. If the merchant advises the transaction was secure, the bank will authorise it. You don't need to have the customer input the PIN, you just need your software to report that they did.

    16. Re:The way to do it by menkhaura · · Score: 2

      My bank here in Brazil (Banco do Brasil) offers a similar service, but only for *credit* cards. I love it, and it is secure too: the CC number generated is shown half on your computer, half on your registered cellphone (SMS). After the number of transactions you specify, up to the limit amount you pick, and until the expiry date you choose, that virtual credit card isn't valid anymore.

      --
      Stupidity is an equal opportunity striker.
      Fellow slashdotter Bill Dog
    17. Re: The way to do it by Anonymous Coward · · Score: 0

      How long before banks run out of card numbers...?

      Out of the fourteen digits, one is the checksum and the first four are the bank number; that leaves nine digits, which isn't all that much if new ones are constantly being generated...

    18. Re:The way to do it by dweller_below · · Score: 1
      I think the most important key to solving the current problems with credit cards is to finally accept that a single approach will not work well for many use cases.

      I am looking for something that gives ME (the owner of the account/money) a number of solutions. I need the following:

      • Options to securely manage my underlying account over the internet. I can understand why some options aren't default, but my bank doesn't seem to even know that problems exist. I would like to protect my connections with overbuilt encryption. Or choose to refuse connections unless they use the latest, strongest encryption. Or reject weak ciphers and key sizes. Or require multi-factor authentication. Or require a range of source IP addresses. Or require a single, secure, pre-distributed OS (distributed on a cheap, reliable USB stick). Currently, they don't allow me to require any of these.
      • I want my bank to enable single, one-time, cheap, secure, online transactions. It is crazy that my bank continues to pretend that it is not connected to the internet. Or that online commerce can only exist by using ancient, insecure, expensive, slow 19th century methods. Online purchasing should be more (not less) secure than "chip and pin", because we have much greater capability to confirm the identity of the participants and the nature of the transaction. It can also be much quicker and cheaper. Having Apple, Google, or PayPal add another non-transparent layer between me, my bank, my vendor and his bank just seems insane.
      • I want my bank to enable ongoing, cheap, secure, static payments to pay bills. Currently, I don't allow automatic payments of my bills because Comcast (and others) think they should be able to spontaneously increase their charges. I want to set up an "Only this much, this often, to this entity" payment. Then, if somebody wants to charge more, we re-negotiate with full knowledge of the change.
      • Chip and Pin seems to be an acceptable compromise for the current transition to payment via trusted device. I need to figure out what device method I can trust. So far, no help from my bank on that front either.

      Is Paypal capable and trusted enough to be used as a bank?

    19. Re:The way to do it by jittles · · Score: 1

      Are there any online stores that currently support local chip readers on a customer's computer?

      I know that FirstData was working with some company out of Venezuela to do this for online transactions. I am not sure the name of the company, but the idea was that it was cheaper to issue chip readers to people at home than it was to deal with the rampant credit card fraud that exists there at the moment.

    20. Re: The way to do it by Anonymous Coward · · Score: 0

      They get reused eventually, which is fine, as expiration and security codes will be different each time.

    21. Re:The way to do it by Anonymous Coward · · Score: 0

      That is for bank cards, not credit cards.

    22. Re:The way to do it by ruir · · Score: 1

      No idea why the parent post was modded down. Here in Portugal MB.net really does work. The weak point of the solution is that access to MB.Net itself is rather weak. I understand targeting the lowest common denominator, however not having 2FA at this point of the game, and having only a user *and* a pin, does not make any sense.

    23. Re:The way to do it by Anonymous Coward · · Score: 0

      Bruce Schneier pointed out the real solution years ago. If your card has some processing power and a display (which this solution has), just add a keypad (similar to a calculator in credit-card size).

      The keypad is for a pin. The owner keys in the pin, the card generates a one-time-use credit card number, and the waiter/salesman can take the card to the back and swipe it or whatever. When the card is lost, the thieves won't know the pin. If the number is copied, it can't be used beyond the first sale.

      Which NFC smartphone payments are closest to actually implementing (Apple Pay, and I assume the Android equivalent works similarly).

    24. Re:The way to do it by Anonymous Coward · · Score: 0

      My bank (in Sweden) allows me to generate a "new" electronic credit card. New number, new CVC, select when the card expires and the amount of money on the card. Great for online purchases: set the amount on the card to match the thing you are buying and make the card expire in one month.

      Also works really well for sites that require a subscription: set the expiry date and amount to the number of months you want the subscription. No need to remember to cancel it ;)

    25. Re:The way to do it by Gussington · · Score: 1

      Bruce Schneier pointed out the real solution years ago. If your card has some processing power and a display (which this solution has), just add a keypad (similar to a calculator in credit-card size)....

      ...Since we're switching to smart cards, I don't know why we simply haven't switched to the final solution.

      This seems pretty cave man to me, since we already have such a device called a cell phone in our pockets which does all this, and guess what, my bank already has apps that do all this right now today.
      So yeah, catch up would ya!

    26. Re:The way to do it by tepples · · Score: 1

      A bootstrap issue:

      the CC number generated is shown half on your computer, half on your registered cellphone (SMS).

      Then how do you pay your cellphone bill?

    27. Re:The way to do it by tepples · · Score: 1

      I guess it's a matter of how much your carrier charges you per year for the privilege of being able to connect your cell phone to its network.

    28. Re:The way to do it by menkhaura · · Score: 1

      I pay my regular bills using the bank's website, not the credit card. These "virtual CC numbers" are useful for when you don't want to hand out your CC details to some random Internet shop. Even though they say they never store our credit card information, I don't quite believe it, so I feel safer that way.

      --
      Stupidity is an equal opportunity striker.
      Fellow slashdotter Bill Dog
    29. Re:The way to do it by Gussington · · Score: 1

      You mean like how I have to pay for the privilege of running water and electricity?
      Your cave might not have these things, but I assure you the rest of us are happy to pay for such luxuries...

    30. Re:The way to do it by Some_Llama · · Score: 1

      so.. a smart phone?

  3. privacy.com does better by junk · · Score: 5, Interesting

    I have no affiliation to privacy.com other than being a user.

    I've been using privacy.com to generate randomized credit card numbers for a while now. It's the same type of thing we had in the 90s with certain credit card companies but better. I have static cards with monthly limits for recurring charges, static cards with max per transaction limits for online merchants I frequent and one time use burner cards for just about everything else. I can see all declined transactions per card, which lets me track it down to a merchant. It's the same thing I do for email (per account email addresses for spam tracking) but better because I don't have to manage it myself.

    1. Re:privacy.com does better by ModernGeek · · Score: 1

      /r/hailcorporate .. wait, wrong site

      --
      Sig: I stole this sig.
    2. Re:privacy.com does better by junk · · Score: 1

      Pick your poison. Trust your bank or trust a private business. Banks can be "too big to fail" but companies go bankrupt all the time. Who do you think has more incentive to do a better job?

  4. steal what's verified by sittingnut · · Score: 2

    instead of being a "huge blow" this might help the criminals, since something algorithmically predictive that depends on other permanent numbers or id info, must be verified,

    1. Re:steal what's verified by jittles · · Score: 1

      instead of being a "huge blow" this might help the criminals, since something algorithmically predictive that depends on other permanent numbers or id info, must be verified,

      Chip cards already generate a new CVV each time a transaction is run. All this does is let you do the same thing in the Card Not Present world.

  5. Virtual cards ? by daedric · · Score: 3, Interesting

    A system was developed some time ago to generate a virtual card, tied to your debit/credit card, with a short(er) limit (plafond) and validity. Also, it is limited to one entity, the first one that actually used the card. It has worked perfectly so far, although certain companies, like PayPal, start to get suspicious about the constant adding/removing of cards. Regarding this number changing method, how are the new numbers generated? How does the bank know that the numbers are valid?

    1. Re:Virtual cards ? by Anonymous Coward · · Score: 0

      2FA technology has been in play for years, interesting application to credit cards but probably not going to catch on. Just doing a 2FA service for credit cards would probably work better.

    2. Re:Virtual cards ? by ShaunC · · Score: 3, Informative

      Regarding this number changing method, how are the new numbers generated? How does the bank know that the numbers are valid?

      I presume it works just like a SecurID or other access control dongle. Your card is seeded with a value known to the bank. The card plugs that seed and the current time into an algorithm that generates the number. When you go to make a purchase, the bank runs the same calculation and looks to see if the numbers match.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    3. Re: Virtual cards ? by daedric · · Score: 1

      Makes sense. Considering the method, how difficult would it be to guess/find the seed?

    4. Re: Virtual cards ? by ShooterNeo · · Score: 1

      It can be made impossible if the seed is complex enough. What you're saying is, "I know what a number in a sequence is, every hour. I know the algorithm the sequence uses, I just don't know the seed. How many numbers in series do I need to see to calculate the seed".

      If they did it right, you need more than 26,280 numbers to determine the seed. But honestly, if you think about it, if a thief steals your card and starts watching the numbers flick by, as long as it takes more than a few numbers to determine the seed, that's plenty. After all, the whole reason to figure out the seed by crook is so you can then return a card to someone and clone their card and they won't report it stolen. If this takes more than a few hours, best case, the person is going to notice and report it.

    5. Re:Virtual cards ? by tijgertje · · Score: 1

      Like most banks in Europe already have?
      If I make an online purchase with my CC I always have to confirm it with the card reader (2FA).
      Only Eve Online (online game) does not get those checks any more because I pay them every month with the CC.

  6. Yes, but... by Overzeetop · · Score: 1, Flamebait

    Most Americans would just write the pin on their card so that they wouldn't forget it.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Yes, but... by Anonymous Coward · · Score: 0

      No, most of them wouldn't. You're entirely ignorant of how the rest of the world works which is ok, but try not to showcase it like a worthless twat.

    2. Re:Yes, but... by Anonymous Coward · · Score: 0

      right next to the "verified by visa" password, of course.

    3. Re: Yes, but... by Anonymous Coward · · Score: 0

      I used to work in retail. I never, not once, ever saw a PIN written on a card and about 90% of the transactions I dealt with were card.

  7. Useless numbers? by Anonymous Coward · · Score: 0

    The three digits on the back of this card will change, every hour, for three years.

    Three digits = 000 to 999, or 1000 possible numbers.

    Three years = 1095 days * 24 hours = 26280 changes.

    That means those numbers will repeat 26.28 times and will be far from "totally useless". A broken 12-hour clock is right twice a day and those broken numbers will be right 26 times in those three years.

    1. Re: Useless numbers? by Anonymous Coward · · Score: 0

      26 / 26280 = 0.00098934551

      Seems pretty useless to me with those odds.

    2. Re: Useless numbers? by Anonymous Coward · · Score: 1

      In the US, maybe. But you forget most other countries use metric time, which has many more available hours.

    3. Re: Useless numbers? by Anonymous Coward · · Score: 0

      I came up with 3.14159

    4. Re: Useless numbers? by Anonymous Coward · · Score: 0

      WTF, dude. The chance is one in a thousand, exactly.

    5. Re: Useless numbers? by Anonymous Coward · · Score: 0

      26.28 / 26280 = 0.001, or one thousandth.

    6. Re:Useless numbers? by ShaunC · · Score: 1

      A broken 12-hour clock is right twice a day and those broken numbers will be right 26 times in those three years.

      Unless you're attempting to use a stolen card every hour for 3 years, you'd have to get really fucking lucky to run your charge at the correct time. And attempting to charge a card every hour is going to get the card flagged for fraud long before your blind squirrel finds his nut.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    7. Re:Useless numbers? by aaarrrgggh · · Score: 1

      Fewer possibilities than that, since the third number would need to account for parity.

    8. Re: Useless numbers? by fred911 · · Score: 1

      And I use an SAE adjustable wrench; can't seem to find a metric adjustable in the US. Know where I can buy one?

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    9. Re: Useless numbers? by Bengie · · Score: 1

      1/1000 chance seems low until you have 1mil numbers. Then you have 1,000 cards that work during that one hour. Of course you won't know which ones until you "try" them, however that works.

    10. Re:Useless numbers? by Lehk228 · · Score: 1

      it effectively makes stealing cards+cvv no more valuable than cards with no cvv

      --
      Snowden and Manning are heroes.
  8. Trying to look safe for online purchases? by SolemnLord · · Score: 1

    The only time I even think about the three digits on the back of my card is when I'm buying something from an online storefront. Paypal is becoming an increasingly-available option that puts an extra layer between the store and my card numbers. Apple Pay is an option now as well, and I wouldn't be surprised if Android Pay follows suit (if it hasn't already!).

    That's a lot of middlemen taking a share of the payments pie, and all of them are offering more security and peace-of-mind than a physical piece of plastic. Makes sense to try and gain a bit more trust.

    1. Re:Trying to look safe for online purchases? by slashrio · · Score: 2

      PayPal has some ugly features that made me decide not to use it.

      --
      "Trump!!", the new Godwin.
    2. Re: Trying to look safe for online purchases? by Anonymous Coward · · Score: 1

      Yeah, the fact they're not regulated.

      The fact they can freeze your accounts on a whim.

      The fact they can blacklist you if you don't play the game according to their rules.

      Sorry, you can't PAY me to use PayPal.

  9. not sure how they handle recurrent payments by youn · · Score: 2

    if the card is essentially useless... then recurrent payments will be a pain

    --
    Never antropomorphize computers, they do not like that :p
    1. Re:not sure how they handle recurrent payments by Anonymous Coward · · Score: 1

      This is Europe, where direct debits and standing orders are how one usually makes recurrent payments (DD for amounts that change, like utility or phone bills and SO for fixed payments like rent or child support). Continuous Payment Authority, which is what you're talking about, is far less common here.

      With a direct debit (I think they call it autopay in the US) a merchant presents you with a bill periodically, then after a mandated wait (usually around two weeks) the money is taken directly from your account and is sent to the merchant. With CPA, you're essentially giving the merchant permission to charge your card periodically without you needing to provide them with the card number each time. Very similar for all practical purposes but quite different in how the transaction is processed. There are fewer safeguards for the account holder with CPA, which may be why it's not very common here.

    2. Re:not sure how they handle recurrent payments by swb · · Score: 2

      Call me a conspiracy nut, but I think that's why US card issuers don't change card numbers regularly -- they've been lobbied by their actual customers, merchants, to only change card numbers if absolutely necessary to stop ongoing fraud.

      Merchants love recurring charges. I'd wager for many businesses some non-trivial amount of their revenue comes from *unwanted* recurring charges that people just never canceled the service. Maybe they see the $9.95 and think "fuck, I have to cancel that" but don't and then forget about it until they see it again 3 months later.

      I think credit card issuers *should* change your card number every year. It would have a slightly PITA quality to it if you had a ton of automatic charges, but it would also mean the number would expire sooner rather than later and increase the chances that if the number were harvested somehow it wouldn't have a long life.

      I'm sure VISA/MC/AMEX have min-maxed this idea to death and figured out that it would cost THEM more than it would gain THEM, even if it did reduce the level of fraud, but issuing banks would have more support work, more mailing costs, and the merchants don't want it because they want to keep enjoying free revenue.

    3. Re:not sure how they handle recurrent payments by Anonymous Coward · · Score: 0

      Ah, yeah, most people have no idea how credit cards actually work.

      Key thing to know is that there are two separate steps, only one of which is necessary to get your money.

      1. Authorization: This step is where all the fancy modern security is concentrated. The goal in the Authorization step is to prove that the cardholder really wanted to make payment, to this merchant. Merchants really want this, because it allows them to possibly win in a dispute (without authorization the card holder will win any dispute) and because at this step they get a positive indication of ability to pay.

      2. Settlement. This step moves the money. There is no security here, it's basically on the honour system. The goal is only to identify the cardholder and merchant so that funds can be moved from the cardholder's bank to the merchant's bank. If Settlement is never attempted for an Authorization you aren't out one single penny, although it can be a bit annoying if you have a tight credit limit on a card, as authorizations may count towards the limit for a period of time even if they're never settled.

      This split means you absolutely MUST read all your credit card bills. Any items you don't recognise / remember, dispute them, because nobody else is watching your back, your bank will happily accept a settlement that has no authorization, they expect YOU to tell them if that's wrong. Fraud is very high, but they don't care because the cost of fixing all this would be higher, and they can pass the fraud costs on as fees.

      Anyway, with regard to this French thing, the Authorization will only happen once, and then all subsequent Settlements come through for the same card number (the card number doesn't change, just the CVV) so that's fine.

      In fact, even if the card number changes, it's not necessarily a problem. Let me tell you a real story, which is how I came to learn about Authorization and Settlement (I mean, it's also because I'm a nerd, but that goes without saying). One Monday I went grocery shopping, must have dropped my credit card on the way out of the store juggling all the bags. On Tuesday I realised the card wasn't back in my wallet. I called my bank, and went back to the store, they hadn't seen the card (and if they'd seen it of course they would have destroyed it). The bank asked me about my last transaction I said it was the grocery store, they had no matching transaction. I was worried about stiffing the store for their money, but the bank told me not to worry & cancelled the card, told me to expect a new one in a few days. On Thursday the grocery store successfully settled my grocery bill using the old card. I rang the bank. Oh said the bank - was that a fraudulent transaction? No, but I'm just worried that it got paid on the cancelled card. Oh that's fine says the bank, happens all the time. Don't worry about it.

    4. Re:not sure how they handle recurrent payments by Anonymous Coward · · Score: 0

      The trick that makes Direct Debit viable in Europe is a strongly enforced consumer right to undo Direct Debit transactions for basically any reason. Every paper form saying you want to set up a DD includes a tear-off-and-keep summary of those rights even. Suppose you just realised the electric company has billed you for the house next door's power not yours for six months, even though they run a god-damn halogen flood lit heated outdoor pool. You're out $2000 on bills you never ought to have got but were automatically paid by direct debit. You call up the bank, say "Undo these debits and cancel the authorisation" and they don't say "You need to talk to your electric company" or ask you for proof it's not right - they just unwind them and the electric company is stuck with the problem, which puts you in the driving seat.

      And yes I've really done that, though it was water not electricity, and I never paid them one shiny penny until they got their act together; in the end they wrote off 12 whole months of bills because they couldn't prove who owed what, and I wasn't paying without proof.

    5. Re:not sure how they handle recurrent payments by ShaunC · · Score: 2

      I think credit card issuers *should* change your card number every year. It would have a slightly PITA quality to it if you had a ton of automatic charges, but it would also mean the number would expire sooner rather than later and increase the chances that if the number were harvested somehow it wouldn't have a long life.

      FYI, VISA offers merchants a service called VISA Account Updater where if your credit card number changes, VISA will happily sell your new number to any merchant who had your old one. Just great, huh? It used to be if you were dealing with a hostile merchant who refused to stop billing you (think AOL for example), your "nuclear option" was to have your card number changed. Now even that won't work if you use a VISA card, because VISA themselves will sell you out.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    6. Re:not sure how they handle recurrent payments by swb · · Score: 1

      I guess I'll have to take my lumps and alternate between Visa and Amex.

    7. Re:not sure how they handle recurrent payments by Anonymous Coward · · Score: 0

      Recurrent payments with a credit card?

    8. Re:not sure how they handle recurrent payments by Gussington · · Score: 1

      Only if you don't know how recurring card payments work, which clearly you don't.

    9. Re:not sure how they handle recurrent payments by Registered+Coward+v2 · · Score: 1

      if the card is essentially useless... then recurrent payments will be a pain

      Not really. My recurring payments, except for a few trivial ones, are direct debits from my bank account rather than charged to a credit card. While credit card recurring payments are easy to set up, US banks can handle direct debit with no problem.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    10. Re:not sure how they handle recurrent payments by Actually,+I+do+RTFA · · Score: 1

      your "nuclear option" was to have your card number changed

      Or call VISA and tell them those charges are no longer authorized

      --
      Your ad here. Ask me how!
    11. Re:not sure how they handle recurrent payments by Khashishi · · Score: 1

      Why don't you enlighten us then?

    12. Re:not sure how they handle recurrent payments by Gussington · · Score: 1

      Why don't you enlighten us then?

      Card Not Present (CNP) transactions (i.e. online or over the phone) use the CVC/CVV to allow the merchant some level of validation that the card is a real card. But if you steal a card and use it before the owner cancels it, it is still a valid card as far as the merchant is concerned.
      Under this new system, the CVC/CVV changes every hour, and is not kept on the card, so if you steal a card and happen to know the CVC/CVV, then after 60 minutes it is useless to the thief.
      Where recurring payments are different is that the CVC/CVV is only used the first time in order to validate the card. So if I have an existing recurring payment where the CVC/CVV has already been checked, and then my card is stolen, the only fraudulent transactions will be within the first 60 minutes; after that the card is still usable, hence any recurring payments will be valid.
      The stolen card is only useless to the crook. To anyone with the number and a valid CVC/CVV it is still usable, so recurring payments will still work (since after the first payment, they only use card number and expiry, not the CVC/CVV).

  10. Credit card numbers by Anonymous Coward · · Score: 0

    I have nothing to say

  11. Controlled payment number by Anonymous Coward · · Score: 0

    Effectively been done before but wasn't popular "discontinued, citing lack of use by customers"
    https://en.wikipedia.org/wiki/Controlled_payment_number

  12. Breakage by Anonymous Coward · · Score: 0

    My cards seem to crack in half at the chip every few months, I'd hate to think how often this will break.

    Interesting idea though.

    1. Re: Breakage by Anonymous Coward · · Score: 0

      We don't care about your problems with crack.

    2. Re:Breakage by Oswald+McWeany · · Score: 1

      Stop using your credit card to break into locked rooms.

      --
      "That's the way to do it" - Punch
  13. Sure fire method by Anonymous Coward · · Score: 1

    I have a sure fire method, short of not having a credit card. I keep my card maxed out. Steal my number? Good luck charging anything with it.

    It's worked for years!

    1. Re:Sure fire method by slashrio · · Score: 1

      The amount of interest you must be paying every month is quite a high fee for that additional security.

      --
      "Trump!!", the new Godwin.
    2. Re:Sure fire method by PPH · · Score: 1

      I keep my card maxed out.

      Me too. I'm waiting for the central banks to implement negative interest rates. I'm gonna be rich!

      --
      Have gnu, will travel.
  14. Hmm, Amazon!! by Anonymous Coward · · Score: 0

    Amazon doesn't ask for that code on the back.

    1. Re: Hmm, Amazon!! by Anonymous Coward · · Score: 0

      They don't ask for any payment. Their products are free.

  15. Why Not Something Like RSA SecurID Software Token? by theodp · · Score: 1

    RSA SecurID Software Tokens: Make strong authentication a convenient part of doing business. Deploy RSA software tokens on mobile devices (smartphones, tablets, and PCs) and transform them into intelligent security tokens.

  16. 3 digits change every hour by BringsApples · · Score: 1

    3 digits only provide 1,000 different numbers. After 41 days, they'd be out of numbers. What am I missing?

    --
    Politics; n. : A religion whereby man is god.
    1. Re: 3 digits change every hour by Anonymous Coward · · Score: 1

      A clue, for one.

    2. Re:3 digits change every hour by Anonymous Coward · · Score: 1

      You need to know which of the 1000 numbers was applicable to the 1 hour slot you made the transaction.

      That the number was 876 on hour 1 of day one and hour 3 of day four doesn't matter, so long as the number visible in each hour is not predictable by the bad guys.

      This is similar to SecurID tokens used for two-factor authentication; they change more rapidly, but the same principle applies: you need to know the right number at the right time in order to be believed to have access to the token.

    3. Re:3 digits change every hour by SolemnLord · · Score: 1

      A one-hour window every 41 days isn't very practical for card thieves when there are much easier options available. Assuming that one-hour window isn't a predictable one (which is a big assumption depending on how it cycles the numbers), reusing the numbers shouldn't hurt.

    4. Re:3 digits change every hour by Anonymous Coward · · Score: 0

      The 3 digits change according to a formula shared between a card and the bank, like with a security token device. The numbers aren't used up. The trick is someone has to know what number a given card will generate at a given time. Without this knowledge, it's impossible to know which of 1000 validation codes is the correct one for a given online transaction.

    5. Re:3 digits change every hour by Anonymous Coward · · Score: 0

      After 41 days the numbers must repeat - but not necessarily in the same order.

    6. Re:3 digits change every hour by gr8dude · · Score: 1

      i.e. you have one hour to test 1000 variations of this number. By distributing the "test load" across a thousand online stores, each of those sites will "think" it is the first incorrect attempt to enter the digits, thus have no reason to flag it as suspicious.

      This can be easily automated, therefore it can be done on a large scale.

    7. Re:3 digits change every hour by Anonymous Coward · · Score: 0

      Seriously? Each site may think it's the first incorrect attempt, but the card processor sure won't.

    8. Re:3 digits change every hour by jittles · · Score: 1

      i.e. you have one hour to test 1000 variations of this number. By distributing the "test load" across a thousand online stores, each of those sites will "think" it is the first incorrect attempt to enter the digits, thus have no reason to flag it as suspicious.

      This can be easily automated, therefore it can be done on a large scale.

      Except that each of those one thousand online stores would have to hit the issuing bank to validate the CVV which will, obviously, see a very suspicious trend taking place.
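Added example (the editor's, not code from the article or from any commenter): gr8dude's distributed-guessing scenario and the two rebuttals above, in code. Each merchant only sees its own authorisation traffic, but every one of those thousand requests is forwarded to the same issuer for the CVV check, so a per-card failure counter there sees the whole run. The log format, the thresholds, and the use of an issuer-side card token in place of the card number are assumptions for the illustration; the constructed log below is not real traffic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    ts: int            # unix seconds
    merchant_id: str
    card_token: str    # issuer-side token for the card; never log the PAN itself
    cvv_ok: bool


def merchant_view(attempts, merchant_id: str) -> int:
    """What one merchant can see: CVV failures on its own traffic only."""
    return sum(1 for a in attempts
               if a.merchant_id == merchant_id and not a.cvv_ok)


def issuer_flags(attempts, window_s: int = 3600, max_failures: int = 5,
                 min_merchants: int = 3) -> dict:
    """Issuer-side view: every authorisation request for a card lands here,
    whichever merchant sent it. Slides a window over each card's CVV failures
    and flags the card when the failures in any window exceed `max_failures`
    and come from at least `min_merchants` distinct merchants, which separates
    a distributed guessing run from one merchant retrying a customer's typo."""
    fails_by_card = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        if not a.cvv_ok:
            fails_by_card[a.card_token].append(a)

    flagged = {}
    for token, fails in fails_by_card.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # drop failures that fell out of the window ending at fails[end]
            while fails[end].ts - fails[start].ts > window_s:
                start += 1
            window = fails[start:end + 1]
            merchants = {f.merchant_id for f in window}
            if len(window) > max_failures and len(merchants) >= min_merchants:
                if best is None or len(window) > best["failures"]:
                    best = {"failures": len(window), "merchants": len(merchants),
                            "first_ts": window[0].ts, "last_ts": window[-1].ts}
        if best:
            flagged[token] = best
    return flagged


def constructed_attempts(t0: int = 1_700_000_000):
    """Constructed authorisation log (not real data): 1000 guesses against one
    card, one per merchant, spread over 50 minutes (guess 617 happens to be
    right), plus a legitimate customer who mistypes the code twice at one shop."""
    log = [AuthAttempt(t0 + 3 * i, f"m{i:04d}", "tok_victim", cvv_ok=(i == 617))
           for i in range(1000)]
    log += [AuthAttempt(t0 + 100, "shop_honest", "tok_honest", False),
            AuthAttempt(t0 + 140, "shop_honest", "tok_honest", False),
            AuthAttempt(t0 + 190, "shop_honest", "tok_honest", True)]
    return log


if __name__ == "__main__":
    log = constructed_attempts()
    print("failures merchant m0042 sees:", merchant_view(log, "m0042"))
    for token, info in issuer_flags(log).items():
        print(f"issuer flags {token}: {info['failures']} CVV failures "
              f"from {info['merchants']} merchants in "
              f"{info['last_ts'] - info['first_ts']} s")
```

Merchant m0042 sees a single failed attempt and has nothing to act on; the issuer sees 999 failures from 999 merchants inside one hour on the same card and can decline further attempts or block the card, while the honest customer's two typos at one shop stay below both thresholds.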

  17. Must be for online use by volts · · Score: 3, Interesting

    This doesn't make much sense for retail, as the CCV isn't used or recorded; the user enters a PIN at the point of sale. But, the CCV could be recorded and fraudulently reused by any online retailer or man-in-the-middle. Randomly changing CCV's would limit the damage.

    1. Re:Must be for online use by jittles · · Score: 1

      This doesn't make much sense for retail, as the CCV isn't used or recorded; the user enters a PIN at the point of sale. But, the CCV could be recorded and fraudulently reused by any online retailer or man-in-the-middle. Randomly changing CCV's would limit the damage.

      The CVV is recorded and used in an EMV transaction. In fact, the CVV for each EMV transaction is unique for the transaction parameters - amount, time of transaction, etc. They're just using the same sort of algorithm to generate a CVV that is unique for each Card Not Present transaction the customer wishes to complete.

    2. Re:Must be for online use by gustygolf · · Score: 1

      For online use, there's a bigger flaw:

      Many merchants only charge when they are ready to send the goods. If your order takes, say, a few days to fulfil, you'll get a denied transaction because the CVV has changed.

      I suppose in these cases the merchant typically asks for valid credit card information again though, so it's not really more than a bit of a pain.

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
  18. Re:Why Not Something Like RSA SecurID Software Tok by Anonymous Coward · · Score: 0

    Isn't this essentially what this is doing, just embedding that in a credit card.

  19. Good idea by gweihir · · Score: 1

    Now, next step is to do what a full authentication token does (like SecurID): 6 digits and they change every minute. At that point, offline fraud will basically vanish. Online fraud (man-in-the-middle manipulates your purchases) will still be an issue though. For that more sophisticated tokens will be required. They are available and work well, but the banks shy away from the around $20 they cost.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Good idea by ShaunC · · Score: 1

      Rotating every minute is probably too fast for this purpose. Consider your average consumer poking around online, it might take them more than a minute just to type in their card information, then they see that "Continue Shopping" button and realize they want to add something else to their cart. Next thing you know, 10 or 15 minutes have elapsed between the time they entered their card info and the time they click "Checkout." The card issuers are loath to introduce any frustration into the purchase process. An hour window seems like a good compromise.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  20. Re:Why Not Something Like RSA SecurID Software Tok by theodp · · Score: 1

    Software token would eliminate the need for special card, but would probably be clunkier. Wonder if Apple Pay will eventually incorporate something like this, which seems like it could eliminate need for a card entirely - online or offline.

  21. Re:Why Not Something Like RSA SecurID Software Tok by swb · · Score: 1

    Why not just make the fucking card an RSA token?

    They could have done a million things to improve credit card security, but fraud is down their list of things to worry about. The credit card system (VISA/MC/AMEX, banks, etc) is designed to promote easy transactions, not security.

    VISA just gets paid, they don't have any real liability. Issuing banks eat some fraud but they charge a lot of it back to merchants and make them carry the burden. And consumers eat some of it, though most of the time they can dispute credit charges with all the usual disclaimers about if they notice it, etc.

    Fraud is only a problem to the credit card system when it represents an existential risk to the system. Other than that, as long as somebody else pays, there's a tolerable limit they just don't care about.

    More security means, ultimately, fewer charges, and when you're getting paid a percentage of the charges, including fraudulent ones, you benefit most by reducing the transaction friction.

  22. Returns? by HockeyPuck · · Score: 1

    How do returns work whereby the merchant wants to see the original CC number?

    1. Re:Returns? by ShooterNeo · · Score: 1

      Well, first of all, those returns are generally done via person, which means you'd use the chip feature of the card.

      Second, obviously the credit card issuer would authorize canceling a transaction or a credit but not a debit without the CV2 number. You didn't read the article, in actuality the credit card still has a number, it's the authentication code on the back that changes.

    2. Re:Returns? by HockeyPuck · · Score: 1

      If the credit card changes every hour, how do you recall the previous X number of numbers?

    3. Re:Returns? by ShooterNeo · · Score: 1

      It doesn't change. Only the code at the back. RTFA.

    4. Re:Returns? by Registered+Coward+v2 · · Score: 1

      If the credit card changes every hour, how do you recall the previous X number of numbers..

      The CCV changes, not the CC number; but even if the CC number changes the issuer knows what your past numbers were and simply credits your account accordingly. I've had that happen when a card was reissued and I returned something purchased with a previously issued card. And before folks start talking about the large amounts of numbers they'd need to keep track of if they changed the card number, all they really need to do is check if a given number was valid at a given time; they could randomly reuse the number since it is only valid for an hour. There is no need for the number to be unique, only different from the previous hour and not follow a predictable pattern. That way, even if someone knew XYZ was a valid number for an account they wouldn't know when it was valid, making it useless; and if they kept trying in hopes of catching it when it was valid the issuer would easily detect the attempted fraud and simply cancel the card.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  23. The math does not support this operation by Anonymous Coward · · Score: 0

    In order to provide a new number every hour for 3 years you'll need at least 5 digits to change given that there are 26280 hours in 3 years. Using only 3 digits buys you 41 days.

    1. Re:The math does not support this operation by Anonymous Coward · · Score: 0

      New does not mean unique.

  24. Reoccurring payments. by Anonymous Coward · · Score: 0

    Well, that would hose putting something like Netflix on one of these cards. And try returning a defective product.

    1. Re:Reoccurring payments. by Anonymous Coward · · Score: 0

      You can't pay Netflix with a credit card. Like most subscription services, they only accept direct debit.

  25. Re:Why Not Something Like RSA SecurID Software Tok by jittles · · Score: 1

    Software token would eliminate the need for special card, but would probably be clunkier. Wonder if Apple Pay will eventually incorporate something like this, which seems like it could eliminate need for a card entirely - online or offline.

    ApplePay already uses a token. You put in your card number and, when it generates a payload to send up to the processor, it generates a token. If you use NFC ApplePay, it also uses a token but it doesn't generate it per transaction, only per device.

  26. Preorders are gonna be rough. by dlingman · · Score: 1

    One of the nice things about preordering items, say from Amazon, is that you don't actually have your card charged until the time the item is ready to ship. So much for that under this system.

    1. Re:Preorders are gonna be rough. by iTrawl · · Score: 1

      When it comes to online transactions (i.e. the POS terminal talks to the bank there and then) I think that's not how it works. When you pre-order they authorise your card and keep a hold of it - they may reserve one unit of currency. Once they're ready to fulfil your order they execute the authority they obtained when you pre-ordered. If they decide to cancel then they relinquish the authority and that's the end of that.

      For offline transactions (e.g. filling forms with your card details, imprint machines)... the idea is to stop having them. Charities in the UK would have to change their mail-in forms and send people to the Internet, but I have no problem with that. Cheques are gone and so should this be.

      --
      "Everybody's naked underneath" -- The Doctor
  27. my yubikey by KingBenny · · Score: 1

    changes every time, not every hour, despite that I still can't use it to lock / unlock packed files, login to Windows or Linux or
    well, since MtGox I haven't actually used one, they cracked that problem pretty fast ... go bust and run off with the money
    point being: my Yubikey changes every time and is said to be, as far as I know, quite hard to hack in the middle, then again I have been living under a rock for years now so I don't know if that actually still applies

    --
    Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
  28. How about single-use credit card numbers? by Tony+Isaac · · Score: 1

  29. The card number does not change by Anonymous Coward · · Score: 0

    It's not the card number that is changing, it is the CVV2 value on the back.

    The CVV2 is not readable by the magstripe (only the CVV is on the stripe, not the CVV2) so this value could not be obtained through a card skimmer, only by either getting physical sight of the card or by maybe compromising an online merchant at the time of transaction (CVV2 is not permitted to be stored after the authorisation). It is also different to the code used during EMV.

    The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless,

    But there are 8760 hours per year, so 26,280 combinations needed for 3 years. Good luck doing that in 3 digits without repeating any. Also needs to cope with delayed requests, so a new code would have to be valid immediately but not invalidate the previous code right away. What about batch authorisations which are done overnight?

    How long till someone cracks the chip on the card and reverse engineers the algorithm so as to be able to predict the codes...

  30. RSA reborn? by Anonymous Coward · · Score: 0

    This reminds me of RSA tokens. Yeah it's secure. Until someone leaks or can copy the algorithm (or just gets a CC and reverse engineers it) then you have 'fake security' and a bunch of Visa Note 7's that explode in people's pockets or something similar. If the algorithm could be changed by each bank during each .. presumably 3 year issuing period it might make them a little more viable in the long term.

    1. Re:RSA reborn? by ebvwfbw · · Score: 1

      Not how RSA works. You can have the algorithm. You'll need the salt, certificate and time.
      I think that's how it will all go eventually. Everything will be based on a certificate.

  31. Re:Why Not Something Like RSA SecurID Software Tok by Registered+Coward+v2 · · Score: 1

    More security means, ultimately, fewer charges, and when you're getting paid a percentage of the charges, including fraudulent ones, you benefit most by reducing the transaction friction.

    Exactly. As long as the cost of fraud is low enough that the cost to eliminate it exceeds its costs there is no incentive to completely eliminate it. If there is a low cost way to reduce it that doesn't make using the card too difficult then it will be implemented, but as you point out CCs are a volume business and that shapes how they are implemented.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  32. Yubikey by Anonymous Coward · · Score: 0

    Sounds like what Yubikey should have been.*

    *Yes, it does more than 2FA.

  33. Yup, basically that by DrYak · · Score: 1

    Yup, this is basically some sort of "Yubikey for credit cards".

    Some Swiss Banks have also experimented with "Yubikey for PKI cards",
    i.e.: the card itself has some minimal hardware (LCD screen and keypad) so you can use it to sign transactions (like e-banking)
    - without plugging it into a PKI-card reader
    - without needing a smartphone with a compatible NFC wireless reader.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  34. EMV Payment Tokenisation Specification by Anonymous Coward · · Score: 0

    Regarding this number changing method, how are the new numbers generated? How does the bank know that the numbers are valid?

    I presume it works just like a SecurID or other access control dongle. Your card is seeded with a value known to the bank. The card plugs that seed and the current time into an algorithm that generates the number. When you go to make a purchase, the bank runs the same calculation and looks to see if the numbers match.

    Actually it probably works on the EMV Payment Tokenisation Specification, which generates CC numbers as-needed and links them to the account behind the scenes:

    * http://www.emvco.com/specifications.aspx?id=263

    That specification is what Apple Pay uses.
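Added example (the editor's, not code from the article, the banks, or any commenter): comments 16.4, 19 and 34 above describe the card as a SecurID-style token that derives the three digits from a seed shared with the bank plus the current hour, and comments 29 and 35 ask what happens when the code rolls over while an authorisation is in flight. The Python below models the generator as an HMAC over the hour counter, adds the issuer-side check with a one-hour grace window, and, for contrast, a transaction-bound cryptogram of the kind comment 17.1 attributes to EMV, which a man-in-the-middle cannot reuse after changing the amount (the gap comment 19 says an hourly code alone leaves open). The seed, the HMAC-SHA256 construction, the truncation and the field layout are assumptions for the illustration; the real card's algorithm is not public.

```python
import hashlib
import hmac
import struct

HOUR = 3600

# Constructed per-card seed: in a real deployment this would be provisioned
# into the card's chip and held by the issuer. Not a real key.
CARD_SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def hourly_cvv(seed: bytes, unix_time: int) -> str:
    """Time-based 3-digit code as the comments describe it: HMAC(seed, hour
    counter), truncated as in RFC 4226, reduced mod 1000. Hypothetical
    construction; the real card's algorithm is not public."""
    counter = unix_time // HOUR
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    dbc = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{dbc % 1000:03d}"


def verify_hourly_cvv(seed: bytes, presented: str, unix_time: int,
                      grace_hours: int = 1) -> bool:
    """Issuer-side check. Accepts the code for the current hour and for the
    previous `grace_hours` hours, so a code typed just before the display
    rolled over (or a slightly delayed authorisation) still passes."""
    for back in range(grace_hours + 1):
        expected = hourly_cvv(seed, unix_time - back * HOUR)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def transaction_cryptogram(seed: bytes, amount_cents: int, merchant_id: str,
                           card_counter: int) -> str:
    """Transaction-bound code in the spirit of an EMV cryptogram: a MAC over
    the amount, the merchant and a per-card transaction counter. Changing any
    of those fields, or replaying with an old counter, fails verification."""
    msg = struct.pack(">QQ", amount_cents, card_counter) + merchant_id.encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:16]


def verify_transaction_cryptogram(seed: bytes, presented: str, amount_cents: int,
                                  merchant_id: str, card_counter: int) -> bool:
    expected = transaction_cryptogram(seed, amount_cents, merchant_id, card_counter)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    t0 = (1_500_000_000 // HOUR) * HOUR          # constructed timestamp, on the hour
    code_now = hourly_cvv(CARD_SEED, t0 + 1799)  # what the display shows mid-hour
    print("code this hour:", code_now)
    print("accepted 30 min later:", verify_hourly_cvv(CARD_SEED, code_now, t0 + 3599))
    print("accepted 1 h later (grace):", verify_hourly_cvv(CARD_SEED, code_now, t0 + HOUR + 10))
    print("accepted 3 h later (stale):", verify_hourly_cvv(CARD_SEED, code_now, t0 + 3 * HOUR))

    crypt = transaction_cryptogram(CARD_SEED, 4999, "shop-A", card_counter=17)
    print("genuine amount:", verify_transaction_cryptogram(CARD_SEED, crypt, 4999, "shop-A", 17))
    print("MITM raised amount:", verify_transaction_cryptogram(CARD_SEED, crypt, 49990, "shop-A", 17))
    print("replayed, stale counter:", verify_transaction_cryptogram(CARD_SEED, crypt, 4999, "shop-A", 18))
```

The grace window is the trade-off comment 29 points at: with it, a code copied from the card stays usable for up to two hours instead of one, and a blind guess has 2 chances in 1000 per attempt instead of 1, so the issuer still needs the per-card failure counting discussed above. The hourly code only proves the card was in view at that hour; it says nothing about what is being bought, which is why the transaction-bound cryptogram rejects the altered amount while the hourly code would have passed it.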

  35. Could stop legit user, too by coinreturn · · Score: 1

    What if the number changes right after you entered it for an online transaction? Denied!

    1. Re:Could stop legit user, too by Khashishi · · Score: 1

      Then you just try again. No big deal.

  36. They can do one better by iTrawl · · Score: 1

    I would like to suggest that the CVV2 be removed from the card entirely and moved to a smartphone app. Something akin to Google Authenticator: scan a QR code in your online banking site to initialise the app, then get CVV2 codes on demand.

    Now... there are 1000 combinations for CVV2. Generating one per hour, with zero overlap during a cycle, gives you about 41.6 days before codes are reused. In three years the codes would have been recycled 26 times, and be 1/3 into the 27th cycle. I hope the order of each cycle will be different from all the others.

    --
    "Everybody's naked underneath" -- The Doctor
  37. So, your country will take refugees & illegals by Anonymous Coward · · Score: 0

    So, your country will take refugees & illegals?

    I'm sick and tired of people mouthing off about how bad the US is while relying on our military protection and encouraging us to let in all those millions of illegals and keep them.

    If it is so bad here, and so wonderful there, why aren't the illegals pouring into those countries?

  38. Re:So, your country will take refugees & illeg by Anonymous Coward · · Score: 0

    I am so sick and tired of a country waging war, causing havoc and sponsoring and training terrorists around the globe and then not taking up any of the refugees, but claiming to 'protect' the countries that do take up the victims.

    It's bad enough that the US itself has become such a shithole, but I am really pissed off about all the shit they pull off in the rest of the world and even more so about the fact that they are burdening other countries with the consequences.

  39. Necessity vs. luxury by tepples · · Score: 1

    You mean like how I have to pay for the privilege of running water and electricity?

    A utility can be either a necessity or a luxury, and this changes from year to year and from market to market. You can tell that a utility is a necessity in any of several ways. For example, a utility is a necessity if the state subsidizes its provision, whether at the federal or several-states level. It's also a necessity if the state requires individuals to purchase the utility, such as city sit/lie laws or the individual mandate in the Affordable Care Act, or enacts a building code placing an unfunded mandate on a home builder or landlord to make the utility available.

    In U.S. culture, as far as I can tell, running water and electricity are necessities, and SMS and cellular Internet are luxuries. Even home Internet is a luxury, compared to public library Internet which is a necessity.

    Your cave might not have these things, but I assure you the rest of us are happy to pay for such luxuries...

    Some people feel the need to borrow money "to pay for such luxuries." Others disagree, such as followers of Dave Ramsey's method, recommending that people cancel all luxury utilities rather than borrowing any money.

    1. Re:Necessity vs. luxury by Gussington · · Score: 1

      For example, a utility is a necessity if the state subsidizes its provision, whether at the federal or several-states level...

      Wibble wibble... You choose to have water, electricity, heating, a garage, a car, a TV, a bank account, and most people choose to have a cell phone because they think the benefit is worth the cost. The argument that banks shouldn't offer more convenient services via a mobile channel because the government hasn't deemed mobile networks a critical public service is a bit moronic.
      You can live in your cave, but some of us enjoy the benefits of new technology.

    2. Re:Necessity vs. luxury by tepples · · Score: 1

      You choose to have water, electricity, heating, a garage, a car, a TV, a bank account

      For the first three, the state has made the choice for me: it will take the owner of the property into custody if the owner does not provide them for residents. I can provide code citations if you wish. As for some of the others: I don't own a car, instead using a bicycle or the city bus. And I don't pay for TV, though my roommate does because she's addicted to audiovisually presented 24-hour political news and opinion.

      The argument that banks shouldn't offer more convenient services via a mobile channel because the government hasn't deemed mobile networks a critical public service is a bit moronic.

      That's not quite the argument I had in mind. Forgive me for moving the goalposts if this isn't exactly the claim, but I was under the impression that the argument was as follows:

      Banks shouldn't suddenly take away services that they had previously provided if an account holder doesn't subscribe to an otherwise unrelated luxury service provided by a third party. For example, if a bank had recently offered check depositing at its ATMs, the bank shouldn't suddenly discontinue ATM depositing in favor of requiring all account holders to purchase a smartphone with a rear-facing camera and an Apple or Google OS and subscribe to cellular Internet on this phone in order to continue to make after-hours deposits. Likewise, if a bank had recently offered limited-use numbers for card-not-present purchases to PC-using shoppers through the web, it shouldn't suddenly discontinue the service in favor of requiring use of both a PC with web access and a smartphone with an Apple or Google OS and SMS service to obtain pieces of the limited-use number.

    3. Re:Necessity vs. luxury by Gussington · · Score: 1

      As for some of the others: I don't own a car, instead using a bicycle or the city bus. And I don't pay for TV, though my roommate does because she's addicted to audiovisually presented 24-hour political news and opinion.

      And that's your choice. As it is for most others who choose to own a TV because they believe the cost/benefit is worth it.

      Banks shouldn't suddenly take away services that they had previously provided...

      Of course they can. I know it's cool to hate banks, but financial services are a business. And if they want to be leading edge and only offer services that are current technology then why is that a problem? If you want to start a bank that only offers 1980's technology then do that and see how it works out.
      Just like I no longer need a horse and cart, I no longer need a checking account. That is my choice and I choose to use banking service that align with my needs.