Slashdot Mirror


French Banks Offer Credit Card Numbers That Change Every Hour (thememo.com)

Slashdot reader schwit1 quotes The Memo: What if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date? That's exactly what two French banks are starting to do with their new high-tech ebank cards... The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals... As most fraud happens a few hours or days after your card details are actually taken, this would leave criminals essentially with a bunch of useless numbers.
It's just like credit cards you have now -- other than the tiny digital screen that's embedded into the back of the card.


  1. Magnetic strip? by Anonymous Coward · · Score: 4, Interesting

    Do French credit cards still support magnetic strip transactions? Is that invalidated? Every time my card's details have been stolen it's because I used it while travelling in the US (I live in Canada; I travel to the US once, sometimes twice a year; I've had a card stolen three times in the last three years), and someone has tried to withdraw money from an ATM using a strip transaction. These transactions never involve the three numbers on the back.

    Will this break regularly scheduled withdrawals for automated billing?

    1. Re:Magnetic strip? by Dahamma · · Score: 4, Interesting

      The US now uses chip cards as well (though there are some retailers still using swipe, which is now officially the retailer's responsibility to pay for fraud in that case) - this has NOTHING TO DO WITH THAT.

      It's not really related to online purchases, but since you don't seem to know much about this... chip and pin vs chip and signature comes down to one thing: a 2nd factor authentication. For IN PERSON retail transactions, the "chip" basically means a CC# (which is all the mag stripe really provided) is no longer enough, now the CC# is only accepted from a valid card passing a cryptographic check. That's the first factor: "something you have".

      But if your card is stolen, it comes down to the 2nd factor. For chip and pin, that 2nd factor is "something you know". For chip and signature, it's really closer to "something you are" (biometric). Problem is, the "biometric" signature is pretty easily fooled, and the current verification (in theory could be a computer, but in reality is some totally untrained clerk/waiter/etc who has no clue how to validate it) is absurd.

      In summary, the chip and pin solution is designed to make it genuinely harder to use a stolen CC, and the chip and signature is designed to make it harder to counterfeit a CC - while making sure it's NOT harder to use it. Basically, the US solution is designed to make sure the banks are covered and the consumers won't stop using credit cards - while not providing any added benefit to CONSUMERS who had their card stolen.

      That gets us to online purchases. First, fairly obviously, both chip and pin and chip and signature fail here. CVV was a minor attempt to fix this, but (1) it does nothing to prevent physical credit card theft since it's PRINTED ON THE CARD (useless 2 factor) and (2) it's not actually required by many credit card processing services so there's always a way to get around it.

      You'd think given the size of this industry the various actors involved (VISA, MC, banks, retailers, etc) would be smart enough to know all of this and find a good solution? Well, yes, of course they are, and have put much more thought into it than my simplistic summary. But the key point is they don't WANT to fix it, since it turns out they realized any current fixes that would mostly solve the problem would also inconvenience customers and retailers/POS just enough that it might bring revenue gains below fraud losses. Plus, fraud is tax deductible. And, customers and retailers aren't always well informed, so hey, some of the time they just get screwed and lose without even reporting the fraud. All good for the banks and CC companies!

    2. Re:Magnetic strip? by arth1 · · Score: 4, Interesting

      You do know that bank transfers are not a Europe-specific thing :)

      I just bought something and the payment was divided in 3 equal payments... on multiple occasions, I don't personally want to give my bank information each time I make such a purchase. It creates a more serious problem, as if you give your bank information to each merchant for that kind of transaction then you have in effect recreated the same problem with your bank account.

      The big difference is that bank transfers in Europe are payer initiated, while in the US, they are payee initiated.
      In Europe, there are generally no problems giving out your bank account details, because all you can do with that information is to send payments to the account.

    3. Re:Magnetic strip? by arth1 · · Score: 3, Interesting

      Have you heard of Jeremy Clarkson? A few years ago, he said this on TV. Then to prove his confidence, he gave his account number and sort code.

      Someone then caused his bank to pay a sum to charity to prove the point. It is not as secure as you think.

      That's the British branch-based banking system (you can tell from it having a "sort code"), which is different - neither fish nor fowl. The British Postal Giro works like a real giro at the hub, but the endpoints are individual bank branches, which may be payee initiated.

      In the parts of Europe hooked up to a common giro system (since the 60s if I remember correctly), companies and individuals publish their bank accounts - it's how people pay them, through direct deposits - credit, not debit.

      One of my bank account numbers has been published with shareware since the late 80s, with no problems. (I'm not repeating it here, not because I don't want it published, but because a quick google would then point people at the code of my youth. Shame is the deterrent, not fear.)

  2. privacy.com does better by junk · · Score: 5, Interesting

    I have no affiliation to privacy.com other than being a user.

    I've been using privacy.com to generate randomized credit card numbers for a while now. It's the same type of thing we had in the 90s with certain credit card companies but better. I have static cards with monthly limits for recurring charges, static cards with max per transaction limits for online merchants I frequent and one time use burner cards for just about everything else. I can see all declined transactions per card, which lets me track it down to a merchant. It's the same thing I do for email (per account email addresses for spam tracking) but better because I don't have to manage it myself.

  3. Virtual cards? by daedric · · Score: 3, Interesting

    A system was developed some time ago to generate a virtual card, tied to your debit/credit with a short(er) limit and validity. Also, it is limited to one entity, the first one that actually used the card. It has worked perfectly so far, although certain companies start to get suspicious about the constant adding/removing of cards, like PayPal. Regarding this number changing method, how are the new numbers generated? How does the bank know that numbers are valid?

  4. Must be for online use by volts · · Score: 3, Interesting

    This doesn't make much sense for retail, as the CCV isn't used or recorded; the user enters a PIN at the point of sale. But, the CCV could be recorded and fraudulently reused by any online retailer or man-in-the-middle. Randomly changing CCV's would limit the damage.
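
Added example (not from the thread, the article or the banks): the thread asks how an hourly code could be generated and checked, and the page does not say, so this sketch assumes a TOTP-style design in which the card and the issuer share a per-card secret and derive the three digits from the current hour with an HMAC. The key, the timestamp, the drift window and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 3600   # from the summary: the digits change every hour
DIGITS = 3            # from the summary: three digits on the back
CARD_KEY = bytes(range(32))   # constructed per-card secret, not a real key
T0 = (1_700_000_000 // STEP_SECONDS) * STEP_SECONDS   # constructed hour boundary


def dynamic_cvv(card_key: bytes, unix_time: int) -> str:
    """Derive the code for the hour containing unix_time (HOTP-style truncation)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def issuer_accepts(card_key: bytes, presented: str, unix_time: int,
                   drift_steps: int = 1) -> bool:
    """Issuer side: accept this hour's code, plus neighbours to absorb card clock drift."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = dynamic_cvv(card_key, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), presented.encode()):
            return True
    return False


def replay_hits(card_key: bytes, captured: str, captured_at: int, hours: int) -> int:
    """Count later hours (outside the drift window) where a captured code still passes."""
    return sum(
        issuer_accepts(card_key, captured, captured_at + h * STEP_SECONDS)
        for h in range(2, hours + 2)
    )


if __name__ == "__main__":
    code = dynamic_cvv(CARD_KEY, T0)
    print("code this hour:", code)
    print("accepted one hour later (drift window):",
          issuer_accepts(CARD_KEY, code, T0 + STEP_SECONDS))
    print("chance acceptances over 2000 later hours:",
          replay_hits(CARD_KEY, code, T0, 2000))
```

With only 1,000 possible values, a recorded code still matches a later hour occasionally by pure chance, so under this assumed design the issuer would also need to limit failed attempts per card.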