Slashdot Mirror


French Banks Offer Credit Card Numbers That Change Every Hour (thememo.com)

Slashdot reader schwit1 quotes The Memo: What if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date? That's exactly what two French banks are starting to do with their new high-tech ebank cards... The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals... As most fraud happens a few hours or days after your card details are actually taken, this would leave criminals essentially with a bunch of useless numbers.
It's just like credit cards you have now -- other than the tiny digital screen that's embedded into the back of the card.


  1. Magnetic strip? by Anonymous Coward · · Score: 4, Interesting

    Do French credit cards still support magnetic strip transactions? Is that invalidated? Every time my card's details have been stolen it's because I used it while travelling in the US (I live in Canada; I travel to the US once, sometimes twice a year; I've had a card stolen three times in the last three years), and someone has tried to withdraw money from an ATM using a strip transaction. These transactions never involve the three numbers on the back.

    Will this break regularly scheduled withdrawals for automated billing?

    1. Re:Magnetic strip? by Tx · · Score: 3, Informative

      Note that it's a French bank. In Europe (at least the UK where I live and the other parts of Europe that I've travelled to), we use chip cards, which means that that is already a solved problem here; cloning the magnetic strip doesn't get you the PIN number, and you can't do anything without that. So you don't need any fancy changing card number to solve that problem, you north-Americans just need to get with the program. As long as you can make transactions with just something as easily cloneable as the magnetic strip, you're going to have that problem.

      --
      Oh no... it's the future.
    2. Re:Magnetic strip? by Anonymous Coward · · Score: 5, Informative

      the changing numbers solve a different problem

      using them online when no chip and pin transaction is possible

    3. Re:Magnetic strip? by gweihir · · Score: 4, Informative

      Will this break regularly scheduled withdrawals for automated billing?

      No. First, in Europe, these are _not_ done via credit-card, but via interbank-transfer. Not everybody is stuck in the banking dark-ages like the US. Second, for credit-card based schemes, you authenticate once and then the bank knows these are legit and it works without further authentication.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Magnetic strip? by Dahamma · · Score: 4, Interesting

      The US now uses chip cards as well (though there are some retailers still using swipe, which is now officially retailer's responsibility to pay for fraud in that case) - this has NOTHING TO DO WITH THAT.

      It's not really related to online purchases, but since you don't seem to know much about this... chip and pin vs chip and signature comes down to one thing: a 2nd factor authentication. For IN PERSON retail transactions, the "chip" basically means a CC# (which is all the mag stripe really provided) is no longer enough, now the CC# is only accepted from a valid card passing a cryptographic check. That's the first factor: "something you have".

      But if your card is stolen, it comes down to the 2nd factor. For chip and pin, that 2nd factor is "something you know". For chip and signature, it's really closer to "something you are" (biometric). Problem is, the "biometric" signature is pretty easily fooled, and the current verification (in theory could be a computer, but in reality is some totally untrained clerk/waiter/etc who has no clue how to validate it) is absurd.

      In summary, the chip and pin solution is designed to make it genuinely harder to use a stolen CC, and the chip and signature is designed to make it harder to counterfeit a CC - while making sure it's NOT harder to use it. Basically, the US solution is designed to make sure the banks are covered and the consumers won't stop using credit cards - while not providing any added benefit to CONSUMERS who had their card stolen.

      That gets us to online purchases. First, fairly obviously, both chip and pin and chip and signature fail here. CVV was a minor attempt to fix this, but (1) it does nothing to prevent physical credit card theft since it's PRINTED ON THE CARD (useless 2 factor) and (2) it's not actually required by many credit card processing services so there's always a way to get around it.

      You'd think given the size of this industry the various actors involved (VISA, MC, banks, retailers, etc) would be smart enough to know all of this and find a good solution? Well, yes, of course they are, and have put much more thought into it than my simplistic summary. But the key point is they don't WANT to fix it, since it turns out they realized any current fixes that would mostly solve the problem would also inconvenience customers and retailers/POS just enough that it might bring revenue gains below fraud losses. Plus, fraud is tax deductible. And, customers and retailers aren't always well informed, so hey, some of the time they just get screwed and lose without even reporting the fraud. All good for the banks and CC companies!

    5. Re:Magnetic strip? by GuB-42 · · Score: 4, Informative

      What's up with this "freedom" propaganda in the US?
      In most of the freedom indices, the US is unremarkable compared to other western countries. It is not bad, but among these countries, only the US seem to brag about it so much. I suppose it is some kind of political strategy to justify anything.

    6. Re:Magnetic strip? by arth1 · · Score: 4, Interesting

      You do know that bank transfers are not a Europe-specific thing :)

      I just bought something and the payment was divided in 3 equal payments... on multiple occasions, I don't personally want to give my bank information each time I make such a purchase. It creates a more serious problem, as if you give your bank information to each merchant for that kind of transaction then you have in effect recreated the same problem with your bank account.

      The big difference is that bank transfers in Europe are payer initiated, while in the US, they are payee initiated.
      In Europe, there are generally no problems giving out your bank account details, because all you can do with that information is to send payments to the account.

    7. Re:Magnetic strip? by gweihir · · Score: 3, Insightful

      It is a "big lie" to keep the population docile: Tell them things are much, much better in the US than the rest of the world (which is not true by any halfway sane metric) and they will shut up in fear. Seems to be working well.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re: Magnetic strip? by orlanz · · Score: 2

      Yes, in the US we can have multiple accounts under the same customer. Savings, and Checking are the primary. The latter can be exposed with limited funds at risk to third parties and the former can actually hold your monies that aren't invested somewhere. You can choose to have both or just one. And your written checks (most government services or equivalent do not accept C/DC without fees) come out of checking.

      I don't understand why this is considered the "dark ages".

    9. Re:Magnetic strip? by arth1 · · Score: 2

      Well, theoretically, you can withdraw money with that but the account owner can just contest this and then you have to prove you were entitled to that withdrawal and have to pay a rather large fine if you cannot.

      Only in a payee initiated system is that possible. In a payer initiated system, only the account holder can initiate a transfer. There's no being "entitled to" withdraw. If your name isn't on the account, you're not entitled.
      Transfers are usually immediate and not reversible. If you misspell the recipient account number (including control digit), you have to appeal to the recipient to transfer the money back to you, or appeal to the courts to make that happen. There's no reversing charges, because you were never charged - you transferred.

      Caveat: It's been a couple of decades since I worked for a European bank, but I believe that in general, this is still true. (The UK banking system excluded, as it does things its own archaic way as always, with accounts held by branches, and back office transfers having to occur before the customer transaction.)

    10. Re:Magnetic strip? by Carewolf · · Score: 2

      Transfers are usually immediate and not reversible. If you misspell the recipient account number (including control digit), you have to appeal to the recipient to transfer the money back to you, or appeal to the courts to make that happen.

      That is not true, they are always reversible. If you report the error to your bank within 24 hours, it is trivially reversible, after that you may need to document it was an error or theft or whatever.

    11. Re: Magnetic strip? by Gussington · · Score: 2

      Yes, in the US we can have multiple accounts under the same customer. Savings, and Checking are the primary. The latter can be exposed with limited funds at risk to third parties and the former can actually hold your monies that aren't invested somewhere. You can choose to have both or just one. And your written checks (most government services or equivalent do not accept C/DC without fees) come out of checking.

      I don't understand why this is considered the "dark ages".

      Ok where I live, we just have electronic accounts and 99% of transactions (the other 1% are drugs/prostitute related) are electronic with appropriate digital technology as safeguards. The whole idea of a paper check is so dark ages it's laughable. It's the equivalent of a fax, or a telegram.
      Do you also use a fax machine instead of email?

    12. Re:Magnetic strip? by AmiMoJo · · Score: 4, Insightful

      The UK has largely moved away from the branch model now. The UK also allows some limited payee initiated transfers, in the form of Direct Debits. They are good for paying bills and the like, you agree to let the payee set the amount every time (to cover things like phone bills that can vary) and you have the right to cancel or reverse any payment without question.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Magnetic strip? by flabman · · Score: 2

      Chip and PIN transactions are definitely possible online. My bank issued me with a small hand-held card reader. In order to validate an online transaction I insert my card into it, type the PIN, followed by one or more challenges (such as the amount and possibly the account number of the payee). The card reader then gives me a number to key into the website as proof that I have the card and know the PIN. This is fully integrated into online payment handlers' systems such as Ogone, Sofort and others.

    14. Re:Magnetic strip? by Shinobi · · Score: 2

      Chip and Pin works online too, if the banks and vendors use proper systems. Let's just say Steam, Blizzard and other US vendors don't support it...

      I'm in Sweden, and my bank has issued a small, hand-held device with various features, either login for the bank, signing payment order, or payment order. I make an order at a site and initiate the checkout procedure. Vendor site or my bank presents me with a string of numbers. I insert my card into the device, select the appropriate option, enter the number string into the device, hit ok, enter my PIN, then I get a control code in return, which I enter into the vendor site to confirm the payment.

    15. Re:Magnetic strip? by TheRaven64 · · Score: 2

      France transitioned a lot earlier. Everyone else transitioned about 10 years ago, because the patents had just expired and no one wanted to pay licensing fees to a French company before then. The US moved recently, because the US has an archaic banking system.

      --
      I am TheRaven on Soylent News
    16. Re:Magnetic strip? by arth1 · · Score: 3, Interesting

      Have you heard of Jeremy Clarkson? A few years ago, he said this on TV. Then to prove his confidence, he gave his account number and sort code.

      Someone then caused his bank to pay a sum to charity to prove the point. It is not as secure as you think.

      That's the British branch-based banking system (you can tell from it having a "sort code"), which is different - neither fish nor fowl. The British Postal Giro works like a real giro at the hub, but the endpoints are individual bank branches, which may be payee initiated.

      In the parts of Europe hooked up to a common giro system (since the 60s if I remember correctly), companies and individuals publish their bank accounts - it's how people pay them, through direct deposits - credit, not debit.

      One of my bank account numbers has been published with shareware since the late 80s, with no problems. (I'm not repeating it here, not because I don't want it published, but because a quick google would then point people at the code of my youth. Shame is the deterrent, not fear.)

  2. The way to do it by Okian+Warrior · · Score: 5, Insightful

    This seems like a misguided solution to the problem. If someone steals the card, then this feature won't help.

    Bruce Schneier pointed out the real solution years ago. If your card has some processing power and a display (which this solution has), just add a keypad (similar to a calculator in credit-card size).

    The keypad is for a pin. The owner keys in the pin, the card generates a one-time-use credit card number, and the waiter/salesman can take the card to the back and swipe it or whatever. When the card is lost, the thieves won't know the pin. If the number is copied, it can't be used beyond the first sale.

    You can even use this on a computer peripheral. The software on the card is fixed and can't be hacked.

    Multiple accounts can be stored on one card, so you only need one card instead of multiple credit cards in your wallet.

    Of course, the thieves can kidnap the owner, but that's not the problem this addresses.

    A smart card with pin on the card prevents all kinds of copying, skimming, lost cards, even online accounts.

    Since we're switching to smart cards, I don't know why we simply haven't switched to the final solution.

    1. Re:The way to do it by whopub · · Score: 2

      I've been using a service called MBnet in Portugal. It basically generates a virtual CC number you can use (once or up to a limit amount you pick) like it was a VISA CC number. It's perfect. I haven't used my credit card number directly online since Paypal came up, and I have used paypal only on very special occasions, 3 or 4 times in many more years, since I use MBnet. The advantage of MBnet is that I don't have to worry about paying the credit card expenses to avoid interest rates. It allows me to use the CC like a debit card, online, without ever owing anything.

    2. Re:The way to do it by newcastlejon · · Score: 4, Informative

      Also, chip+pin does nothing to help with online sales, or any sales where they simply choose not to use a chip+pin transaction. Someone can copy down your card number and expiration date and make transactions.

      If you RTFS* you'd see that the card number isn't what changes, it's the CVV2 code on the back of the card. For a long time you've needed these three digits for any "customer not present" transactions (phone or online orders), so just writing down the card number isn't nearly as big a risk as it was in the past.

      What this new card does is make it very difficult to do CNP transactions without having the card physically present; scammers could copy the details but they'd only be good for an hour at most, and most merchants would be wary of dispatching goods to somewhere other than the billing address at least for the first time they're provided with that card's details.

      *Easily forgiven when the headline gets it wrong too.

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.
    3. Re:The way to do it by menkhaura · · Score: 2

      My bank here in Brazil (Banco do Brasil) offers a similar service, but only for *credit* cards. I love it, and it is secure too: the CC number generated is shown half on your computer, half on your registered cellphone (SMS). After the number of transactions you specify, up to the limit amount you pick, and until the expire date you choose, that virtual credit card isn't valid anymore.

      --
      Stupidity is an equal opportunity striker.
      Fellow slashdotter Bill Dog
  3. privacy.com does better by junk · · Score: 5, Interesting

    I have no affiliation to privacy.com other than being a user.

    I've been using privacy.com to generate randomized credit card numbers for a while now. It's the same type of thing we had in the 90s with certain credit card companies but better. I have static cards with monthly limits for recurring charges, static cards with max per transaction limits for online merchants I frequent and one time use burner cards for just about everything else. I can see all declined transactions per card, which lets me track it down to a merchant. It's the same thing I do for email (per account email addresses for spam tracking) but better because I don't have to manage it myself.

  4. steal what's verified by sittingnut · · Score: 2

    instead of being a "huge blow" this might help the criminals, since something algorithmically predictive that depends on other permanent numbers or id info, must be verified,

  5. Virtual cards ? by daedric · · Score: 3, Interesting

    A system was developed some time ago to generate a virtual card, tied to your debit/credit with a short(er) plafond and validity. Also, it is limited to one entity, the first one that actually used the card. It has worked perfectly so far, although certain companies start to get suspicious about the constant adding/removing of cards, like PayPal. Regarding this number changing method, how are the new numbers generated? How does the bank know that numbers are valid?

    1. Re:Virtual cards ? by ShaunC · · Score: 3, Informative

      Regarding this number changing method, how are the new numbers generated? How does the bank know that numbers are valid?

      I presume it works just like a SecurID or other access control dongle. Your card is seeded with a value known to the bank. The card plugs that seed and the current time into an algorithm that generates the number. When you go to make a purchase, the bank runs the same calculation and looks to see if the numbers match.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
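
The seed-plus-time scheme ShaunC describes above, as an added example that is not part of the original thread or the banks' own code. The page does not say which algorithm the cards use, so this uses the RFC 6238 (TOTP) construction as a stand-in; the seed (the public RFC 4226 test key), the one-hour drift allowance and the function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 3600   # the summary says the code changes every hour
DIGITS = 3            # three digits on the back of the card
SEED = b"12345678901234567890"  # constructed seed: the public RFC 4226 test key


def dynamic_code(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Code shown for the time step containing unix_time (RFC 6238 style)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def issuer_verify(seed, presented, unix_time, drift_steps=1):
    """Bank side: recompute from the shared seed, tolerating card clock drift."""
    current = unix_time // STEP_SECONDS
    ok = False
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        expected = dynamic_code(seed, counter * STEP_SECONDS)
        # compare_digest keeps the comparison time independent of the match
        ok |= hmac.compare_digest(expected, presented)
    return ok


def guess_probability(drift_steps=1, attempts=1):
    """Upper bound on a blind guesser's success chance over some attempts."""
    accepted = 2 * drift_steps + 1          # codes valid at any one moment
    return min(1.0, attempts * accepted / 10 ** DIGITS)


if __name__ == "__main__":
    copied_at = 1800                        # code copied half-way through hour 0
    code = dynamic_code(SEED, copied_at)
    for hours_later in (0, 1, 2):
        now = copied_at + hours_later * STEP_SECONDS
        print(hours_later, "h later, accepted:", issuer_verify(SEED, code, now))
    print("blind guess, 10 tries:", guess_probability(attempts=10))
```

With a one-step drift allowance a copied code stays valid into the following hour, and a three-digit space only holds up if the issuer limits failed attempts per card.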
  6. not sure how they handle recurrent payments by youn · · Score: 2

    if the card is essentially useless... then recurrent payments will be a pain

    --
    Never anthropomorphize computers, they do not like that :p
    1. Re:not sure how they handle recurrent payments by swb · · Score: 2

      Call me a conspiracy nut, but I think that's why US card issuers don't change card numbers regularly -- they've been lobbied by their actual customers, merchants, to only change card numbers if absolutely necessary to stop ongoing fraud.

      Merchants love recurring charges. I'd wager for many businesses some non-trivial amount of their revenue comes from *unwanted* recurring charges that people just never canceled the service. Maybe they see the $9.95 and think "fuck, I have to cancel that" but don't and then forget about it until they see it again 3 months later.

      I think credit card issuers *should* change your card number every year. It would have a slightly PITA quality to it if you had a ton of automatic charges, but it would also mean the number would expire sooner rather than later and increase the chances that if the number were harvested somehow it wouldn't have a long life.

      I'm sure VISA/MC/AMEX have min-maxed this idea to death and figured out that it would cost THEM more than it would gain THEM, even if it did reduce the level of fraud, but issuing banks would have more support work, more mailing costs, and the merchants don't want it because they want to keep enjoying free revenue.

    2. Re:not sure how they handle recurrent payments by ShaunC · · Score: 2

      I think credit card issuers *should* change your card number every year. It would have a slightly PITA quality to it if you had a ton of automatic charges, but it would also mean the number would expire sooner rather than later and increase the chances that if the number were harvested somehow it wouldn't have a long life.

      FYI, VISA offers merchants a service called VISA Account Updater where if your credit card number changes, VISA will happily sell your new number to any merchant who had your old one. Just great, huh? It used to be if you were dealing with a hostile merchant who refused to stop billing you (think AOL for example), your "nuclear option" was to have your card number changed. Now even that won't work if you use a VISA card, because VISA themselves will sell you out.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  7. Must be for online use by volts · · Score: 3, Interesting

    This doesn't make much sense for retail, as the CCV isn't used or recorded; the user enters a PIN at the point of sale. But, the CCV could be recorded and fraudulently reused by any online retailer or man-in-the-middle. Randomly changing CCV's would limit the damage.

  8. Re:Trying to look safe for online purchases? by slashrio · · Score: 2

    PayPal has some ugly features that made me decide not to use it.

    --
    "Trump!!", the new Godwin.