High-Tech Card Rolled Out By French Banks Replaces CSC Number Every Sixty Minutes To Prevent Fraud (popularmechanics.com)
French digital security firm Oberthur Technologies has come up with a method for making stolen cards useless after an hour. Called the Motion Code, the card replaces the fixed, three-digit Card Security Code (CSC) that sits next to your signature with a miniature display that shows a new number every 60 minutes. From a PopularScience report: In order to combat the rise of online credit card theft, several French banks are partnering with security company Oberthur Technologies to create a credit card with a security code that is constantly changing so that within an hour, a stolen number will be useless. Online credit card fraud is a rapidly growing problem. Thieves can steal your credit card info in a number of ways, such as hacking various consumer websites, or phishing, where they trick you into handing over your information yourself. Once they have your credit card numbers, thieves can go on a spending spree until you or your bank notice, and by the time that happens you can wind up with thousands of dollars in debt. Many banks try and combat this problem by flagging suspicious transactions, but this is an imperfect system that can miss real fraud and accidentally catch legitimate use. Now, two French banks, Societe Generale and Groupe BPCE, are introducing a new system to prevent fraud.
I've never had to provide the CSC number for any in-person purchase. Any time my CC number has been snagged and used somewhere, it's been used at a physical location and not online. This doesn't really put a stop to that, unfortunately.
I'd love a CC that changed the actual card number after every purchase or swipe. :P They'd run out of numbers pretty fast though. They'd need a new scheme.
Am I crazy, or does slashdot not have the barest level of editorial oversight or quality control? (Mind you, both situations are not mutually exclusive)
Next up.... IPv6 for credit cards.
Seems like a lot of numbers, but when each institution is limited to specific six digit prefixes and they all have to conform to the Luhn algo to create a check digit, it's less than you might think.
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
High tech dupe replaces Slashdot front page article with these news every day.
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
"it will be useless in less than an hour, preventing nearly all fraudulent transactions."
So how do you not prevent desired recurring transactions?
This seems like the wrong way to solve this.
https://tech.slashdot.org/stor...
Slashdot memory leak detected...
Core dumped.
... it doesn't prevent dupes on Slashdot.
TFA — correctly — says, that "stealing" the card's number is useless (as if, interestingly, information can be stolen at all). The write-up is factually wrong — these new cards remain just as useful to the thieves as the old ones were.
Perhaps more importantly, how strong is the algorithm used to generate these numbers? If it proves easy to predict — and history is littered with examples of fine security principles defeated by lousy implementations — the problem of it being possible to use a card without holding it in one's hands is not really solved...
In Soviet Washington the swamp drains you.
You are correct---but you may be crazy. These are not necessarily mutually exclusive concepts.
Rolls out the same story every 6 minutes.
When the algorithm is discovered or god forbid the manufacturer devises a way to attack the tokens in parallel for exploitation, what good will the rotating numbers be?
Select from tblFriends where interesting >= 4;
My bank has configurable notifications where I can set the dollar level at which an email and/or text is sent to me when a transaction occurs on my bank account card or credit card. Now this might be an issue if I'm traveling and don't have good cell coverage or a cheap roaming plan, but most of the time it's fine for what I need.
The previous article referred to the cards resetting the code every hour. This one is different because it says the cards reset the code every 60 minutes.
Clearly not a duplicate.
"That's the way to do it" - Punch
Amazon does not want yours...
And it's still 1 in a 1000 PER ATTEMPT, which if you have millions of card numbers and more than one attempt...
And this works how...
don't be a fag about it
An RSA token.... Yea team!
For the next trick, why don't you come up with a round device called wheel...
This I've never understood... Seems that it would be incredibly easy to produce a credit card with enough smarts to make it nearly impossible to forge. This is one such idea (having a rolling code displayed which only the CC company knows the sequence) is part of this. Allowing this code to be obtained electronically through the "chip readers" is the next. However, what's missing in all these schemes is some kind of biometrics or password....
Good security requires, something you have (the credit card), Something you know, and something you ARE... Short of having all three, you really don't have a lot of security. All this little "invention" does is prove you HAVE the card, which doesn't do much for you if the card is stolen.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
And yet, most of Slashdot disagrees, that information can be stolen: you still have your copy of that file you accuse me of "stealing", don't you?
I too find the argument ridiculous, but it is so wide-spread, I mock it at any opportunity.
In Soviet Washington the swamp drains you.
Totally different. If you're a slashdot editor.
Is it just my observation, or are there way too many stupid people in the world?
This would never work in the US. As others have stated, the CVV number that you see is different than the one in the stripe. Since the advent of chip-and-pin finally starting to trickle into the US market, it has become less common, a lot of vendors still don't process transactions until the evening. For instance, when a restaurant uses your card, they may not go back and process your tip until the end of the day. In countries that have fully embraced chip-and-pin, transactions must be done at time of sale, so this type of dynamic pin can be utilized.
To be workable in the current US market, the bank would have to track the last several CVV patterns for a 24 hour period, however, if that is indeed what they are doing, they are effectively creating (60 / 3) * 24 = 480 valid pins in a sliding 24 hour window. That is far worse than a single pin. In fact, early implementations of chip-and-pin were vulnerable to these kind of problems due to the need to support long periods of time for transaction processing.
Bottom line: We can do a lot to fix fraud if the US would ever fully embrace chip-and-pin.
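Added example, not part of the thread: a sketch of an hourly rolling 3-digit code and of how an issuer-side acceptance window, as discussed in the comments above, raises the chance that a blind guess is accepted. The page does not say what algorithm the Motion Code uses; the TOTP-style HMAC construction, the key and all function names here are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 3600  # the page says the code changes every 60 minutes
DEMO_KEY = b"constructed-demo-key-not-a-real-card-secret"  # constructed sample


def rolling_code(card_key: bytes, unix_time: int, digits: int = 3) -> str:
    """Code for the hour containing unix_time (assumed TOTP-style scheme)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def accepted_codes(card_key: bytes, now: int, window_steps: int) -> set:
    """Codes the issuer accepts: the current hour plus window_steps earlier hours."""
    return {rolling_code(card_key, now - i * STEP_SECONDS)
            for i in range(window_steps + 1)}


def verify(card_key: bytes, submitted: str, now: int, window_steps: int = 0) -> bool:
    """Constant-time comparison against every code inside the window."""
    ok = False
    for code in accepted_codes(card_key, now, window_steps):
        ok |= hmac.compare_digest(submitted, code)
    return ok


def blind_guess_odds(card_key: bytes, now: int, window_steps: int) -> float:
    """Chance that one random 3-digit guess lands on an accepted code."""
    return len(accepted_codes(card_key, now, window_steps)) / 1000


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    print("current code:", rolling_code(DEMO_KEY, now))
    for window in (0, 1, 23):
        print(f"window of {window} earlier hour(s):",
              f"{blind_guess_odds(DEMO_KEY, now, window):.3f} per guess")
```

Because the code is only three digits, the per-guess odds are set by how many hours the issuer tolerates, so attempt limits per card matter as much as the strength of the generator.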
Technology can't fix fraud.
If it could we would have no fraud. Instead we have more fraud. Fraud is a matter of social engineering, poor legislature, but most of all it's profitable for everyone except the victim. Victims will be the little guy, who can't possibly battle the obfuscation of credit repair and our incompetent injustice system (courts) fail to function. Banks and retailers shrug their shoulders and then cater to their bigger new customer base: the nouveau riche criminals.
UNTIL WE PUT THE BURDEN OF FRAUD ON THE BANKS WHO TRANSACT EVERYTHING IT WILL NEVER STOP.
Back in the "old" days of Wells Fargo, stealing the loot was called BANK ROBBERY. Now they call it identity theft. That is why Wells Fargo made millions of FAKE new accounts to plunder. THEY GET PAID EVEN WHEN IT'S FRAUD. WAKE UP FOLKS. WE NEED NEW RULES NOT TECHNOLOGY TO FIX THIS.
I apologize for shouting, but everyone is clueless. Banks and insurance companies need to go extinct before society can truly prosper. It's feudalism, plain and simple and we need to get over it. Maybe after the next mass extinction.
A random time sensitive number is definitely part of the solution. But they need to also allow cardholders to control card use to a finer degree. For example transactions should be tied to a physical location (the gas station where you swipe the card, the store where you use it, etc) to allow cardholders to geofence their purchases, such as requiring call/text verification for purchases outside of their city/country/etc.
A website won't have the 3 digit code unless they are allowed to save it in France for some reason.
If it is phished, they just have to shop faster. Same if intercepted somehow.
Useless to sell the info I suppose..rather it's useless to BUY the info...it won't stop them from selling it I guess ;)
The point of chip-and-pin is to enhance security by requiring something you have (card with a chip) and something you know (PIN) to process a transaction.
The CVV number is a poor attempt to secure the "something you have" part of the equation. Early implementations were just printed on the opposite side of the card, so someone taking a photo of or copying the card couldn't make a fraudulent charge (because they only had one side of the card). The changing CVV code in TFA is a bit better in that even if you get a photo of the code on the back of the card, it is only valid for an hour. A chip is the ultimate solution - you cannot process a transaction unless you have the physical chip. The only reason to use the changing code in TFA is for online/telephone transactions which can't accept a chip, so has to be done the old way by relaying numbers.
So this has nothing to do with the PIN - the "something you know" half of the security equation. Putting the PIN on the card, even in the form of a number which changes every hour, would defeat the whole purpose of using a PIN for security since it would no longer be something you know that a thief does not.
And the U.S. doesn't even use chip-and-pin. It uses chip-and-sign. A weaker form of security the card companies foisted on the country so they could keep merchants paying for fraud. With chip-and-pin, either the customer gave away the card and PIN and so is liable for the purchase, or the card company screwed up authentication and is liable for the purchase. The merchant is absolved of responsibility for fraud in all cases. But the current credit card company empire is built upon forcing the merchants to pay for fraud, so they watered it down to chip-and-sign. The merchant has to verify the customer's signature matches that on the card. If there's a fraudulent purchase and the signatures don't match, the merchant has to pay for the fraud.
Huh? Unless I missed a change in my terms of service, unless I personally authorized the transaction and the card was present and the correct PIN was used - I'd owe nothing. Sucks to be the merchant, if they took an invalid card.
BTW, merchants are forbidden by the card issuers from storing the security code, making it impossible (ha, ha) for hackers to gain that data except by handling your card or intercepting an online purchase transaction data flow.
So a hacker can still spend for an hour! That's what they do now! This seems a useless solution.
A better solution already exists. My CitiCard comes with VANs (Virtual Account Numbers), where I can generate new card numbers + code with a limit on dollars and time (2 to 12 months expiry date).
If I want to do an online transaction for $99 at a merchant, I just generate a new VAN for $99 (or $100 to account for pre-auth by some merchants) and an expiry date 2 months out, and use it.
No other merchant would get approval with subsequent transactions using that number, nor any transaction over the limit I set.
The card expires automatically in 2 months unless I close it sooner.
It is the greatest thing in online credit card solutions I have yet seen.
Now, my 'real' card number was stolen recently and a fake was created and used a few states away; where it was fortunately flagged and I was notified and the card cancelled.
This 'changing code' thing might have prevented even this type of hack. That is, until someone figures out (or otherwise steals) the algorithm!
Self-importance and self-indulgence is the root of ALL evil.
It takes power to run a random number generator to produce these CV2 codes.
And a clock to tell when to do the next one. What kind of battery is in the card? And how do you recharge it?
Current chip & pin cards can draw power from the reader. CV2 is mostly useful for online or telephone transactions, where there is no external power supply for the card. ... at a safe distance -- Joe Martin
--
I believe a man should follow his dreams
Impressive that you can have such an active computer as a smear of paint on a card! But these people are commenting on PIN technology? It is more interesting to discuss if it will not wear away with use... my cards all end up dimmed down and unreadable. Are you sure it is not just an animated pic?