High-Tech Card Rolled Out By French Banks Replaces CSC Number Every Sixty Minutes To Prevent Fraud (popularmechanics.com)
French digital security firm Oberthur Technologies has come up with a method for making stolen cards useless after an hour. Called the Motion Code, the card replaces the fixed, three-digit Card Security Code (CSC) that sits next to your signature with a miniature display that shows a new number every 60 minutes. From a PopularScience report: In order to combat the rise of online credit card theft, several French banks are partnering with security company Oberthur Technologies to create a credit card with a security code that is constantly changing so that within an hour, a stolen number will be useless. Online credit card fraud is a rapidly growing problem. Thieves can steal your credit card info in a number of ways, such as hacking various consumer websites, or phishing, where they trick you into handing over your information yourself. Once they have your credit card numbers, thieves can go on a spending spree until you or your bank notice, and by the time that happens you can wind up with thousands of dollars in debt. Many banks try and combat this problem by flagging suspicious transactions, but this is an imperfect system that can miss real fraud and accidentally catch legitimate use. Now, two French banks, Societe Generale and Groupe BPCE, are introducing a new system to prevent fraud.
Am I crazy, or does slashdot not have the barest level of editorial oversight or quality control? (Mind you, both situations are not mutually exclusive)
High tech dupe replaces Slashdot front page article with these news every day.
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
TFA — correctly — says, that "stealing" the card's number is useless (as if, interestingly, information can be stolen at all). The write-up is factually wrong — these new cards remain just as useful to the thieves as the old ones were.
Perhaps more importantly, how strong is the algorithm used to generate these numbers? If it proves easy to predict — and history is littered with examples of fine security principles defeated by lousy implementations — the problem of it being possible to use a card without holding it in one's hands is not really solved...
In Soviet Washington the swamp drains you.
You are correct---but you may be crazy. These are not necessarily mutually exclusive concepts.
The previous article referred to the cards resetting the code every hour. This one is different because it says the cards reset the code every 60 minutes.
Clearly not a duplicate.
"That's the way to do it" - Punch
In other news, Slashdot has announced technology that duplicates posts every 60 minutes, to maintain site-traffic.
If it weren't for deadlines, nothing would be late.
Not just recurring - how about an online order that won't ship (and, by most laws, can't be billed) for 6 weeks, or even a day? The number was valid when you placed the order, but not when it ships...
If the Random Number Generator algorithm is revealed you still won't know what the next number will be based on one code. Even if you know the algorithm and knew that the code was "123" 1 hour ago, you won't know how many iterations there have been to know what is next. Not without knowing the exact date the chip started ticking.
Even if you did, 99% of would-be thieves wouldn't know.
"That's the way to do it" - Punch
Generally:
a) You place the order with the rotating CSC
b) A hold is placed on your account for the amount of the purchase and an opaque transaction ID is returned to the merchant
c) When the merchant fulfills the order, the opaque transaction ID returned in step (b) is used to change the "hold" into an actual transfer of money from cardholder to merchant.
That's how it works today with static CVV/CVV2 numbers, anyway.
This would never work in the US. As others have stated, the CVV number that you see is different than the one in the stripe. Since the advent of chip-and-pin finally starting to trickle into the US market, it has become less common, but a lot of vendors still don't process transactions until the evening. For instance, when a restaurant uses your card, they may not go back and process your tip until the end of the day. In countries that have fully embraced chip-and-pin, transactions must be done at time of sale, so this type of dynamic pin can be utilized.
To be workable in the current US market, the bank would have to track the last several CVV patterns for a 24-hour period; however, if that is indeed what they are doing, they are effectively creating (60 / 3) * 24 = 480 valid pins in a sliding 24-hour window. That is far worse than a single pin. In fact, early implementations of chip-and-pin were vulnerable to these kinds of problems due to the need to support long periods of time for transaction processing.
Bottom line: We can do a lot to fix fraud if the US would ever fully embrace chip-and-pin.
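An added illustration (not from the article, Oberthur, or any commenter) of the two points made above: the hold-then-capture flow in steps (a)-(c), where the rotating code is checked only at authorization and settlement uses the opaque transaction id, and the cost of a sliding acceptance window, where every extra hour of tolerance adds one more code the issuer will accept. The TOTP-style code construction, the `Issuer` class, the secret and the timestamp are all assumptions; the page does not describe the real Motion Code algorithm.

```python
import hmac
import hashlib
import secrets

ROTATION_SECONDS = 3600  # a fresh three-digit code every 60 minutes, as on the page


def motion_code(card_secret: bytes, now: int) -> str:
    """Assumed construction (TOTP-style): HMAC of the hour counter, truncated to
    three digits. Without the card secret, one observed code says nothing about
    the next one. The page does not describe Oberthur's real algorithm."""
    counter = (now // ROTATION_SECONDS).to_bytes(8, "big")
    digest = hmac.new(card_secret, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


class Issuer:
    """Hypothetical issuer: validates the rotating code only at authorization,
    then lets the merchant capture later by opaque transaction id."""

    def __init__(self, card_secret: bytes, tolerance_hours: int = 0):
        self.secret = card_secret
        self.tolerance_hours = tolerance_hours  # how many past codes stay valid
        self.holds: dict[str, int] = {}

    def accepted_codes(self, now: int) -> set[str]:
        # Each extra hour of tolerance is one more code a replayed capture would pass with.
        return {motion_code(self.secret, now - h * ROTATION_SECONDS)
                for h in range(self.tolerance_hours + 1)}

    def authorize(self, code: str, amount: int, now: int):
        """Steps (a)/(b): check the code, place a hold, return an opaque id."""
        if code not in self.accepted_codes(now):
            return None
        txn_id = secrets.token_hex(16)  # opaque: reveals nothing about the card
        self.holds[txn_id] = amount
        return txn_id

    def capture(self, txn_id: str):
        """Step (c): settle by id alone; the code has long since rotated."""
        return self.holds.pop(txn_id, None)


if __name__ == "__main__":
    SECRET = b"constructed-card-secret"  # constructed sample value
    t0 = 1_699_999_200                   # constructed timestamp on an hour boundary
    issuer = Issuer(SECRET)
    txn = issuer.authorize(motion_code(SECRET, t0), 4200, t0)
    print("hold placed:", txn)
    print("captured six weeks later:", issuer.capture(txn))
    print("codes valid with a 24h window:", len(Issuer(SECRET, 23).accepted_codes(t0)))
```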