Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

High-Tech Card Rolled Out By French Banks Replaces CSC Number Every Sixty Minutes To Prevent Fraud (popularmechanics.com) 76

French digital security firm Oberthur Technologies has come up with a method for making stolen cards useless after an hour. Called the Motion Code, the card replaces the fixed, three-digit Card Security Code (CSC) that sits next to your signature with a miniature display that shows a new number every 60 minutes. From a PopularScience report:In order to combat the rise of online credit card theft, several French banks are partnering with security company Oberthur Technologies to create a credit card with a security code that is constantly changing so that within an hour, a stolen number will be useless. Online credit card fraud is a rapidly growing problem. Thieves can steal your credit card info in a number of ways, such as hacking various consumer websites, or phishing, where they trick you into handing over your information yourself. Once they have your credit card numbers, thieves can go on a spending spree until you or your bank notice, and by the time that happens you can wind up with thousands of dollars in debt. Many banks try and combat this problem by flagging suspicious transactions, but this is an imperfect system that can miss real fraud and accidentally catch legitimate use. Now, two French banks, Societe Generale and Groupe BPCE, are introducing a new system to prevent fraud.
This discussion has been archived. No new comments can be posted.

High-Tech Card Rolled Out By French Banks Replaces CSC Number Every Sixty Minutes To Prevent Fraud

Comments Filter:
  • I've never had to provide the CSC number for any in-person purchase. Any time my CC number has been snagged and used somewhere, it's been used at a physical location and not online. This doesn't really put a stop to that, unfortunately.

    I'd love a CC that changed the actual card number after every purchase or swipe. :P They'd run out of numbers pretty fast though. They'd need a new scheme.

    • by Esteanil ( 710082 ) on Tuesday October 04, 2016 @01:06PM (#53012225) Homepage Journal

      High tech dupe replaces Slashdot front page article with these news every day.

    • EMV chip cards will eliminate card present counterfeit fraud. This change will lead criminals online, where EMV will have no impact. Assuming this enhancement works as advertised, it will pinch off card not present counterfeit fraud as well.

      Then, the last remaining broad security hole will be lost and stolen credit card fraud. Solving this will require two-factor identification for each purchase. At that point, the US will have to switch to chip and PIN alike the rest of the world, and the credit card may h

    • by PCM2 ( 4486 )

      I've never had to provide the CSC number for any in-person purchase. Any time my CC number has been snagged and used somewhere, it's been used at a physical location and not online. This doesn't really put a stop to that, unfortunately.

      Nope, but chip cards will (once the damn CC companies get around to approving any of the terminal installs, that is).

  • Am I crazy, or does slashdot not have the barest level of editorial oversight or quality control? (Mind you, both situations are not mutually exclusive)
  • Next up.... IPv6 for credit cards.

    Seems like a lot of numbers, but when each institution is limited to specific six digit prefixes and they all have to conform to the Luhn algo to create a check digit, it's less than you might think.

    • by Anonymous Coward
      It's not the 16 digit number that changes, it's the 3 digit code on the back, sometimes called a signature code. And it's ok to have numbers repeat, as long as they do not predictably repeat.
    • by cdrudge ( 68377 )

      It's not the main (usually) 16 digit card number. It's the 3 digit code on the back of the card. Your risk goes up slightly that a unknowingly compromised card might be usable at some point again in the future, about once every 21 days, but it's more convenient than having to replace the card once all 1000 digits have been used.

  • "it will be useless in less than an hour, preventing nearly all fraudulent transactions."
    So how do you not prevent desired recurring transactions?
    This seems like the wrong way to solve this.

    • Re:recurring? (Score:5, Interesting)

      by WoodstockJeff ( 568111 ) on Tuesday October 04, 2016 @01:21PM (#53012375) Homepage

      Not just recurring - how about an online order that won't ship (and, by most laws, can't be billed) for 6 weeks, or even a day? The number was valid when you placed the order, but not when it ships...

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Generally:

        a) You place the order with the rotating CSC
        b) A hold is placed on your account for the amount of the purchase and an opaque transaction ID is returned to the merchant
        c) When the merchant fulfills the order, the opaque transaction ID returned in step (b) is used to change the "hold" into an actual transfer of money from cardholder to merchant.

        That's how it works today with static CVV/CVV2 numbers, anyway.

      • Not just recurring - how about an online order that won't ship (and, by most laws, can't be billed) for 6 weeks, or even a day? The number was valid when you placed the order, but not when it ships...

        They can do like many hotels do.
        Place a reservation+pad against your credit line. Then when you check out
        the charge is processed and any pad returned.

        Business travelers especially new kids discover that their card is denied
        for dinner across town because the hotel assumed you would eat in and
        drink from the mini-bar. The pad/reserve can be 3x or more the room rate
        and contain padding for damages (spring break).

        Recurring is still an issue.

      • These transactions are authorised at the time the order is placed. Delaying the charges are irrelevant once authorisation has taken place.

    • I really really really wish my credit card company addressed this problem specifically with unique number generation.

      I'm tired of having to update my Netflix every time my card number gets hacked. Let me send out a new number and track it on the website for my card. Then when one number gets compromised through a hack or physically or cloned I just burn that number.

      In this case let my physical card number have a rotating auth code/or use an authenticator app and then my subscriptions can all be on unique

      • I'm tired of having to update my Netflix every time my card number gets hacked

        You might need to start buying things from more trustworthy places. This shouldn't happen very often at all.

        For one, credit card numbers are not stored by PCI-compliant web sites. Even when you "save" your card, it's just generating a token for re-use by only that merchant.

        For retailers, you have to compromise the hardware on-site. Unless you shop at Target or Home Depot, you probably won't have this happen to you either outside of shops that aren't trustworthy in the first place.

  • https://tech.slashdot.org/stor... [slashdot.org]

    Slashdot memory leak detected...
    Core dumped.

  • ... it doesn't prevent dupes on Slashdot. [slashdot.org]

  • First of all, an obviously incorrect statement in the write-up:

    a method for making stolen cards useless

    TFA — correctly — says, that "stealing" the card's number is useless (as if, interestingly, information can be stolen at all). The write-up is factually wrong — these new cards remain just as useful to the thieves as the old ones were.

    Perhaps more importantly, how strong is the algorithm used to generate these numbers? If it proves easy to predict — and history is littered with examples of fine security principles defeated by lousy implementations — the problem of it being possible to use a card without holding it in one's hands is not really solved...

  • Rolls out the same story every 6 minutes.

  • When the algorithm is discovered or god forbid the manufacturer devises a way to attack the tokens in parallel for exploitation, what good will the rotating numbers be?
    • If the Random Number Generator algorithm is revealed you still won't know what the next number will be based on one code. Even if you know the algorithm and knew that the code was "123" 1 hour ago, you won't know how-many iterations there have been to know what is next. Not without knowing the exact date the chip starting ticking.

      Even if you did. 99% of would-be thieves wouldn't know.

      • Well, I wish that were the case, but once the seeds and the algorithm to RSA SecurID was discovered, it did leave the platform open to vulnerability and it wasn't cheap to fix. So yes, that can be a viable threat to that authentication model.
  • My bank has configurable notifications where I can set the dollar level at which an email and/or text is sent to me when a transaction occurs on my bank account card or credit card. Now this might be an issue if I'm traveling and don't have good cell coverage or a cheap roaming plan, but most of the time its fine for what I need.
  • by Oswald McWeany ( 2428506 ) on Tuesday October 04, 2016 @01:15PM (#53012315)

    The previous article referred to the cards resetting the code every hour. This one is different because it says the cards reset the code every 60 minutes.

    Clearly not a duplicate.

  • An RSA token.... Yea team!

    For the next trick, why don't you come up with a round device called wheel...

    This I've never understood... Seems that it would be incredibly easy to produce a credit card with enough smarts to make it nearly impossible to forge. This is one such idea (having a rolling code displayed which only the CC company knows the sequence) is part of this. Allowing this code to be obtained electronically though the "chip readers" is the next. However, what's missing in all these schemes

    • The CVV code on the back of the card is actually different than the code on the magnetic stripe. Which is also different than the one in the chip. And I think the CVV in a chip does vary per transaction; if not that, there's something in there that prevents replay of data captured "on the wire" from an EMV transaction.

      Passwords exist too. They're called PINs. American banks have mostly shied away from going the Chip and PIN route for credit cards like most other countries, but there are a few out there and

    • by ghoul ( 157158 )

      The problem with something you are security is that it changes a non violent crime to a violent crime. Instead of stealing your credit card now thieves will hold you up

    • I thought they used to make credit cards that you can get your picture on? Anyone remember what happened to those?

  • by shellster_dude ( 1261444 ) on Tuesday October 04, 2016 @02:28PM (#53012947)
    This would never work in the US. As others have stated, the CVV number that you see is different than the one in the stripe. Since the advent of chip-and-pin finally starting to trickle into the US market, it has become less common, a lot of vendors still don't process transactions until the evening. For instance, when a restaurant uses your card, they may not go back and process your tip until the end of the day. In countries that have fully embraced chip-and-pin, transactions must be done at time of sale, so this type of dynamic pin can be utilized.

    To be workable in the current US market, the bank would have to track the last several CVV patterns for a 24 hour period, however, if that is indeed what they are doing, they are effectively creating (60 / 3) * 24 = 480 valid pins in a sliding 24 hour window. That is far worse than a single pin. In fact, early implementations of chip-and-pin were vulnerable to these kind of problems due to the need to support long periods of time for transaction processing.

    Bottom line: We can do a lot to fix fraud if the US would ever fully embrace chip-and-pin.
    • by jo7hs2 ( 884069 )
      If only the credit card companies and retailers hadn't had a spat ten years ago or so regarding the fees on debit cards that ran as credit cards, Americans would probably be far more likely to embrace chip-and-PIN rather than just chip. Everyone I've watched use the chip cards seems to have no issue with them and actually laments when they can't use their new chip card as a chip transaction, but I've also talked with friends and family about it and I get the impression from this and reading comments online
      • by Anonymous Coward

        Are you saying that people should be suspicious of Chip-n-pin? First off at least in Europe it was used as a way to sneak in a liability shift from banks to consumers, at which point they simply said that the system was foolproof (even though people could prove false transactions) and saddled any fraudulent charges on the cardholder. It took a lot of proof and public outrage to get them to change. In the US they're using a little different tactic, they're saddling the businesses with any fraudulent charg

    • The point of chip-and-pin is to enhance security by requiring something you have (card with a chip) and something you know (PIN) to process a transaction.

      The CVV number is a poor attempt to secure the "something you have" part of the equation. Early implimentations were just printed on the opposite side of the card, so someone taking a photo of or copying the card couldn't make a fraudulent charge (because they only had one side of the card). The changing CVV code in TFA is a bit better in that even if
    • by omnichad ( 1198475 ) on Tuesday October 04, 2016 @04:02PM (#53013663) Homepage

      a lot of vendors still don't process transactions until the evening.

      The CVV is used at the authorization stage, not the capture stage. They'd already have an authorization - and the CVV would be valid that moment.

      And if the restaurant is PCI compliant, wouldn't it be far better (and less effort / security risk) to store the authorization token than to store the 16-digit card number and CVV anyway?

  • Technology can't fix fraud.

    If it could we would have no fraud. Instead we have more fraud. Fraud is a matter of social engineering, poor legislature, but most of all its profitable for everyone except the victim. Victims will be the little guy, who can't possibly battle the obfuscation of credit repair and our incompetent injustice system (courts) fail to function. Banks and retailers shrug their shoulders and then cater to their bigger new customer base: the nouveau riche criminals.

    UNTIL WE PUT THE BU

  • So a hacker can still spend for an hour! That's what they do now! This seems a useless solution.

    A better solution already exists. My CitiCard comes with VANs (Virtual Account Numbers), where I can generate new card numbers + code with a limit on dollars and time (2 to 12 months expiry date).
    If I want to do an online transaction for $99 at a merchant, I just generate a new VAN for $99 (or $100 to account for pre-auth by some merchants) and an expiry date 2 months out, and use it.
    No other merchant would g
  • It takes power to run a random number generator to produce these CV2 codes.
    And a clock to tell when to do the next one. What kind of battery is in the card? And how do you recharge it?

    Current chip & pin cards can draw power from the reader. CV2 is mostly useful for online or telephone transactions, where there is no external power supply for the card.
    --
    I believe a man should follow his dreams ... at a safe distance -- Joe Martin

Disclaimer: "These opinions are my own, though for a small fee they be yours too." -- Dave Haynie

Working...