Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Businesses Crime EU Security The Almighty Buck Technology

French Banks Offer Credit Card Numbers That Change Every Hour (thememo.com) 222

Slashdot reader schwit1 quotes The Memo: What if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date? That's exactly what two French banks are starting to do with their new high-tech ebank cards... The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals... As most fraud happens a few hours or days after your card details are actually taken, this would leave criminals essentially with a bunch of useless numbers.
It's just like credit cards you have now -- other than the tiny digital screen that's embedded into the back of the card.
This discussion has been archived. No new comments can be posted.

French Banks Offer Credit Card Numbers That Change Every Hour

Comments Filter:
  • Magnetic strip? (Score:4, Interesting)

    by Anonymous Coward on Sunday October 02, 2016 @02:40PM (#53000235)

    Do French credit cards still support magnetic strip transactions? Is that invalidated? Every time my card's details have been stolen it's because I used it while travelling in the US (I live in Canada; I travel to the US once, sometimes twice a year; I've had a card stolen three times in the last three years), and someone has tried to withdraw money from an ATM using a strip transaction. These transactions never involve the three numbers on the back.

    Will this break regularly scheduled withdrawals for automated billing?

    • by youn ( 1516637 )

      europe transitioned to chips a lot earlier than the US. They have even required a pin for transactions for years

      • France transitioned a lot earlier. Everyone else transitioned about 10 years ago, because the patents had just expired and no one wanted to pay licensing fees to a French company before then. The US moved recently, because the US has an archaic banking system.
    • Re:Magnetic strip? (Score:4, Informative)

      by Tx ( 96709 ) on Sunday October 02, 2016 @03:09PM (#53000381) Journal

      Note that it's a French bank. In Europe (at least the UK where I live and the other parts of Europe that I've travelled to), we use chip cards, which means that that is already a solved problem here; cloning the magnetic strip doesn't get you the PIN number, and you can't do anything without that. So you don't need any fancy changing card number to solve that problem, you north-Americans just need to get with the program. As long as you can make transactions with just something as easily cloneable as the magnetic strip, you're going to have that problem.

      • Re:Magnetic strip? (Score:5, Informative)

        by Anonymous Coward on Sunday October 02, 2016 @03:14PM (#53000409)

        the changing numbers solve a different problem

        using them online when no chip and pin transaction is possible

        • Chip and PIN transactions are definitely possible online. My bank issued me with a small hand-held card reader. In order to validate an online transaction I insert my card into it, type the PIN, followed by one or more challenges (such as the amount and possibly the account number of the payee). The card reader then gives me a number to key into the website as proof that I have the card and know the PIN. This is fully integrated into online payment handlers' systems such as Ogone, Sofort and others.
          • This is essentially the same solution without the need to have a device. Granted it's not exactly the same in that you're using a rolling code instead of a PIN but it's more convenient as you don't have to have a separate device and the online merchant doesn't have to have special software to support it.
      • Re:Magnetic strip? (Score:5, Interesting)

        by Dahamma ( 304068 ) on Sunday October 02, 2016 @04:51PM (#53000903)

        The US now uses chip cards as well (though there are some retailers still using swipe, which is now officially retailer's responsibility to pay for fraud in that case) - this has NOTHING TO DO WITH THAT.

        It's not really related to online purchases, but since you don't seem to know much about this... chip and pin vs chip and signature comes down to one thing: a 2nd factor authentication. For IN PERSON retail transactions, the "chip" basically means a CC# (which is all the mag stripe really provided) is no longer enough, now the CC# is only accepted from a valid card passing a cryptographic check. That's the first factor: "something you have".

        But if your card is stolen, it comes down to the 2nd factor. For chip and pin, that 2nd factor is "something you know". For chip and signature, it's really closer to "something you are" (biometric). Problem is, the "biometric" signature is pretty easily fooled, and the current verification (in theory could be a computer, but in reality is some totally untrained clerk/waiter/etc who has no clue how to validate it) is absurd.

        Summary, it, the chip and pin solution is designed to make it genuinely harder to use a stolen CC, and the chip and signature is designed to make it harder to counterfeit a CC - while making sure it's NOT harder to use it. Basically, the US solution is designed to make sure the banks are covered and the consumers won't stop using credit cards - while not providing any added benefit to CONSUMERS who had their card stolen.

        That gets us to online purchases. First, fairly obviously, both chip and pin and chip and signature fail here. CVV was a minor attmept to fix this, but (1) it does nothing to prevent physical credit card theft since it's PRINTED ON THE CARD (useless 2 factor) and (2) it's not actually required by many credit card processing services so there's always a way to get around it.

        You'd think given the size of this industry the various actors involved (VISA, MC, banks, retailers, etc) would be smart enough to know all of this and find a good solution? Well, yes, of course they are, and have put much more thought into it than my simplistic summary. But the key point is they don't WANT to fix it, since it turns out they realized any current fixes that would mostly solve the problem would also inconvenience customers and retailers/POS just enough that it might bring revenue gains below fraud losses. Plus, fraud is tax deductible. And, customers and retailers aren't always well informed, so hey, some of the time they just get screwed and lose without even reporting the fraud. All good for the banks and CC companies!

        • This is a variable CVV. Its utility is to make it difficult to do a card not present transaction (generally an online purchase) without the physical card. You complain that it doesn't address physical card theft, but is most places that isn't a problem. The bigger problem is somebody stealing a bajillion credit card numbers from Target or a server who copies card numbers, expirations and CVVs from every card for a few months then uses the gathered data to either clone those cards or use them online. Thi

          • Exactly, retail fraud (stealing a card) is such small potatoes that the financial institutions aren't too worried about it. Ship a new card and write off the loss. Not that they don't want to minimize this but it's small potatoes compared to wholesale card number theft that can run in the tens or even hundreds of millions.
        • You know, when I see this argument, there's a critical flaw in it. Yes, 2 factor is generally better than 1- factor, and so forth.

          However, all factors are not equal. "Something you know" is the worst case because humans have limited memory so there will always be easy ways to steal anything a user knows. This is why passwords are so shitty. "Something you are"(fingerprint, iris scanners) unfortunately devolves back to "something you know" in that it's a fixed biometric signature that you can spoof.

          Somet

          • by Dahamma ( 304068 )

            Clearly enforcing end-to-end cryptographic security is the beset solution, but as has already been state several times the credit card companies, banks, and point of sale retailers just don't WANT that.

            You and I both know - and this isn't state of the art, it's trivial - how this whole system could be made 100x more secure, I'm sure. But the point is it's not about security it's about cost of fraud vs cost of convenience. That's it. And unfortunately it's not the cost of convenience of consumers DEFRAUDE

            • How does end to end cryptographic security relate to this in any way?

              For "Something you know" security - end to end encryption does nothing to stop a hidden camera or hidden electronic device that can detect the actual buttons pressed on the keypad.

              For "something you are" security - a tampered with biometric sensor can have it's readings copied, for example you can tamper with a fingerprint scanner so the sensor copies any prints it detects to another embedded device that stores a copy of the print images.

        • That gets us to online purchases. First, fairly obviously, both chip and pin and chip and signature fail here. CVV was a minor attmept to fix this, but (1) it does nothing to prevent physical credit card theft since it's PRINTED ON THE CARD (useless 2 factor) and (2) it's not actually required by many credit card processing services so there's always a way to get around it.

          It is required by ALL credit card processing services, at least in Europe. Many also have additional steps like sending extra security digits to your phone.

        • by mjwx ( 966435 )

          Summary, it, the chip and pin solution is designed to make it genuinely harder to use a stolen CC, and the chip and signature is designed to make it harder to counterfeit a CC - while making sure it's NOT harder to use it. Basically, the US solution is designed to make sure the banks are covered and the consumers won't stop using credit cards - while not providing any added benefit to CONSUMERS who had their card stolen.

          EMV (Chip and Pin) was designed to stop card cloning, which is has been largely successful for. The EMV spec was written in 1994 when purchasing things over the internet was relatively uncommon.

          The problem is that criminals have moved from card cloning to online transaction which EMV has nothing to do with, this does not make EMV bad or ineffective, EMV is more or less physical protection which doesn't help now that electronic purchases are commonplace.

          The problem the banks have is that any measures

        • by AmiMoJo ( 196126 )

          Chip and PIN was designed to shift some of the burden of fraud onto the consumer. When your card is stolen the banks interrogates you, looking for ways to avoid reversing the charges. These can include things like a weak PIN number, admitting you told someone your PIN number, using the same PIN number for multiple cards, not concealing your PIN adequately when using the keypad etc.

          In the early days they banks refused to even entertain the idea that transactions authorised by PIN number could be fraudulent.

        • by Shinobi ( 19308 )

          Chip and Pin works online too, if the banks and vendors use proper systems. Let's just say Steam, Blizzard and other US vendors don't support it...

          I'm in Sweden, and my bank has issued a small, hand-held device with various features, either login for the bank, signing payment order, or payment order. I make an order at a site and initiate the checkout procedure. Vendor site or my bank presents me with a string of numbers. I insert my card into the device, select the appropriate option, enter the number stri

      • cloning the magnetic strip doesn't get you the PIN number,

        The PIN is not stored on the card with either Stripe or Chip.

    • Re:Magnetic strip? (Score:5, Informative)

      by gweihir ( 88907 ) on Sunday October 02, 2016 @03:50PM (#53000617)

      Will this break regularly scheduled withdrawals for automated billing?

      No. First, in Europe, these are _not_ done via credit-card, but via interbank-transfer. Not everybody is stuck in the banking dark-ages like the US. Second, for credit-card based schemes, you authenticate once and then the bank knows these are legit and it works without further authentication.

      • by youn ( 1516637 )

        You do know that bank transfers are not a europe specific thing :)

        I just bought something and the payment was divided in 3 equal payments... on multiple occasion, I don't personally want to give my bank information each time I make such a purchase. It creates a more serious problem, as if you give your bank information to each merchant for that kind of transaction then you have in effect recreated the same problem with your bank account.

        At least with a credit card number, it is a lot easier to change it and

        • Re:Magnetic strip? (Score:5, Interesting)

          by arth1 ( 260657 ) on Sunday October 02, 2016 @09:04PM (#53001795) Homepage Journal

          You do know that bank transfers are not a europe specific thing :)

          I just bought something and the payment was divided in 3 equal payments... on multiple occasion, I don't personally want to give my bank information each time I make such a purchase. It creates a more serious problem, as if you give your bank information to each merchant for that kind of transaction then you have in effect recreated the same problem with your bank account.

          The big difference is that bank transfers in Europe are payer initiated, while in the US, they are payee initiated.
          In Europe, there is generally no problems giving out your bank account details, because all you can do with that information is to send payments to the account.

          • by gweihir ( 88907 )

            Well, theoretically, you can withdraw money with that, but the account owner can just contest this and then you have to prove you were entitled to that withdrawal and have to pay a rather large fine if you cannot. You also only get the money after a 60 days (I think) waiting period, so this is completely unusable for fraudulent withdrawals.

            • by arth1 ( 260657 )

              Well, theoretically, you can withdraw money with that but the account owner can just contest this and then you have to prove you were entitled to that withdrawal and have to pay a rather large fine if you cannot.

              Only in a payee initiated system is that possible. in a payer initiated systems, only the account holder can initiate a transfer. There's no being "entitled to" withdraw. If your name isn't on the account, you're not entitled.
              Transfers are usually immediate and not reversible. If you misspell the recipient account number (including control digit), you have to appeal to the recipient to transfer the money back to you, or appeal to the courts to make that happen. There's no reversing charges, because you

              • Transfers are usually immediate and not reversible. If you misspell the recipient account number (including control digit), you have to appeal to the recipient to transfer the money back to you, or appeal to the courts to make that happen.

                That is not true, they are always reversible. If you report the error to your bank within 24hours, it is trivially reversible, after that you may need to document it was an error or theft or whatever.

              • Re:Magnetic strip? (Score:5, Insightful)

                by AmiMoJo ( 196126 ) on Monday October 03, 2016 @06:40AM (#53003183) Homepage Journal

                The UK has largely moved away from the branch model now. The UK also allows some limited payee initiated transfers, in the form of Direct Debits. They are good for paying bills and the like, you agree to let the payee set the amount every time (to cover things like phone bills that can vary) and you have to right to cancel or reverse any payment without question.

          • by Gonoff ( 88518 )

            In Europe, there is generally no problems giving out your bank account details, because all you can do with that information is to send payments to the account.

            Have you heard of Jeremy Clarkson? A few years ago, he said this on TV. Then to prove his confidence, he gave his account number and sort code.

            Someone then caused his bank to pay a sum to charity to prove the point. It is not as secure as you think.

            • Re:Magnetic strip? (Score:4, Interesting)

              by arth1 ( 260657 ) on Monday October 03, 2016 @09:32AM (#53004043) Homepage Journal

              Have you heard of Jeremy Clarkson? A few years ago, he said this on TV. Then to prove his confidence, he gave his account number and sort code.

              Someone then caused his bank to pay a sum to charity to prove the point. It is not as secure as you think.

              That's the British branch-based banking system (you can tell from it having a "sort code"), which is different - neither fish nor fowl. The British Postal Giro works like a real giro at the hub, but the endpoints are individual bank branches, which may be payee initiated.

              In the parts of Europe hooked up to a common giro system (since the 60s if I remember correctly), companies and individuals publish their bank accounts - it's how people pay them, through direct deposits - credit, not debit.

              One of my bank account numbers has been published with shareware since the late 80s, with no problems. (I'm not repeating it here, not because I don't want it published, but because a quick google would then point people at the code of of my youth. Shame is the deterrent, not fear.)

      • by Dahamma ( 304068 )

        Not everybody is stuck in the banking dark-ages like the US

        That's silly, it has NOTHING to do with antiquated technology, it has to do with history and cultural differences.

        I live in the US and have all of my automated withdrawls from my checking account, both methods have been offered for many years. But as I said using CC for recurring payments is a cultural thing - credit cards have a much longer and more prominent history in the US, so people are more comfortable using them than in Europe. Many recurring services in Europe offer CC payments, the fact that peop

        • But in any case, credit card transaction processing is a multistep process, and an authentication step is performed every time a new transaction is posted.

          Here in Australia the authentication step is purely to validate the card for CNP transactions. This only happens once the first time for recurring payments so is not needed for following payments between the same merchant and payer.

      • No. First, in Europe, these are _not_ done via credit-card, but via interbank-transfer. Not everybody is stuck in the banking dark-ages like the US.

        Interbank transfers for simple billing seems pretty dark-ages too. You Americans and Europeans need to both catch up.

    • Visited Canada recently. People are awesome, weather was great, wonderful city, meh food...

      But what did bother me was the payment system. I understand that you all have pin and chip or whatever. But God every place we went kept giving us the swiper so that we can swipe and enter the pin. We didn't have pins of course. Its almost as slow as paying by cash.

      And as for security... Those swipers can just as easily be key loggers.

      Also, my dad had his CC copied 2x in his life. Once in New Jersey and once in Canada

    • I've had a card stolen three times in the last three years), and someone has tried to withdraw money from an ATM using a strip transaction.These transactions never involve the three number on the back.

      The CVC/CVV (the number on the back) is only used in Card Not Present (CNP) transactions.
      If you are performing a card transaction, then you also need the PIN. How did they get yours?

      Will this break regularly scheduled withdrawals for automated billing?

      The purpose of CVC/CVV is an initial check if the card is fraudulent. If it passes the once, you no longer need to recheck for recurring billing.

  • The way to do it (Score:5, Insightful)

    by Okian Warrior ( 537106 ) on Sunday October 02, 2016 @02:45PM (#53000257) Homepage Journal

    This seems like a misguided solution to the problem. If someone steals the card, then this feature won't help.

    Bruce Schneier pointed out the real solution years ago. If your card has some processing power and a display (which this solution has), just add a keypad (similar to a calculator in credit-card size).

    The keypad is for a pin. The owner keys in the pin, the card generates a one-time-use credit card number, and the waiter/salesman can take the card to the back and swipe it or whatever. When the card is lost, the thieves won't know the pin. If the number is copied, it can't be used beyond the first sale.

    You can even use this on a computer peripheral. The software on the card is fixed and can't be hacked.

    Multiple accounts can be stored on one card, so you only need one card instead of multiple credit cards in your wallet.

    Of course, the thieves can kidnap the owner, but that's not the problem this addresses.

    A smart card with pin on the card prevents all kinds of copying, skimming, lost cards, even online accounts.

    Since we're switching to smart cards, I don't know why we simply haven't switched to the final solution.

    • Yes, but... (Score:2, Flamebait)

      by Overzeetop ( 214511 )

      Most Americans would just write the pin on their card so that they wouldn't forget it.

    • Are there any online stores that currently support local chip readers on a customer's computer?
      • Are there any online stores that currently support local chip readers on a customer's computer?

        I know that FirstData was working with some company out of Venezuela to do this for online transactions. I am not sure the name of the company, but the idea was that it was cheaper to issue chip readers to people at home than it was to deal with the rampant credit card fraud that exists there at the moment.

    • by TroII ( 4484479 )

      This seems like a misguided solution to the problem. If someone steals the card, then this feature won't help.

      I've had credit cards compromised 3 times over the years but it's never been because the physical card was stolen. Is that really a common problem in the grand scheme of things? From an American perspective, most ID theft tends to happen when some merchant is breached and thousands or millions of stored numbers+CVV get leaked. This approach makes those leaks useless. Sure, some people will still lose their wallet or get their purse stolen, but that's small potatoes in terms of the fraud that goes on every d

      • by Kjella ( 173770 )

        I've had credit cards compromised 3 times over the years but it's never been because the physical card was stolen. Is that really a common problem in the grand scheme of things? From an American perspective, most ID theft tends to happen when some merchant is breached and thousands or millions of stored numbers+CVV get leaked. This approach makes those leaks useless.

        It also makes the purpose of the stored info useless, since it's either recurring services or to make checkout easier. I find it odd that they'd need to store the original input though, they should pass that to VISA and get a sort of authorization token, which would only be valid for their merchant account. That way you can hack eBay's database but unless you're eBay you can't charge anyone. Then you'd have to capture card info live the first time it's entered.

    • by whopub ( 1100981 )

      I've been using a service called MBnet in portugal. It basically generates a virtual CC number you can use (once or up to a limit amount you pick) like it was a VISA CC number. It's perfect. I haven't used my credit card number directly online since Paypal came up, and I have used paypal only on very special occasions, 3 or 4 times in may more years, since I use MBnet. The advantage of MBnet is that I don't have to worry about paying the credit card expenses to avoid interest rates. It allows me to use the

      • My bank here in Brazil (Banco do Brasil) offers a similar service, but only for *credit* cards. I love it, and it is secure too: the CC number generated is shown half on your computer, half on your registered cellphone (SMS). After the number of transactions you specify, up to the limit amount you pick, and until the expire date you choose, that virtual credit card is'nt valid anymore.

      • by ruir ( 2709173 )
        Not ideia why the parent post was modded down. Here in Portugal MB.net really does work. The weak point of the solution is that the access to the MB.Net itself, is rather weak. I understand targeting the lower common denominator, however not having a 2FA at this point of the game, and having a user *and* a pin does not make any sense.
    • I think the most important key to solving the current problems with credit cards is to finally accept that a single approach will not work well for many use cases.

      I am looking for something that gives ME (the owner of the account/money) a number of solutions. I need the following:

      • * Options to securely manage my underlying account over the internet. I can understand why some options aren't default, but my bank doesn't seem to even know that problems exist. I would like to protect my connections with o
    • Bruce Schneier pointed out the real solution years ago. If your card has some processing power and a display (which this solution has), just add a keypad (similar to a calculator in credit-card size)....

      ...Since we're switching to smart cards, I don't know why we simply haven't switched to the final solution.

      This seems pretty cave man to me, since we already have such a device called a cell phone in our pockets which does all this, and guess what, my bank already has apps that do all this right now today.
      So yeah, catch up would ya!

  • by junk ( 33527 ) on Sunday October 02, 2016 @02:48PM (#53000271)

    I have no affiliation to privacy.com other than being a user.

    I've been using privacy.com to generate randomized credit card numbers for a while now. It's the same type of thing we had in the 90s with certain credit card companies but better. I have static cards with monthly limits for recurring charges, static cards with max per transaction limits for online merchants I frequent and one time use burner cards for just about everything else. I can see all declined transactions per card, which lets me track it down to a merchant. It's the same thing I do for email (per account email addresses for spam tracking) but better because I don't have to manage it myself.

  • by sittingnut ( 88521 ) <sittingnut@@@gmail...com> on Sunday October 02, 2016 @02:48PM (#53000275) Homepage

    instead of being a "huge blow" this might help the criminals, since something algorithmically predictive that depends on other permanent numbers or id info, must be verified,

    • instead of being a "huge blow" this might help the criminals, since something algorithmically predictive that depends on other permanent numbers or id info, must be verified,

      Chip cards already generate a new CVV each time a transaction is run. All this does it let you do the same thing in the Card Not Present world

  • Virtual cards ? (Score:3, Interesting)

    by daedric ( 1141659 ) on Sunday October 02, 2016 @02:50PM (#53000287)
    A system was developed some time ago to generate a virtual card, tied to your debit/credit with a short(er) plafond and validity. Also, it is limited to one entity, the first one that actually used the card. It has worked perfectly so far, although certain companies start to get suspicious about the constant adding/removing of cards, like PayPal. Regarding this number changing method, how are the new number generated? How does the bank know that numbers are valid ?
    • Re:Virtual cards ? (Score:4, Informative)

      by ShaunC ( 203807 ) on Sunday October 02, 2016 @03:36PM (#53000525)

      Regarding this number changing method, how are the new number generated? How does the bank know that numbers are valid ?

      I presume it works just like a SecurID [wikipedia.org] or other access control dongle. Your card is seeded with a value known to the bank. The card plugs that seed and the current time into an algorithm that generates the number. When you go to make a purchase, the bank runs the same calculation and looks to see if the numbers match.

  • The only time I even think about the three digits on the back of my card is when I'm buying something from an online storefront. Paypal is becoming an increasingly-available option that puts an extra layer between the store and my card numbers. Apple Pay is an option now as well, and I wouldn't be surprised if Android Pay follows suit (if it hasn't already!).

    That's a lot of middlemen taking a share of the payments pie, and all of them are offering more security and peace-of-mind than a physical piece of p

  • by youn ( 1516637 ) on Sunday October 02, 2016 @03:01PM (#53000343) Homepage

    if the card is essentially useless... then recurrent payments will be a pain

    • by swb ( 14022 )

      Call me a conspiracy nut, but I think that's why US card issuers don't change card numbers regularly -- they've been lobbied by their actual customers, merchants, to only change card numbers if absolutely necessary to stop ongoing fraud.

      Merchants love recurring charges. I'd wager for many businesses some non-trivial amount of their revenue comes from *unwanted* recurring charges that people just never canceled the service. Maybe they see the $9.95 and think "fuck, I have to cancel that" but don't and then

      • by ShaunC ( 203807 )

        I think credit card issuers *should* change your card number every year. It would have a slightly PITA quality to if you had a ton of automatic charges, but it would also mean the number would expire sooner rather than later and increase the chances that if the number were harvested somehow it wouldn't have a long life.

        FYI, VISA offers merchants a service called VISA Account Updater [visadps.com] where if your credit card number changes, VISA will happily sell your new number to any merchant who had your old one. Just great, huh? It used to be if you were dealing with a hostile merchant who refused to stop billing you (think AOL for example), your "nuclear option" was to have your card number changed. Now even that won't work if you use a VISA card, because VISA themselves will sell you out.

    • Only if you don't know how recurring card payments work, which clearly you don't.
    • if the card is essentially useless... then recurrent payments will be a pain

      Not really. My recurring payments, except for a few trivial ones,are direct debits from my bank account rather than charged to a credit card. While Credit card securing payments are easy to set p, US banks can handle direct debit with no problem.

  • RSA SecurID Software Tokens [rsa.com]: Make strong authentication a convenient part of doing business. Deploy RSA software tokens on mobile devicesâ"smartphones, tablets, and PCsâ" and transform them into intelligent security tokens.

    • by swb ( 14022 )

      Why not just make the fucking card an RSA token?

      They could have done a million things to improve credit card security, but fraud is down their list of things to worry about. The credit card system (VISA/MC/AMEX, banks, etc) is designed to promote easy transactions, not security.

      VISA just gets paid, they don't have any real liability. Issuing banks eat some fraud but they charge a lot of it back to merchants and make them carry the burden. And consumers eat some of it, though most of the time they can dis

      • More security means, ultimately, fewer charges, and when you're getting paid a percentage of the charges, including fraudulent ones, you benefit most by reducing the transaction friction.

        Exactly. As long as the cost of fraud is low enough that the cost to eliminate exceeds its costs there is no incentive to completely eliminate it. If there is a low cost way to reduce it that doesn't make using the card too difficult than it will be implemented, but as you point out CC's are a volume business and that shapes how they are implemented.

  • 3 digits only provide 1,000 different numbers. After 41 days, they'd be out of numbers. What am I missing?
    • A one hour window every 41 days isn't very practical for card thieves when there's much easier options available. Assuming that one hour window isn't a predictable one (which is a big assumption depending on how it cycles the numbers), reusing the numbers shouldn't hurt.

      • by gr8dude ( 832945 )

        i.e. you have one hour to test 1000 variations of this number. By distributing the "test load" across a thousand online stores, each of those sites will "think" it is the first incorrect attempt to enter the digits, thus have no reason to flag it as suspicious.

          This can be easily automated, therefore it can be done on a large scale.

        • i.e. you have one hour to test 1000 variations of this number. By distributing the "test load" across a thousand online stores, each of those sites will "think" it is the first incorrect attempt to enter the digits, thus have no reason to flag it as suspicious.

          This can be easily automated, therefore it can be done on a large scale.

          Except that each of those one thousand online stores would have to hit the issuing bank to validate the CVV which will, obviously, see a very suspicious trend taking place.

  • by volts ( 515080 ) on Sunday October 02, 2016 @03:28PM (#53000491) Homepage

    This doesn't make much sense for retail, as the CCV isn't used or recorded; the user enters a PIN at the point of sale. But, the CCV could be recorded and fraudulently reused by any online retailer or man-in-the-middle. Randomly changing CCV's would limit the damage.

    • This doesn't make much sense for retail, as the CCV isn't used or recorded; the user enters a PIN at the point of sale. But, the CCV could be recorded and fraudulently reused by any online retailer or man-in-the-middle. Randomly changing CCV's would limit the damage.

      The CVV is recorded and used in an EMV transaction. In fact, the CVV for each EMV transaction is unique for the transaction parameters - amount, time of transaction, etc. They're just using the same sort of algorithm to generate a CVV that is unique for each Card Not Present transaction the customer wishes to complete.

  • Now, next step is to do what a full authentication token does (like SecureID): 6 digits and they change every minute. At that point, offline-fraud will basically vanish. Online fraud (man-in-the middle manipulates your purchases) will still be an issue though. For that more sophisticated tokens will be required. They are available and work well, but the banks shy away from the around $20 they cost.

    • by ShaunC ( 203807 )

      Rotating every minute is probably too fast for this purpose. Consider your average consumer poking around online, it might take them more than a minute just to type in their card information, then they see that "Continue Shopping" button and realize they want to add something else to their cart. Next thing you know, 10 or 15 minutes have elapsed between the time they entered their card info and the time they click "Checkout." The card issuers are loath to introduce any frustration into the purchase process.

  • How do returns work whereby the merchant wants to see the original CC number?

    • Well, first of all, those returns are generally done via person, which means you'd use the chip feature of the card.

      Second, obviously the credit card issuer would authorize canceling a transaction or a credit but not a debit without the CV2 number. You didn't read the article, in actuality the credit card still has a number, it's the authentication code on the back that changes.

      • If the credit card changes every hour, how do you recall the previous X number of numbers..

        • It doesn't change. Only the code at the back. RTFA.

        • If the credit card changes every hour, how do you recall the previous X number of numbers..

          The CCV changes, not the CC number; but even if the CC number changes the issuers knows what your past numbers were and simply credits your account accordingly. I've had that happen when a card was reissued and I returned something purchased with a previously issued card. And before folks start talking about the large amounts of numbers they'd need to keep track off if they changed the card number, all they really need to do is check if a given number was valid at a given time; they could randomly reuse the

  • One of the nice things about preordering items, say from Amazon, is that you don't actually have your card charged until the time the item is ready to ship. So much for that under this system.

  • What if the number changes right after you entered it for an online transaction? Denied!

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...