
posted by janrinok on Wednesday October 05 2016, @04:08PM
from the all-change dept.

Submitted via IRC for AndyTheAbsurd

Société Générale and Groupe BPCE's new bank cards are about to change everything about card fraud.

Part of the problem is that once your card details are stolen – whether through a phishing attack or by someone copying the digits on the back – fraudsters are free to go on a spending spree until you notice something's up.

They're getting away with millions, and it's a problem that affected over half a million people in the first half of 2016 alone.

Normally by the time you get around to actually cancelling your card, it's all too late. But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date?

That's exactly what two French banks are starting to do with their new high-tech ebank cards.

On the back of each card is a three-digit security code (commonly called the CVV) which you must quote to validate any online or telephone purchase. If this code is compromised, along with the card number and expiry date printed on the same card, there is nothing to prevent the card being used by anyone else. On the new card the digits are instead displayed on a small LCD 7-segment display.

The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals.

Provided you still have the card in your possession, whoever has copied the current security code has at most an hour to make use of it. The source gives no details on how the issuer keeps its own copy of the code synchronised with the card's display; merchants do not need to, since they forward the code to the issuer for verification exactly as they do with a static one.

Source: http://www.thememo.com/2016/09/27/oberthur-technologies-societe-generale-groupe-bpce-bank-this-high-tech-card-is-being-rolled-out-by-french-banks-to-eliminate-fraud/



[Ed's Note: Edited to show LCD display rather than LED. Apologies for my error.]
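How a card like this can be implemented and checked on the issuer side, as an added example (my code, not code from Oberthur, Société Générale or the linked article, which gives no algorithm): card and issuer share a per-card secret and a clock, the three digits are an HMAC of the current hour truncated in the HOTP/TOTP style of RFC 4226 / RFC 6238, and the issuer regenerates the code to verify a card-not-present transaction. The secret, PAN, timestamp, the ±1 hour drift window and the three-attempt lockout are all assumptions made for the demonstration; the real cards may do something different.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 3600   # the display changes every hour, per the article
DIGITS = 3            # three digits, like a static CVV


def dynamic_code(secret: bytes, step: int, digits: int = DIGITS) -> str:
    """Code shown on the card for one hourly step.

    Assumed construction (the source does not say what the real cards use):
    the HOTP/TOTP dynamic truncation of HMAC-SHA1 from RFC 4226 / RFC 6238,
    keyed with a per-card secret and fed the step counter.
    """
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def code_at(secret: bytes, unix_time: int) -> str:
    """What the display shows at a given time; card and issuer share the clock."""
    return dynamic_code(secret, unix_time // STEP_SECONDS)


class Issuer:
    """Issuer-side check of the dynamic code for an online or phone purchase.

    The merchant only forwards the code; the issuer regenerates it from the
    card's secret and the current hour.  Two details the article is silent on:
      * clock drift: codes from `drift_steps` neighbouring hours are accepted,
        which also widens the attacker's target set;
      * brute force: only 10**3 codes exist, so wrong guesses are counted per
        hour and the card is locked for the rest of that hour after
        `max_attempts` (the lockout one of the comments below proposes).
    """

    def __init__(self, drift_steps: int = 1, max_attempts: int = 3):
        self.drift_steps = drift_steps
        self.max_attempts = max_attempts
        self._secrets = {}    # PAN -> per-card secret (really: inside an HSM)
        self._failures = {}   # PAN -> (hour step, wrong guesses in that step)

    def enroll(self, pan: str, secret: bytes) -> None:
        self._secrets[pan] = secret

    def verify(self, pan: str, presented: str, unix_time: int) -> str:
        """Return 'ok', 'rejected', 'locked' or 'unknown'."""
        secret = self._secrets.get(pan)
        if secret is None:
            return "unknown"
        step = unix_time // STEP_SECONDS
        last_step, failures = self._failures.get(pan, (step, 0))
        if last_step != step:
            failures = 0                       # the lockout expires with the hour
        if failures >= self.max_attempts:
            return "locked"
        # Compare against every code in the drift window, in constant time and
        # without returning early, so timing does not reveal which hour matched.
        accepted = False
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            expected = dynamic_code(secret, step + delta).encode()
            if hmac.compare_digest(expected, presented.encode()):
                accepted = True
        if accepted:
            self._failures[pan] = (step, 0)
            return "ok"
        self._failures[pan] = (step, failures + 1)
        return "rejected"


def guess_success_probability(drift_steps: int, attempts: int, digits: int = DIGITS) -> float:
    """Upper bound on an online guesser's chance of hitting a valid code within
    one hour, assuming the 2*drift_steps+1 accepted codes are distinct."""
    return min(1.0, attempts * (2 * drift_steps + 1) / 10 ** digits)


if __name__ == "__main__":
    SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    PAN = "1234567890123456"                                       # constructed PAN
    T0 = 1_475_683_200   # 2016-10-05 16:00 UTC, the post's timestamp, chosen for the demo
    issuer = Issuer()
    issuer.enroll(PAN, SECRET)
    stolen = code_at(SECRET, T0)
    print("code phished at T0:       ", stolen)
    print("replayed 30 minutes later:", issuer.verify(PAN, stolen, T0 + 1800))
    print("replayed two hours later: ", issuer.verify(PAN, stolen, T0 + 2 * STEP_SECONDS))
    print("guessing bound per hour:  ", guess_success_probability(1, 3))
```

Two points the code makes that the article does not: accepting neighbouring hours for clock drift multiplies the attacker's target set (three valid codes out of a thousand instead of one), and without a per-hour attempt cap an online guessing attack against a three-digit code needs only a few hundred tries on average, so the lockout is not optional.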

 
  • (Score: 0) by Anonymous Coward on Wednesday October 05 2016, @04:10PM (#410672)

    Isn't this how those Kerberos RSA cards work?

  • (Score: 2) by bob_super (1357) on Wednesday October 05 2016, @04:53PM (#410700)

    I'd say yes, though mine uses 6 digits, and the app version uses 8 digits.

    Generating a full 16+3-digits pseudo-random card number would be a lot safer than just the 3-digit code.

    • (Score: 2) by edIII (791) on Wednesday October 05 2016, @08:17PM (#410802)

      I'd imagine the reason they don't change the cards like that is collisions. How can you be sure with that many transactions that I was truly meant to be billed (and authenticated) at that time? Those 16 digits are effectively the unique customer ID.

      We would need to move to 128 bit card numbers to randomly generate them without such a high risk of collisions and ID duplicates. Not to mention, whatever is generating those numbers has to be in lock-step with the bank side of things too.

      The 3 digits work, as long as you disallow multiple attempts. A lockout after 3 attempts requiring you to wait upwards of 59 minutes to perform your transaction may not be unreasonable to most people.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by bob_super (1357) on Wednesday October 05 2016, @09:20PM (#410834)

        If half of the people on the planet have a card, then 19 decimal digits is almost 3 billion combinations each, making collision odds much worse than any lottery.
        Given a geo-based authentication system (call before you travel to Nigeria), or adding the expiration date, or a timeout, you'll be in no-low-tech-fraud-land.

        The point of the proposal being that current systems do check 19 digits (plus date?), and people are used to typing 19 digits, so while 128 bits would be better, it's also impractical and customer-hostile. Why not 2048 bits? That'd be much safer...

        • (Score: 2) by edIII (791) on Thursday October 06 2016, @12:11AM (#410883)

          The 128 bits is only to ensure that there are no duplicate IDs at any point in time. 129 bits is overboard, and truthfully, you can reduce the probability of duplicates with less bits than that. We use 128 bits for convenience (a multiple of 8), and the fact the number of unique IDs with it is so huge (38th order) that issuing duplicates is highly unlikely with a good RNG/CSPRNG. 100 bits is still 34th order and not bad either.

          You're looking at bits of identifying information over all, but I think you're ignoring how many bits of that are the unique identifier and how many other bits are not identifying at all. With a system dependent upon time, you would need to ensure that no identifying bits are repeated in the same time cycle. Should that occur, for a moment, our two credit cards are the same. Who gets billed for that Swedish Penis Pump again? ;)

          Are you sure about those odds? What about the number of selections against 3 billion unique IDs? How did you arrive at 3 billion when 16 digits is 1 trillion? Last time I noticed it, the number of debit card transactions were near 50 billion per year, and that was a few years ago. Switching IDs around as suggested would result in 50 billion selections against 1 trillion combinations (how many of those combinations being eliminated by validation in their numbering system, I dunno). That's not as safe as you would think at that rate, and I think we could have a duplicate well before any one of us wins the lottery (feel free to prove me wrong! :D).

          Those 16 digits are identifying bits, and that doesn't make it that easy to randomize against hundreds of millions of identities pushing tens of billions of transactions per year. I'm not confident that we can randomly rotate IDs like that.

          As for ease of use, what if the card readers were outfitted with QR codes? Then it's no longer a human friendly and readable identifier at all, but purely designed for machines to use it. While I'm not a fan of NFC technology, moving that cycle to 60 seconds while also moving that ever changing code to NFC would eliminate the usability issues you've pointed out.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
          • (Score: 2) by bob_super (1357) on Thursday October 06 2016, @12:53AM (#410894)

            Running with your 50B/year, we get essentially 3 million transactions per half hour (a reasonable renewal rate). The birthday paradox tells us that the odds of colliding a random 19-digit number with 3 million users are ... (checks Wikipedia, can't quite feel confident in his math) one in 2.5 million? Per half hour? Not good enough for secure by itself, but a lot less than current fraud, and much easier to prevent with basic "you shouldn't be in Timbuktu and be called Lobsang" checks.
            I find your 50 Billion probably a bit low, making it probably a lot worse.

            On the other hand, non-US countries tend to use the chip+pin approach. So your random 19-digit number has to match your 4-to-8-digit pin (either at the POS or via secure app, still within the half hour), providing a matter of 2FA while avoiding a full revamp of the CC database system and every website on the planet.

            Getting an on-demand CC number for each transaction would be another solution for those with reliable connectivity (keep the card in your pocket unless you're incapable of access), but cell security is so nightmarishly terrible that I won't even tell mine that I know about the existence of banks.
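The birthday-problem arithmetic the thread is arguing over, worked through as an added example (my code, not any commenter's): exact and approximate collision probability, plus the expected number of colliding pairs per year if every transaction drew a fresh random number, for the thread's 50 billion transactions a year in half-hour windows, in a 16-digit, 19-digit and 128-bit space. The transaction volume and window length are the thread's assumptions, not measured figures.

```python
import math

TXNS_PER_YEAR = 50_000_000_000   # the thread's figure, not a measured one
WINDOW_SECONDS = 1800            # the half-hour renewal rate proposed above
WINDOWS_PER_YEAR = 365 * 24 * 3600 // WINDOW_SECONDS   # 17520


def collision_probability_exact(space: int, draws: int) -> float:
    """Exact birthday-problem probability that `draws` uniformly random values
    from `space` possibilities contain at least one repeat.  Summing log1p
    terms keeps it numerically stable; it loops `draws` times, so use it for
    modest draw counts and the approximation below for millions."""
    if draws > space:
        return 1.0
    log_all_distinct = sum(math.log1p(-i / space) for i in range(1, draws))
    return -math.expm1(log_all_distinct)


def collision_probability_approx(space: int, draws: int) -> float:
    """1 - exp(-n(n-1)/2N), the usual approximation, tight when draws << space."""
    return -math.expm1(-draws * (draws - 1) / (2 * space))


def expected_colliding_pairs(space: int, draws: int) -> float:
    """Expected number of pairs sharing a value; exact by linearity of
    expectation, so it is the right quantity to multiply up per year."""
    return draws * (draws - 1) / (2 * space)


def collisions_per_year(space: int, draws_per_window: int,
                        windows_per_year: int = WINDOWS_PER_YEAR) -> float:
    """Expected colliding pairs per year when every window draws fresh numbers."""
    return windows_per_year * expected_colliding_pairs(space, draws_per_window)


if __name__ == "__main__":
    per_window = TXNS_PER_YEAR // WINDOWS_PER_YEAR     # about 2.85 million
    print(f"transactions per half hour: {per_window:,}")
    print(f"sanity check, 23 people / 365 days: "
          f"{collision_probability_exact(365, 23):.4f}")
    for label, space in (("16 decimal digits", 10**16),
                         ("19 decimal digits", 10**19),
                         ("128 bits", 2**128)):
        p = collision_probability_approx(space, per_window)
        print(f"{label:18} P(collision in one window) = 1 in {1 / p:,.0f}"
              f"   expected colliding pairs/year = "
              f"{collisions_per_year(space, per_window):.3g}")
```

For a 19-digit space the per-window figure lands near 1 in 2.2 million, in line with the estimate in the comment above; the per-year expectation is the more useful number for a design decision, since the issuer lives through every window, not just one.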