SoylentNews is people

posted by janrinok on Wednesday October 05 2016, @04:08PM
from the all-change dept.

Submitted via IRC for AndyTheAbsurd

Forget fraud, Société Générale and Groupe BPCE's new bank cards are about to change everything about fraud.

Part of the problem is that once your card details are stolen – whether through a phishing attack or by someone copying the digits on the back – fraudsters are free to go on a spending spree until you notice something's up.

They're getting away with millions, and it's a problem affecting over half a million people in the first half of 2016 alone.

Normally by the time you get around to actually cancelling your card, it's all too late. But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date?

That's exactly what two French banks are starting to do with their new high-tech ebank cards.

On the back of each card is a 3 digit security number which you must quote to validate any online or telephone purchase. If this number is compromised then there is nothing to prevent the card being used by anyone else. But on the new card the digits are displayed on a small LCD 7-segment display:

The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals.

Providing that you still have the card in your possession, then whoever has access to the current security number has less than 1 hour to make use of the card. No details are given on how the card issuer and businesses keep synchronised with the current valid card number.

Source: http://www.thememo.com/2016/09/27/oberthur-technologies-societe-generale-groupe-bpce-bank-this-high-tech-card-is-being-rolled-out-by-french-banks-to-eliminate-fraud/



[Ed's Note: Edited to show LCD display rather than LED. Apologies for my error.]

 
  • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 05 2016, @04:24PM

    by Anonymous Coward on Wednesday October 05 2016, @04:24PM (#410684)

    What happens to my saved card details - which include the CCV - when I try to use them on a site like Amazon? Do I have to enter the new CCV every time I make a purchase?

  • (Score: 3, Insightful) by DannyB on Wednesday October 05 2016, @04:32PM

    by DannyB (5839) Subscriber Badge on Wednesday October 05 2016, @04:32PM (#410690) Journal

    Would having to enter the CCV every time be such a bad thing?

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 0) by Anonymous Coward on Wednesday October 05 2016, @05:40PM

      by Anonymous Coward on Wednesday October 05 2016, @05:40PM (#410732)

      Came here to say this. Convenience is not always to your benefit...

    • (Score: 3, Informative) by jmorris on Wednesday October 05 2016, @08:45PM

      by jmorris (4844) on Wednesday October 05 2016, @08:45PM (#410816)

      Amazon and huge trusted online retailers will get an exception so that once they have validated your account once they can just hold your base number and bill to it so long as it is done on a realtime linkup with the credit card/issuing bank and they ship to your registered address. So will everyone else who does monthly billing to a credit/debit card. These details are self-evident, I don't have any special knowledge and don't have to. We all know Amazon will continue doing one click purchases and DirecTV will continue billing your card until you call your bank to make them stop.

  • (Score: 4, Informative) by VLM on Wednesday October 05 2016, @04:51PM

    by VLM (445) on Wednesday October 05 2016, @04:51PM (#410699)

    I'm going to intentionally not use the technical terms because if you knew the words you'd already have googled the answer.

    The way you're supposed to do it under all the industry regulations on signed merchant contracts is one time and one time only you give the bank the customer information, ask for a token, shred all the customer information except the token, and then you and only you can use that token to transfer money to only your merchant account whenever you ask in the future. I can steal the token and it's completely useless unless I have access to your merchant account. Customers have no idea what's going on, there's no "click here to open a dedicated line of credit paid by you for XYZ corp" although that's exactly what's going on.

    The way idiots do reoccurring charges is they violate all the contracts they signed and regulations they are supposed to follow and they store your card data and just run it thru again next time as if you're a brand new customer, or as if they're a gas station that gets repeat customers a lot instead of being an online store who keeps payment information. Maybe, if you're lucky, they might store your CC encrypted or even offline, but usually people dumb enough to do this have one mysql table called "victims^H^Hcustomers" and have columns with names like "CC_number" and so forth. What idiots.

    Like you'd expect there's some bean counter weighing the balance of the cost of doing it the "right way" vs the cost of doing it the "wrong way". The odds of Amazon violating PCI/DSS requirements are pretty low. Some random goofball's storefront written in PHP and not updated since 2009, yeah not so good.

    Another thing you can expect is like most of finance it's corrupt as hell and there's tons of control fraud going on, so if you see a corporate policy that seems to have been written to help someone to steal, that's because odds are actually pretty good that it was in fact written to help someone steal. Maybe not the guy who gets busted or who figures it out, but ... yeah.
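
The token flow described in the comment above, as an added example that is not part of the original comment or any processor's real API: the bank-side vault binds each token to the merchant it was issued to, so a token lifted from the merchant's database is declined anywhere else. The class and method names, the merchant ids and the card number are constructed for illustration, and `merchant_id` stands in for an authenticated merchant account.

```python
import secrets


class IssuerVault:
    """Bank side: the only place the card number lives after enrolment."""

    def __init__(self):
        self._by_token = {}  # token -> (merchant_id, pan)

    def tokenize(self, merchant_id, pan):
        token = secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._by_token[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, token, cents):
        # merchant_id stands in for the caller's authenticated merchant account.
        entry = self._by_token.get(token)
        if entry is None or entry[0] != merchant_id:
            return "declined"
        return f"approved: {cents} cents to {merchant_id}"


class Merchant:
    def __init__(self, merchant_id, vault):
        self.merchant_id, self.vault = merchant_id, vault
        self.customers = {}  # the rows a database thief would walk away with

    def enroll(self, customer, pan):
        # One time only: hand the PAN to the bank, keep nothing but the token.
        token = self.vault.tokenize(self.merchant_id, pan)
        self.customers[customer] = {"token": token}

    def bill(self, customer, cents):
        token = self.customers[customer]["token"]
        return self.vault.charge(self.merchant_id, token, cents)


def demo():
    vault = IssuerVault()
    shop = Merchant("merchant-A", vault)
    pan = "4111111111111111"  # constructed test card number
    shop.enroll("alice", pan)
    stolen = shop.customers["alice"]["token"]  # copy of the shop's stored row
    return {
        "recurring": shop.bill("alice", 1999),
        "stolen_token_elsewhere": vault.charge("merchant-B", stolen, 1999),
        "pan_in_merchant_db": pan in str(shop.customers),
    }
```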

    • (Score: 3, Funny) by Anonymous Coward on Wednesday October 05 2016, @05:15PM

      by Anonymous Coward on Wednesday October 05 2016, @05:15PM (#410719)

      but usually people dumb enough to do this have one mysql table called "victims^H^Hcustomers"

      They really call that table "victicustomers"?

      • (Score: 2) by LoRdTAW on Wednesday October 05 2016, @07:25PM

        by LoRdTAW (3755) on Wednesday October 05 2016, @07:25PM (#410775) Journal

        victomers.

        • (Score: 2) by Bot on Wednesday October 05 2016, @10:17PM

          by Bot (3902) on Wednesday October 05 2016, @10:17PM (#410856) Journal

          SELECT COUNT (name) FROM sheeple WHERE name IS YOU

          1

          Just kidding, in reality you would need to terminate the query with a semicolon.

          --
          Account abandoned.
    • (Score: 2) by frojack on Wednesday October 05 2016, @09:33PM

      by frojack (1554) on Wednesday October 05 2016, @09:33PM (#410842) Journal

      Maybe, if you're lucky, they might store your CC encrypted or even offline,

      With my day job, the credit card company insisted on encryption and non-reach-ability from the internet in order to store credit card info in the sales system. The next year they wanted to do penetration testing against our network. We were confident they wouldn't get past our firewall. And sure enough they couldn't. So then they bitched because their pen-testers did not recognize the operating system of the firewall, and they wanted specifics.

      I sent them specifics stating something to the effect that the firewall was sufficient to block the best pen testing firm they could find, and attached the prior emails as evidence.

      Never heard back from them, and never had another issue.

      We had encrypted card data. We used the best encryption APIs that Microsoft had to offer. (LOL).

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Thursday October 06 2016, @04:58AM

      by Anonymous Coward on Thursday October 06 2016, @04:58AM (#410969)

      So why does the clerk at the Oaks Goldsbrough in Sydney write down my credit card number including the ccv and take a copy of my driver's licence after successfully swiping the card through their eftpos machine? Why write down the card number at all?

      They refuse to give you a room unless you give them your licence and credit card. When you are travelling you are over a barrel on this.

      • (Score: 2) by Bogsnoticus on Thursday October 06 2016, @06:55AM

        by Bogsnoticus (3982) on Thursday October 06 2016, @06:55AM (#410998)

        I don't use credit cards, and have never had problems staying at hotels.
        They do ask for some other form of deposit, usually $100 cash/eftpos, which gets refunded (minus any incidentals), once you check out.
        As for license, for me they only glance at it to confirm the name against the booking. Mind you, it could also be that I'm so ugly they can't look at the picture for too long without being violently ill.

        --
        Genius by birth. Evil by choice.
  • (Score: 2) by AndyTheAbsurd on Wednesday October 05 2016, @05:03PM

    by AndyTheAbsurd (3958) on Wednesday October 05 2016, @05:03PM (#410703) Journal

    If Amazon is saving the CCV/CVV, they're violating MasterCard and/or Visa's terms of service. So in that particular case, I suspect that nothing happens.

    --
    Please note my username before responding. You may have been trolled.
  • (Score: 2) by Username on Wednesday October 05 2016, @07:16PM

    by Username (4557) on Wednesday October 05 2016, @07:16PM (#410773)

    No, they’ll most likely skip verification after the first transaction. They’d probably only use it when you change shipping/payment info or if their anti-fraud software flags you.

    This will only be a temp measure. Eventually how the key/hash is made will become public and it will be as useless as the current ccv.

    • (Score: 2) by jmorris on Wednesday October 05 2016, @08:50PM

      by jmorris (4844) on Wednesday October 05 2016, @08:50PM (#410820)

      Actually, if they built it right they will publish how the numbers are made. Good cryptosystems survive disclosure of the details. The card will have a secret and it will know the time, hashing those along with your card number will yield the displayed value. Unless you can find a way to make the card give up the secret, knowing the hash formula doesn't get you anything. And if you can extract info from the card you can break chip + pin too.
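
The construction sketched in the comment above (card secret, time and card number hashed into the displayed digits), as an added example; it is not from the original comment and not the banks' actual algorithm, which the article does not disclose. It uses HMAC-SHA256 with HOTP-style truncation; the function names, the one-hour drift tolerance and the sample values are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 3600  # the article says the digits change every hour


def dynamic_cvv(secret: bytes, pan: str, unix_time: int) -> str:
    """Derive the 3 displayed digits from the card secret, PAN and hour counter."""
    counter = unix_time // WINDOW_SECONDS
    msg = pan.encode("ascii") + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 (HOTP): the low nibble of
    # the last byte selects 4 bytes, and the top bit is masked off.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"


def issuer_verify(secret: bytes, pan: str, presented: str, unix_time: int,
                  drift_windows: int = 1) -> bool:
    """Issuer side: accept the current hour plus adjacent hours (assumed
    tolerance for card clock drift); compare in constant time."""
    ok = False
    for delta in range(-drift_windows, drift_windows + 1):
        expected = dynamic_cvv(secret, pan, unix_time + delta * WINDOW_SECONDS)
        ok |= hmac.compare_digest(expected.encode(), presented.encode())
    return ok


def hours_still_accepted(secret: bytes, pan: str, captured_at: int,
                         horizon_hours: int = 48) -> list:
    """Check a code captured at `captured_at` against each later hour and
    return the hours in which the issuer would still accept it."""
    stolen = dynamic_cvv(secret, pan, captured_at)
    return [h for h in range(1, horizon_hours + 1)
            if issuer_verify(secret, pan, stolen,
                             captured_at + h * WINDOW_SECONDS)]
```

The drift tolerance stretches the useful life of a copied code by one window, and with only 1000 possible values an old code still matches by chance in roughly 3 of every 1000 later hours, so the issuer also needs an attempt limit per card.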

  • (Score: 2) by archfeld on Wednesday October 05 2016, @07:34PM

    by archfeld (4650) <treboreel@live.com> on Wednesday October 05 2016, @07:34PM (#410778) Journal

    I don't have issues for saved cards like with Amazon, I can easily re-enter the CCV digits each time, but what I question is how is this going to affect things like my DirecTV auto payment setup that runs at a set time each month WITHOUT my initiation? Under the current setup I don't see this functioning. I have several bills set to auto pay in this manner and having to go back to paying them myself or relying on contact not knowing where I am going to be during any given period is going to be inconvenient to say the least. I move about according to the weather, from Northern CA, to Yuma AZ, and several other points that family and friends live based on the weather and my current job contract. I already have issues quite often with the CC company because of the locations I charge from and the frequency I move about.

    --
    For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
    • (Score: 2) by Grishnakh on Wednesday October 05 2016, @07:40PM

      by Grishnakh (2831) on Wednesday October 05 2016, @07:40PM (#410780)

      For people like you, if there's certain spots you regularly go to at certain times of the year, would it make sense to have multiple credit cards, and only use certain cards at certain locations? I know it'd be a bit of a pain, but that might solve the problems with constantly flagging fraud-detection algorithms.

  • (Score: 0) by Anonymous Coward on Wednesday October 05 2016, @07:34PM

    by Anonymous Coward on Wednesday October 05 2016, @07:34PM (#410779)

    Do I have to enter the new CCV every time I make a purchase?

    Yes. That's kind of the point. If/when amazon gets hacked and your credit card details leaked (even though I'm sure they will swear this is impossible, like everyone else who has sworn it was impossible), the thief will not be able to use the info. Seriously if it's too hard to reach into your pants and pull out your wallet and credit card when you make a purchase, maybe you should join a gym.