
posted by janrinok on Wednesday October 05 2016, @04:08PM   Printer-friendly
from the all-change dept.

Submitted via IRC for AndyTheAbsurd

Forget fraud, Société Générale and Groupe BPCE's new bank cards are about to change everything about fraud.

Part of the problem is that once your card details are stolen – whether through a phishing attack or by someone copying the digits on the back – fraudsters are free to go on a spending spree until you notice something's up.

They're getting away with millions, and it's a problem affecting over half a million people in the first half of 2016 alone.

Normally by the time you get around to actually cancelling your card, it's all too late. But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date?

That's exactly what two French banks are starting to do with their new high-tech ebank cards.

On the back of each card is a three-digit security number which you must quote to validate any online or telephone purchase. If this number is compromised, nothing prevents anyone else from using the card. But on the new card the digits are displayed on a small LCD 7-segment display.

The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals.

Provided that you still have the card in your possession, whoever has access to the current security number has less than 1 hour to make use of the card. No details are given on how the card issuer and businesses keep synchronised with the current valid card number.

Source: http://www.thememo.com/2016/09/27/oberthur-technologies-societe-generale-groupe-bpce-bank-this-high-tech-card-is-being-rolled-out-by-french-banks-to-eliminate-fraud/


[Ed's Note: Edited to show LCD display rather than LED. Apologies for my error.]

This discussion has been archived. No new comments can be posted.
  • (Score: 2) by VLM (445) on Wednesday October 05 2016, @04:35PM (#410692)

    The three digits on the back of this card .... No details are given on how the card issuer and businesses keep synchronised with the current valid card number.

    The secret of the algorithm is it's not 1 in 1000 odds or three-digit security of randomly guessing but like 1 in 100 or two digits of randomly guessed security.

    So if you abstract out the hash function and pretend the "security code" is just a low res digital clock, every successful transaction syncs the card's idea of time to your idea of time.

    Also your output usually isn't pass/fail but more like analog odds of fraud, where dead on accurate is 0% odds, an hour off is like 1% odds, two days off is like 100% odds...

    No point in getting hung up on "the" answer, the allowed set of good enough is larger than one and increases with time since last use.

    With modern microcontrollers and embedded sensors it's amazing what the ham radio guys were doing to temperature stabilize free running oscillators like twenty years ago. Nowadays a little microcontroller and a sensor and a little money and you can correct timekeeping for temperature over a pretty wide range.

    Another way to put it is one hour accuracy over three years of free running is only about 40 or 50 ppm if I did the math in my head right. That is not terribly ambitious hardware spec for COTS equipment.

    The way it'll be broken as always isn't by quantum computers factoring primes, it'll be some idiot implementing the protocol such that the 1000 digits repeat in a three digit pseudorandom pattern, rather than something sensible like holding say a 128 bit number that never repeats (well, not in 3 years anyway) and only displaying the LSB. Otherwise it's time for replay attacks four days later. Oh and some pseudo random patterns are easier to implement than others, and some patterns are quite short and easy to sync to. That's why better algos exist. Thankfully for security researchers the world is full of people who spin up their own dumb algos and then get powned. I would LOL if the damn things just count up 000-999 sequentially. Wouldn't be half surprised.

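The scheme VLM sketches above (a wide secret value of which only the low digits are displayed, an issuer-side tolerance window that widens with time since the card was last used, and re-synchronisation on every successful transaction), as an added Python example. This is not code from the article, the banks, Oberthur or any commenter; the real card's algorithm is not disclosed, and the HMAC construction, key, drift figure and window parameters are constructed for illustration.

```python
import hmac
import hashlib

HOUR = 3600  # the display changes once per hour

def dynamic_cvv(key: bytes, hour_counter: int) -> str:
    """Three displayed digits for one hour slot, derived from a per-card secret.
    Only the low-order digits of a full-width MAC are shown, so observed codes
    do not reveal the sequence (the 'wide number, display the LSB' design,
    rather than a short repeating pattern that invites replay)."""
    mac = hmac.new(key, hour_counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1000:03d}"

def card_display(key: bytes, issued_at: int, now: int, ppm: float) -> str:
    """What a free-running card whose clock drifts by `ppm` shows at `now`."""
    card_clock = issued_at + (now - issued_at) * (1 + ppm / 1e6)
    return dynamic_cvv(key, int(card_clock) // HOUR)

class IssuerRecord:
    """Issuer-side state for one card: its key, the estimated offset of the
    card clock (in hours) versus issuer time, and the last successful sync."""
    def __init__(self, key: bytes, issued_at: int):
        self.key = key
        self.offset_hours = 0
        self.last_sync = issued_at

    def window(self, now: int, base_slack: int = 1, hours_per_step: int = 720) -> int:
        """Accepted slots either side of the estimate. It grows with time since
        the last use because drift accumulates; every extra slot also raises
        the odds of a blind guess, so the step size is a risk trade-off."""
        elapsed_hours = (now - self.last_sync) // HOUR
        return base_slack + elapsed_hours // hours_per_step

    def verify(self, code: str, now: int):
        """Return the matched slot delta (0 = exactly on time) or None.
        A match re-syncs the stored offset, which narrows the window again."""
        expected_hour = now // HOUR + self.offset_hours
        w = self.window(now)
        for delta in range(-w, w + 1):
            candidate = dynamic_cvv(self.key, expected_hour + delta)
            if hmac.compare_digest(candidate, code):
                self.offset_hours += delta
                self.last_sync = now
                return delta
        return None
```

A card drifting by 40 ppm is about one hour off after three unused years, which the grown window still absorbs; the returned delta can feed a fraud-risk score instead of a plain pass/fail.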
  • (Score: 0) by Anonymous Coward on Wednesday October 05 2016, @05:21PM (#410724)

    I would LOL if the damn things just count up 000-999 sequentially.

    No way, they wouldn't be that dumb. Of course they'll count in steps of twenty-five, thus changing at least two digits in every step!