SoylentNews is people

posted by janrinok on Wednesday October 05 2016, @04:08PM
from the all-change dept.

Submitted via IRC for AndyTheAbsurd

Forget fraud, Société Générale and Groupe BPCE's new bank cards are about to change everything about fraud.

Part of the problem is that once your card details are stolen – whether through a phishing attack or by someone copying the digits on the back – fraudsters are free to go on a spending spree until you notice something's up.

They're getting away with millions, and it's a problem affecting over half a million people in the first half of 2016 alone.

Normally by the time you get around to actually cancelling your card, it's all too late. But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date?

That's exactly what two French banks are starting to do with their new high-tech ebank cards.

On the back of each card is a 3 digit security number which you must quote to validate any online or telephone purchase. If this number is compromised then there is nothing to prevent the card being used by anyone else. But on the new card the digits are displayed on a small LCD 7-segment display:

The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals.

Providing that you still have the card in your possession, then whoever has access to the current security number has less than 1 hour to make use of the card. No details are given on how the card issuer and businesses keep synchronised with the current valid card number.

Source: http://www.thememo.com/2016/09/27/oberthur-technologies-societe-generale-groupe-bpce-bank-this-high-tech-card-is-being-rolled-out-by-french-banks-to-eliminate-fraud/



[Ed's Note: Edited to show LCD display rather than LED. Apologies for my error.]
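
The article gives no details on how the card and the issuer stay synchronised. The sketch below is an added example, not the banks' or the card vendor's scheme: it assumes a standard HOTP/TOTP construction (RFC 4226/6238) with a one-hour step and three digits, and the names `code_at`, `issuer_accepts` and `drift_steps` are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 3600    # the article's one-hour rotation (seconds)
DIGITS = 3     # length of the security code on the back of the card
RFC_KEY = b"12345678901234567890"  # RFC 4226 test key, used as sample input

def code_at(secret: bytes, unix_time: int) -> str:
    """HOTP (RFC 4226) over the hour counter, cut to three digits."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def issuer_accepts(secret: bytes, presented: str, now: int,
                   drift_steps: int = 0) -> bool:
    """Issuer recomputes the code from its own clock and shared secret.

    drift_steps > 0 also accepts the neighbouring hours, which tolerates
    a card clock that is slightly off near the hour boundary.
    """
    for d in range(-drift_steps, drift_steps + 1):
        t = now + d * STEP
        if t < 0:
            continue
        if hmac.compare_digest(code_at(secret, t), presented):
            return True
    return False

if __name__ == "__main__":
    copied = code_at(RFC_KEY, 0)                  # code seen in hour 0
    print(copied, issuer_accepts(RFC_KEY, copied, 1800))      # same hour
    print(copied, issuer_accepts(RFC_KEY, copied, 2 * STEP))  # two hours on
```

With three digits a blind guess still succeeds one time in a thousand per attempt, so the issuer side needs attempt limiting as well; widening `drift_steps` to tolerate clock skew lengthens the life of a copied code.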

 
  • (Score: 4, Informative) by VLM on Wednesday October 05 2016, @04:51PM

    by VLM (445) on Wednesday October 05 2016, @04:51PM (#410699)

    I'm going to intentionally not use the technical terms because if you knew the words you'd already have googled the answer.

    The way you're supposed to do it under all the industry regulations on signed merchant contracts is one time and one time only you give the bank the customer information, ask for a token, shred all the customer information except the token, and then you and only you can use that token to transfer money to only your merchant account whenever you ask in the future. I can steal the token and it's completely useless unless I have access to your merchant account. Customers have no idea what's going on, there's no "click here to open a dedicated line of credit paid by you for XYZ corp" although that's exactly what's going on.

    The way idiots do reoccurring charges is they violate all the contracts they signed and regulations they are supposed to follow and they store your card data and just run it thru again next time as if you're a brand new customer, or as if they're a gas station that gets repeat customers a lot instead of being an online store who keeps payment information. Maybe, if you're lucky, they might store your CC encrypted or even offline, but usually people dumb enough to do this have one mysql table called "victims^H^Hcustomers" and have columns with names like "CC_number" and so forth. What idiots.

    Like you'd expect there's some bean counter weighing the balance of the cost of doing it the "right way" vs the cost of doing it the "wrong way". The odds of Amazon violating PCI/DSS requirements are pretty low. Some random goofball's storefront written in PHP and not updated since 2009, yeah not so good.

    Another thing you can expect is like most of finance it's corrupt as hell and there's tons of control fraud going on, so if you see a corporate policy that seems to have been written to help someone to steal, that's because odds are actually pretty good that it was in fact written to help someone steal. Maybe not the guy who gets busted or who figures it out, but ... yeah.

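
The token flow described in the comment above, as an added example that is not part of the original post and not any real payment gateway's API: `Processor`, `enroll` and the merchant names are hypothetical, and the `merchant` argument stands in for an already-authenticated merchant session.

```python
import secrets

class Processor:
    """Constructed stand-in for the bank side; not a real gateway API."""

    def __init__(self):
        self._vault = {}  # token -> (owning merchant account, card number)

    def tokenize(self, merchant, pan):
        # One-time exchange: card data in, opaque random token out.
        token = secrets.token_urlsafe(16)
        self._vault[token] = (merchant, pan)
        return token

    def charge(self, merchant, token, cents):
        # `merchant` represents an authenticated merchant session (assumption).
        owner, _pan = self._vault.get(token, (None, None))
        if owner is None or owner != merchant:
            return ("declined", None)
        # Money can only move to the account the token was issued for.
        return ("approved", owner)

def enroll(processor, merchant, db, customer, pan):
    """Merchant side: keep the token, never the card number."""
    db[customer] = processor.tokenize(merchant, pan)
    # Nothing card-shaped is written to db; only the token persists.

def demo():
    bank = Processor()
    shop_db = {}                      # the merchant's customer table
    pan = "4111111111111111"          # well-known test number, not a real card
    enroll(bank, "shop-123", shop_db, "alice", pan)
    leaked = dict(shop_db)            # copy of the table after a breach
    return {
        "db_has_pan": pan in shop_db.values(),
        "repeat_charge": bank.charge("shop-123", shop_db["alice"], 999),
        "other_merchant": bank.charge("other-merchant", leaked["alice"], 999),
    }

if __name__ == "__main__":
    print(demo())
```

The contrast with the `CC_number` column the comment describes is that a dump of `shop_db` yields only tokens, which the processor refuses for any account other than the one they were issued to.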
  • (Score: 3, Funny) by Anonymous Coward on Wednesday October 05 2016, @05:15PM

    by Anonymous Coward on Wednesday October 05 2016, @05:15PM (#410719)

    but usually people dumb enough to do this have one mysql table called "victims^H^Hcustomers"

    They really call that table "victicustomers"?

    • (Score: 2) by LoRdTAW on Wednesday October 05 2016, @07:25PM

      by LoRdTAW (3755) on Wednesday October 05 2016, @07:25PM (#410775) Journal

      victomers.

      • (Score: 2) by Bot on Wednesday October 05 2016, @10:17PM

        by Bot (3902) on Wednesday October 05 2016, @10:17PM (#410856) Journal

        SELECT COUNT (name) FROM sheeple WHERE name IS YOU

        1

        Just kidding, in reality you would need to terminate the query with a semicolon.

        --
        Account abandoned.
  • (Score: 2) by frojack on Wednesday October 05 2016, @09:33PM

    by frojack (1554) on Wednesday October 05 2016, @09:33PM (#410842) Journal

    Maybe, if you're lucky, they might store your CC encrypted or even offline,

    With my day job, the credit card company insisted on encryption and non-reach-ability from the internet in order to store credit card info in the sales system. The next year they wanted to do penetration testing against our network. We were confident they wouldn't get past our firewall. And sure enough they couldn't. So then they bitched because their pen-testers did not recognize the operating system of the firewall, and they wanted specifics.

    I sent them specifics stating something to the effect that the firewall was sufficient to block the best pen testing firm they could find, and attached the prior emails as evidence.

    Never heard back from them, and never had another issue.

    We had encrypted card data. We used the best encryption APIs that Microsoft had to offer. (LOL).

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Thursday October 06 2016, @04:58AM

    by Anonymous Coward on Thursday October 06 2016, @04:58AM (#410969)

    So why does the clerk at the Oaks Goldsbrough in Sydney write down my credit card number including the ccv and take a copy of my driver's licence after successfully swiping the card through their eftpos machine? Why write down the card number at all?

    They refuse to give you a room unless you give them your licence and credit card. When you are travelling you are over a barrel on this.

    • (Score: 2) by Bogsnoticus on Thursday October 06 2016, @06:55AM

      by Bogsnoticus (3982) on Thursday October 06 2016, @06:55AM (#410998)

      I don't use credit cards, and have never had problems staying at hotels.
      They do ask for some other form of deposit, usually $100 cash/eftpos, which gets refunded (minus any incidentals), once you check out.
      As for license, for me they only glance at it to confirm the name against the booking. Mind you, it could also be that I'm so ugly they can't look at the picture for too long without being violently ill.

      --
      Genius by birth. Evil by choice.