posted by janrinok on Wednesday October 05 2016, @04:08PM
from the all-change dept.

Submitted via IRC for AndyTheAbsurd

Forget fraud, Société Générale and Groupe BPCE's new bank cards are about to change everything about fraud.

Part of the problem is that once your card details are stolen – whether through a phishing attack or by someone copying the digits on the back – fraudsters are free to go on a spending spree until you notice something's up.

They're getting away with millions, and it's a problem affecting over half a million people in the first half of 2016 alone.

Normally by the time you get around to actually cancelling your card, it's all too late. But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date?

That's exactly what two French banks are starting to do with their new high-tech ebank cards.

On the back of each card is a 3-digit security number which you must quote to validate any online or telephone purchase. If this number is compromised then there is nothing to prevent the card being used by anyone else. But on the new card the digits are displayed on a small LCD 7-segment display.

The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals.

Providing that you still have the card in your possession, then whoever has access to the current security number has less than 1 hour to make use of the card. No details are given on how the card issuer and businesses keep synchronised with the current valid card number.

Source: http://www.thememo.com/2016/09/27/oberthur-technologies-societe-generale-groupe-bpce-bank-this-high-tech-card-is-being-rolled-out-by-french-banks-to-eliminate-fraud/



[Ed's Note: Edited to show LCD display rather than LED. Apologies for my error.]

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday October 05 2016, @05:09PM (#410712)

    In one hour I'm pretty sure even the crappiest computer in existence could brute force a 3 digit pin. Will the bank lock down the account after 5 failed attempts? Why don't they use a longer pin and shorter time frame?

  • (Score: 0) by Anonymous Coward on Wednesday October 05 2016, @05:19PM (#410721)

    Will the bank lock down the account after 5 failed attempts?

    This is usually how banks can 'get away' with such terrible 'passwords'. They simply lock out the account after some small number X of invalid attempts. Therefore having only 1000 possible combinations (or 10,000 in the case of ATM card 4-digit PINs) isn't the same issue it would be in using a four digit, all numeric, password for a general system.

    Without that "lockout" these pins would be trivial to brute force.
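
Added example, not part of the original story or any comment: issuer-side verification combining the two controls discussed above, a 3-digit code that changes every hour and a lockout after 5 failed attempts. The story gives no details of the real card's scheme, so the TOTP-style HMAC derivation, the secret, the timestamp and all names here are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 3600   # the story says the digits change every hour
MAX_FAILURES = 5        # threshold taken from the commenter's question
DEMO_SECRET = b"constructed-demo-secret"   # constructed value, not a real key


def hourly_code(secret: bytes, now: float, digits: int = 3) -> str:
    """Assumed scheme: HMAC-SHA256 over the hour counter, RFC 4226-style truncation."""
    counter = int(now // WINDOW_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CardVerifier:
    """Hypothetical issuer-side check: current hour only, lock after MAX_FAILURES."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.failures = 0
        self.locked = False

    def verify(self, submitted: str, now: float) -> bool:
        if self.locked:                      # a locked card rejects even the right code
            return False
        expected = hourly_code(self._secret, now)
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False


def guess_success_probability(digits: int = 3, attempts: int = MAX_FAILURES) -> float:
    """Chance that `attempts` distinct guesses hit the code before lockout."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    now = 1475683200.0                       # constructed timestamp
    print("code this hour:", hourly_code(DEMO_SECRET, now))
    print("guessing odds before lockout:", guess_success_probability())
```

With the lockout in place, the hourly rotation limits how long a copied code stays useful, while the attempt counter is what bounds guessing to 5 in 1000.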

  • (Score: 4, Informative) by VLM (445) on Wednesday October 05 2016, @05:20PM (#410722)

    If you think like a big bank, cutting your fraud expense by a factor of 1000 is darn near as good as cutting it to zero. Also the bank can go all "check card" and attack the end user, why our system is infallible therefore all fraud reports must be fake or an inside job, if that scares away even 1% of fraud claims (maybe because 1% of fraud claims are fake?) then they still profit.

    Also if some Russian gang steals 10000 CC and tries to cash in on some online betting service in Jolly Ole England as once happened to me, the CC processor isn't going to notice a 99.999% failure rate any faster than a 99.9% failure rate. Sure a couple charges might sneak thru but most processors will completely flip their shit (technical term, lock your merchant account is the term they usually use) if you send them a thousand failure vs one success. They'll assume your API went rogue on your side and lock your API key until they talk to you. It'll be a fascinating conversation.

  • (Score: 2) by janrinok (52) on Wednesday October 05 2016, @05:20PM (#410723)

    I'm not seeing any reports of the existing chips on cards being brute forced. It is not something that the average home enthusiast can manage. Why do you think that this chip will be any easier?

    • (Score: 2) by janrinok (52) on Wednesday October 05 2016, @05:22PM (#410725)

      And they are not saying that this will prevent fraud if you do not have the card in your possession - it only prevents fraud from someone having your card details.

    • (Score: 0) by Anonymous Coward on Wednesday October 05 2016, @05:39PM (#410731)

      It's not the type of thing these companies will openly publish, and it's not a good enough story for a reporter to hunt down. Actually, reporters don't hunt anything down anymore unless its name is on some street in Los Angeles.