Submitted via IRC for AndyTheAbsurd
Forget fraud, Société Générale and Groupe BPCE's new bank cards are about to change everything about fraud.
Part of the problem is that once your card details are stolen – whether through a phishing attack or by someone copying the digits on the back – fraudsters are free to go on a spending spree until you notice something's up.
They're getting away with millions, and it's a problem affecting over half a million people in the first half of 2016 alone.
Normally by the time you get around to actually cancelling your card, it's all too late. But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they'd quickly be out of date?
That's exactly what two French banks are starting to do with their new high-tech ebank cards.
On the back of each card is a 3 digit security number which you must quote to validate any online or telephone purchase. If this number is compromised then there is nothing to prevent the card being used by anyone else. But on the new card the digits are displayed on a small LCD 7-segment display:
The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that's a huge blow for criminals.
Providing that you still have the card in your possession, then whoever has access to the current security number has less than 1 hour to make use of the card. No details are given on how the card issuer and businesses keep synchronised with the current valid card number.
[Ed's Note: Edited to show LCD display rather than LED. Apologies for my error.]
(Score: 2) by Username on Wednesday October 05 2016, @07:16PM
No, they’ll most likely skip verification after the first transaction. They’d probably only use it when you change shipping/payment info or if their anti-fraud software flags you.
This will only be a temp measure. Eventually how the key/hash is made will become public and it will be as useless as the current ccv.
(Score: 2) by jmorris on Wednesday October 05 2016, @08:50PM
Actually, if they built it right they will publish how the numbers are made. Good cryptosystems survive disclosure of the details. The card will have a secret and it will know the time, hashing those along with your card number will yield the displayed value. Unless you can find a way to make the card give up the secret, knowing the hash formula doesn't get you anything. And if you can extract info from the card you can break chip + pin too.