
SoylentNews is people

posted by n1 on Saturday December 29 2018, @01:55PM
from the ccv-(what's-this?) dept.

Submitted via IRC for SoyCow1984

Pilot project demos credit cards with shifting CVV codes to stop fraud

US-based PNC Bank is in the middle of a pilot project that aims to test out credit cards with constantly changing card verification values (or CVVs) to reduce online credit card fraud. The dynamic CVV is displayed on the back of such a card in e-ink, and changes according to an algorithm supplied by Visa.

[...] A static CVV number can provide some protection from online fraud, but sometimes CVVs can be stolen in tandem with the card number. Worse, researchers have shown that Web bots making random guesses on legitimate websites can often come up with the appropriate CVV and expiration date to pair with a card number.

A dynamic CVV should—at least in theory—be far more difficult to guess and use. The idea of a dynamic CVV isn't new: the cards are being supplied by a company called Idemia, which announced its "Motion Code" dynamic CVV cards in 2016. Since then, Visa has detailed a specification for the dynamic CVV pairing, called dCVV2, and Visa is also a partner in getting this pilot project off the ground.
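The article says the code "changes according to an algorithm supplied by Visa" but does not describe it, so here is an added illustration (not the article's, Idemia's or Visa's code) of the shape such a scheme has to take: card and issuer share a per-card secret, derive the code from a time-window counter, and the issuer briefly tolerates the previous window's code around rollover so a cardholder who copied it just before it changed can still finish the purchase. The HMAC-SHA256 construction with HOTP-style truncation, the one-hour period, the 3-digit length and the 5-minute grace window are all assumptions for the example, not details of dCVV2.

```python
import hashlib
import hmac
import struct

# Constructed illustration of a time-based dynamic CVV. The real Visa dCVV2
# algorithm is not described in the article and is not reproduced here; this
# stand-in uses HMAC-SHA256 with HOTP-style dynamic truncation (RFC 4226) over
# a time-window counter. All parameters below are assumptions.
PERIOD_SECONDS = 3600   # assumed: the e-ink code changes once an hour
DIGITS = 3              # assumed: 3-digit code, like a static CVV2
GRACE_SECONDS = 300     # assumed: previous code accepted for 5 min after rollover


def window_index(unix_time: int) -> int:
    """Counter shared by card and issuer: which hour-long window we are in."""
    return unix_time // PERIOD_SECONDS


def dynamic_cvv(card_secret: bytes, unix_time: int) -> str:
    """Code the card displays (and the issuer recomputes) for this window."""
    counter = struct.pack(">Q", window_index(unix_time))
    mac = hmac.new(card_secret, counter, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, as in HOTP
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_cvv(card_secret: bytes, presented: str, unix_time: int) -> bool:
    """Issuer-side check. The current window's code is always valid; the previous
    window's code is valid only for GRACE_SECONDS after rollover. So there are
    at most two valid codes, and only for a few minutes each hour."""
    if len(presented) != DIGITS or not presented.isdigit():
        return False
    candidates = [dynamic_cvv(card_secret, unix_time)]
    if unix_time % PERIOD_SECONDS < GRACE_SECONDS:
        candidates.append(dynamic_cvv(card_secret, unix_time - PERIOD_SECONDS))
    return any(hmac.compare_digest(presented, c) for c in candidates)


if __name__ == "__main__":
    secret = b"constructed-per-card-secret"       # constructed; never printed on the card
    t = 472222 * PERIOD_SECONDS                    # an arbitrary window boundary
    stolen = dynamic_cvv(secret, t - 1)            # code photographed just before rollover
    print("stolen code valid at t+60s:", verify_cvv(secret, stolen, t + 60))
    print("stolen code valid at t+2h: ", verify_cvv(secret, stolen, t + 2 * PERIOD_SECONDS))
```

The point of `verify_cvv` is the replay property: a code captured from a photo of the card or from a merchant's memory is only useful until the window (plus grace) ends, whereas nothing about the per-guess odds has changed, since the output is still one of 1000 values.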



 
  • (Score: 2) by requerdanos on Saturday December 29 2018, @03:15PM (17 children)

    by requerdanos (5997) Subscriber Badge on Saturday December 29 2018, @03:15PM (#779691) Journal

    researchers have shown that Web bots making random guesses on legitimate websites can often come up with the appropriate CVV... A dynamic CVV should—at least in theory—be far more difficult to guess and use.

    (Emphasis added)

    Now, in the case of a static, pre-printed CVV, you find that a CVV is generally a 3 to 4-digit code, providing a guessing space of either 1000 or 10000 possible choices.

    Thus, 1 random guess out of 1000 or 10000, depending on CVV length, would be a winner.

    BUT! If the CVV is a magic, shifting e-ink CVV, you find that a CVV is generally a 3 to 4-digit code, providing a guessing space of either 1000 or 10000 possible choices.

    In that totally different case, 1 random guess out of 1000 or 10000, depending on CVV length, would be a winner.

    This leads up to my question: What's the theory under which one of these cases is "far more difficult"?

  • (Score: 1) by fennec on Saturday December 29 2018, @03:24PM (5 children)

    by fennec (7053) on Saturday December 29 2018, @03:24PM (#779697)

    Thieves are not guessing CVV, they get a picture of both sides of the credit card while you get cash from an ATM for example. If CVV changes then the pictures are useless.

    • (Score: 1) by fennec on Saturday December 29 2018, @03:26PM (3 children)

      by fennec (7053) on Saturday December 29 2018, @03:26PM (#779699)

      But regarding guessing you're right, dynamic CVV does not help...
      (that's what happens when you don't read TFA :D)

      • (Score: 1) by D2 on Saturday December 29 2018, @03:47PM (2 children)

        by D2 (5107) on Saturday December 29 2018, @03:47PM (#779707)

        Also not strictly true. Nearly all authentication mechanisms include temporal features: delay-between-guesses or maximum-guesses-before-temporary-lock. In Risk-based-Authentication, seeing rapid/roving authentication attempt activity is itself often a flag.

        Nobody's playing 1:1000 games; they're either capturing CHD for reuse (and a roving CVV closes replay attacks) or they're playing slow-n-steady brute-force games, which is bearable if the attacker is clever and patient, and again closed if the target CVV changes faster than one can exhaust the range of possible CVVs.

        All that said, Chip and PIN is better, and electronic interactions like NFC remain many orders of magnitude more secure than a 3 or 4 digit CVV.

        • (Score: 3, Interesting) by requerdanos on Saturday December 29 2018, @04:07PM (1 child)

          by requerdanos (5997) Subscriber Badge on Saturday December 29 2018, @04:07PM (#779714) Journal

          brute-force games, which is bearable if the attacker is clever and patient, and again closed if the target CVV changes faster than one can exhaust the range of possible CVVs.

          Let's say I grant your premise, even if the CVV might have to change faster than a slow, plodding typical consumer could copy it down and complete a slow, plodding, typical transaction with it to outrun ~=500 to 750 automated guesses. That's still systematic, directed, nonrandom guessing, and says nothing of the supposed theory alluded to in TFS that randomly guessing a number that changes once in a while is somehow far more difficult than randomly guessing a number that doesn't.

          Try it yourself in the laboratory with dice and a clipboard--you'll find that random guessing doesn't work that way.

          • (Score: 1, Informative) by Anonymous Coward on Saturday December 29 2018, @09:49PM

            by Anonymous Coward on Saturday December 29 2018, @09:49PM (#779811)

            Credit cards are good for multiple years. Unless you get the card physically replaced, which most people don't do, you can slowly (by computing standards) brute force the CVV and expiration date but then you have to wait to actually use it when the heat dies down. With around 400 guesses per bot per second (which is super easy, if you know what you are doing), you can guess the information real quick. Your software then flags that card for the bruter, who uses it for what they really want after the time out or resells it on the black market for more money, as the CVV and expiration date is included.

            With these new cards, there are, at most two valid CVVs, and that is only for a five minute period during the rollover period; most of the one hour period, there is only one valid CVV. Therefore, the bruter can brute it, but it kills the resale value as there is no longer a guarantee that the CVV is still good. So, the bruter has to use it as soon as possible. The problem is that the credit card company can flag transactions with repeated CVVs as suspicious, especially across websites. This is even more of a protection when coupled to the current practice of flagging transactions within a certain window of declined authorization due to wrong CVV, hence why they have to wait to use the card in the first place.

    • (Score: 0) by Anonymous Coward on Sunday December 30 2018, @07:33AM

      by Anonymous Coward on Sunday December 30 2018, @07:33AM (#779920)

      I have two credit cards. One for normal transactions and cash. The other is credit only for online transactions. It works.
      What I'd really like is the 1 hour cc number some US banks have. The cc number only exists for one hour, tied back to the main card.
      I'd pay for that kind of facility for one off payments.

  • (Score: 0) by Anonymous Coward on Saturday December 29 2018, @03:30PM (3 children)

    by Anonymous Coward on Saturday December 29 2018, @03:30PM (#779701)

    The theory that you can make many guesses in a row, which is usually possible because there is usually a retry available. After guessing once with the static numbers that wrong guess takes a number out of the pool; with a shifting number it does not take that number out of the pool.

    Maybe a cool down on the retry would be good as well if that is not in there already.

    • (Score: 2) by requerdanos on Saturday December 29 2018, @03:36PM (2 children)

      by requerdanos (5997) Subscriber Badge on Saturday December 29 2018, @03:36PM (#779703) Journal

      After guessing once with the static numbers that wrong guess takes a number out of the pool

      Right, but those guesses aren't random; they're systematic. TFS specifically says:

      Web bots making random guesses... can often come up with the appropriate CVV.... A dynamic CVV should—at least in theory—be far more difficult to guess and use.

      Even in the case of systematic guesses (not random ones), and even if you get a dozen or more guesses before being locked out, a shifting CVV is still going to be "slightly" more difficult, not "far more difficult" to guess.

      What's this "far more difficult" theory? How does it work?

      • (Score: 0) by Anonymous Coward on Saturday December 29 2018, @09:53PM

        by Anonymous Coward on Saturday December 29 2018, @09:53PM (#779815)

        A dynamic CVV should—at least in theory—be far more difficult to guess and use.

        Because of the way they have to guess. If they speed up guessing to use it in the validity window, it looks more suspicious; if they slow guessing to not look suspicious, it is harder to use it in the validity window.

      • (Score: 3, Informative) by edIII on Saturday December 29 2018, @10:41PM

        by edIII (791) on Saturday December 29 2018, @10:41PM (#779835)

        I do see your point. Regardless of the time window, how is guessing a random target any different than a static one? With the random one however, it is constantly changing providing a different target to guess. From the viewpoint of several selections though, the odds would seem to be the same.

        The answer would be a CVV of greater length. Something like 9 digits, which is what RSA keyfobs use IIRC.

        Additionally, nobody seems to catch this interesting gem:

        and changes according to an algorithm supplied by Visa.

        Reallllly? Perhaps similar to the RSA algorithm that was cracked allowing some nation state access to the US military-industrial complex? Algorithm means it's deterministic, and therefore not random at all. Indirectly, it's security through obscurity. Somebody cracks that code and they don't need multiple chances to guess anything.

        Situations like this have happened before. NSA compromising a CSPRNG, nation states compromising RSA, and an engineer figuring out an algorithm in use by the lottery for scratchers.....

        --
        Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by zocalo on Saturday December 29 2018, @04:22PM (2 children)

    by zocalo (302) on Saturday December 29 2018, @04:22PM (#779718)
    Your missing factor is time. If a thief steals the card number and its associated static CVV they're good until the card is invalidated or they get busted. If the thief steals a card number and an associated dynamic CVV their window of opportunity only lasts until the CVV changes, which might be minutes or even seconds if they are anything like RSA keyfobs. If they're trying to guess the CVV then, as you note, their odds are the same, but they also have a much greater chance of triggering fraud detection through re-tries and getting the card invalidated by the bank/card provider.

    None of which addresses the elephant in the room with CVVs; the number of times companies get hacked and CVV numbers turn out to be part of the compromised data. AFAIK, CVV numbers are not supposed to be stored under any circumstances so, unless they are able to demonstrate that the CVV numbers were compromised in memory over an extended period of time (which opens a whole other security can of worms), why are these companies allowed to continue processing credit cards in the wake of a clear breach of CVV processing requirements?
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 0) by Anonymous Coward on Saturday December 29 2018, @05:29PM (1 child)

      by Anonymous Coward on Saturday December 29 2018, @05:29PM (#779748)

      If they're trying to guess the CVV then, as you note, their odds are the same, but they also have a much greater chance of triggering fraud detection through re-tries and getting the card invalidated by the bank/card provider.

      I don't think anyone snarfing credit card numbers actually cares about fraud detection.

      You obtain details from a million cards and then attempt to make a million transactions with them. Supposing a CVV is actually required by the fraudster, and that it is actually unknown, then the fraudster can guess with 1/1000 probability of success. So with one guess per card the fraudster can expect to get 1000 3-digit CVVs correct on the first try. Changing the CVV periodically makes exactly zero difference in this case. But more digits could be used.

      None of which addresses the elephant in the room with CVVs; the number of times companies get hacked and CVV numbers turn out to be part of the compromised data.

      An ever-changing CVV would indeed help with this scenario, as such stored CVVs would be useless after a short time. Of course the cost is that the cardholders now have more work to do in order to make transactions.

      • (Score: 0) by Anonymous Coward on Sunday December 30 2018, @03:21AM

        by Anonymous Coward on Sunday December 30 2018, @03:21AM (#779886)

        Shotgunning is a minority of online credit card theft. It requires more resources, more exposure, and does not have the same return as bruting does. Sure, those economics might change when iCVV or dynamic CVV is more widespread, but as it stands it is in the minority.

  • (Score: 2) by sjames on Saturday December 29 2018, @06:05PM (3 children)

    by sjames (2882) on Saturday December 29 2018, @06:05PM (#779765) Journal

    If a single wrong guess would lock a card out, you would be right. However, consider a case where the bad guy has 50,000 card numbers and doesn't care which one works. Eventually, one does work and they have a card number with CVV and probably a couple years to exploit it.

    A rolling CVV cuts that window to a few minutes.

    • (Score: 0) by Anonymous Coward on Saturday December 29 2018, @09:16PM (2 children)

      by Anonymous Coward on Saturday December 29 2018, @09:16PM (#779804)

      If a single wrong guess would lock a card out, you would be right. However, consider a case where the bad guy has 50,000 card numbers and doesn't care which one works. Eventually, one does work and they have a card number with CVV and probably a couple years to exploit it.

      Only if they don't use the card afterwards for those couple years. If the fraudster continues to make fraudulent transactions they are unlikely to go unnoticed for very long.

      I suspect it's most lucrative to simply binge with the card info as soon as working information is discovered, which means the time window for fraud is probably pretty short.

      • (Score: 0) by Anonymous Coward on Saturday December 29 2018, @10:40PM

        by Anonymous Coward on Saturday December 29 2018, @10:40PM (#779834)

        And you'd be wrong. People don't repeatedly screw up their CVV. You have to put some spacing in between the discovery and the use, or it looks suspicious. Not a lot, but enough. However, this new system prevents you from waiting too long.

        Also, people don't make a bunch of online purchases at once. Too many, and they all look suspicious. So you have to wait between them. The longer you can wait, especially if you use different delivery mules, the less likely you are to be noticed and the more your theft appears to be a random lucky guess from shotgunners, than it appears to be from compromised credentials. The latter of which is much more likely to be reissued by the card companies and starting the process over for the bad guys.

      • (Score: 2) by sjames on Saturday December 29 2018, @11:01PM

        by sjames (2882) on Saturday December 29 2018, @11:01PM (#779842) Journal

        The window for fraud detection is probably wider than the window for a rolling CVV. If they try to max it out in 2 minutes, they'll be detected before a single item ships. Optimal strategy with fixed CVV is probably 2 weeks so they don't trip the tilt switch and before the rightful owner gets a bill.
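The thread above argues two things at once: requerdanos's point that the per-guess odds against a 3-digit code are 1 in 1000 whether or not the code rolls, and D2's and sjames's point that a rolling code shrinks the lifetime of a hit from years to the rest of the current window. The following added example (not from any commenter) puts numbers on both. It is a constructed attacker model: many card numbers, an issuer that locks a card after a fixed number of wrong CVVs, attempts paced apart to stay under velocity checks, and an assumed one-hour rollover period for the e-ink code; the closed-form functions give the with-replacement and without-replacement success probabilities, and `simulate` runs the 50,000-card scenario from the thread for both card types.

```python
import random

SPACE = 1000        # a 3-digit CVV: 1000 possible values
PERIOD = 3600       # assumed rollover period of the e-ink code, in seconds


def static_guess_success(k: int) -> float:
    """Probability that k distinct guesses hit a fixed CVV (without replacement)."""
    return min(k, SPACE) / SPACE


def rolling_guess_success(k: int) -> float:
    """Probability that k guesses hit a code that is freshly random for every
    guess (with replacement). For k much smaller than SPACE this is almost the
    same as the static case, which is the 'no theory' objection in the thread."""
    return 1 - (1 - 1 / SPACE) ** k


def simulate(cards: int, guesses_per_card: int, pace_seconds: int, seed: int = 1):
    """Constructed attacker model, not from the article. The attacker holds
    `cards` card numbers; the issuer locks a card after `guesses_per_card` wrong
    CVVs, so attempts are spaced `pace_seconds` apart to stay under velocity
    checks. A static card has one target, swept systematically 000, 001, ...
    A rolling card draws a fresh uniformly random target every PERIOD seconds,
    and the attacker restarts the sweep at each rollover because misses against
    the old code say nothing about the new one. Returns (static_cracked,
    rolling_cracked, seconds_of_validity_left_for_each_rolling_hit). A static
    hit stays valid until the card is reissued; a rolling hit dies at rollover."""
    rng = random.Random(seed)
    static_cracked = 0
    rolling_cracked = 0
    validity_left = []
    for _ in range(cards):
        static_target = rng.randrange(SPACE)
        rolling_target = rng.randrange(SPACE)
        window = 0
        sweep_start = 0
        static_hit = rolling_hit = False
        for g in range(guesses_per_card):
            t = g * pace_seconds
            if t // PERIOD != window:               # the e-ink code rolled over
                window = t // PERIOD
                rolling_target = rng.randrange(SPACE)
                sweep_start = g
            if not static_hit and g == static_target:
                static_hit = True
            if not rolling_hit and (g - sweep_start) == rolling_target:
                rolling_hit = True
                validity_left.append(PERIOD - t % PERIOD)   # usable only until rollover
            if static_hit and rolling_hit:
                break
        static_cracked += static_hit
        rolling_cracked += rolling_hit
    return static_cracked, rolling_cracked, validity_left


if __name__ == "__main__":
    s, r, left = simulate(cards=50_000, guesses_per_card=10, pace_seconds=600)
    print(f"static cards cracked:  {s}  (each good until reissue)")
    print(f"rolling cards cracked: {r}  (each good for <= {max(left)} s)")
    print(f"closed form, 10 guesses: static {static_guess_success(10):.4f}, "
          f"rolling {rolling_guess_success(10):.4f}")
```

With ten guesses per card both columns come out near 500 cracked, which is the "same odds" half of the argument; the difference is entirely in the third return value, where every rolling hit expires within the hour, so the "brute, wait for the heat to die down, then use or resell" workflow described by the Anonymous Coward above has nothing left to sell.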