
posted by n1 on Saturday December 29 2018, @01:55PM   Printer-friendly
from the ccv-(what's-this?) dept.

Submitted via IRC for SoyCow1984

Pilot project demos credit cards with shifting CVV codes to stop fraud

US-based PNC Bank is in the middle of a pilot project that aims to test out credit cards with constantly changing card verification values (or CVVs) to reduce online credit card fraud. The dynamic CVV is displayed on the back of such a card in e-ink, and changes according to an algorithm supplied by Visa.

[...] A static CVV number can provide some protection from online fraud, but sometimes CVVs can be stolen in tandem with the card number. Worse, researchers have shown that Web bots making random guesses on legitimate websites can often come up with the appropriate CVV and expiration date to pair with a card number.

A dynamic CVV should—at least in theory—be far more difficult to guess and use. The idea of a dynamic CVV isn't new: the cards are being supplied by a company called Idemia, which announced its "Motion Code" dynamic CVV cards in 2016. Since then, Visa has detailed a specification for the dynamic CVV pairing, called dCVV2, and Visa is also a partner in getting this pilot project off the ground.


  • (Score: 2) by requerdanos on Saturday December 29 2018, @03:36PM (2 children)


    "After guessing once with the static numbers that wrong guess takes a number out of the pool"

    Right, but those guesses aren't random; they're systematic. TFS specifically says:

    "Web bots making random guesses... can often come up with the appropriate CVV.... A dynamic CVV should—at least in theory—be far more difficult to guess and use."

    Even in the case of systematic guesses (not random ones), and even if you get a dozen or more guesses before being locked out, a shifting CVV is still going to be "slightly" more difficult, not "far more difficult" to guess.

    What's this "far more difficult" theory? How does it work?

  • (Score: 0) by Anonymous Coward on Saturday December 29 2018, @09:53PM


    "A dynamic CVV should—at least in theory—be far more difficult to guess and use."

    Because of the way they have to guess. If they speed up guessing to use it in the validity window, it looks more suspicious; if they slow guessing to not look suspicious, it is harder to use it in the validity window.

  • (Score: 3, Informative) by edIII on Saturday December 29 2018, @10:41PM


    I do see your point. Regardless of the time window, how is guessing a random target any different than a static one? With the random one, however, it is constantly changing, providing a different target to guess. From the viewpoint of several selections though, the odds would seem to be the same.

    The answer would be a CVV of greater length. Something like 9 digits, which is what RSA keyfobs use IIRC.

    Additionally, nobody seems to catch this interesting gem:

    "and changes according to an algorithm supplied by Visa."

    Reallllly? Perhaps similar to the RSA algorithm that was cracked allowing some nation state access to the US military-industrial complex? Algorithm means it's deterministic, and therefore not random at all. Indirectly, it's security through obscurity. Somebody cracks that code and they don't need multiple chances to guess anything.

    Situations like this have happened before. NSA compromising a CSPRNG, nation states compromising RSA, and an engineer figuring out an algorithm in use by the lottery for scratchers.....

    --
    Technically, lunchtime is at any moment. It's just a wave function.
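
The guessing odds argued over in the comments above, worked through as an added example (not part of the thread, and not Visa's dCVV2 algorithm, which the page does not describe). It assumes the dynamic code is uniform and independent in each validity window; the function names and the guess budgets are illustrative.

```python
from fractions import Fraction


def p_static(guesses: int, digits: int = 3) -> Fraction:
    """Fixed code, systematic guessing: every miss shrinks the pool, so k/N."""
    space = 10 ** digits
    return Fraction(min(guesses, space), space)


def p_dynamic(guesses: int, digits: int = 3, per_window: int = 1) -> Fraction:
    """Code re-drawn each validity window (modelled as uniform and independent).

    Misses only shrink the pool inside one window; the next window starts over.
    """
    full, rest = divmod(guesses, per_window)
    miss_full = 1 - p_static(per_window, digits)
    miss_rest = 1 - p_static(rest, digits)
    return 1 - miss_full ** full * miss_rest


def compare(budgets=(12, 100, 1000), lengths=(3, 9)):
    """Rows of (digits, guesses, P[static], P[dynamic, one guess per window])."""
    return [(d, k, float(p_static(k, d)), float(p_dynamic(k, d)))
            for d in lengths for k in budgets]


if __name__ == "__main__":
    print("digits guesses    static   dynamic")
    for d, k, s, dyn in compare():
        print(f"{d:>6} {k:>7} {s:>9.6f} {dyn:>9.6f}")
```

The model covers blind guessing only; it says nothing about a code stolen together with the card number, which a rotating value invalidates once its window ends.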