SoylentNews is people

posted by n1 on Saturday December 29 2018, @01:55PM
from the ccv-(what's-this?) dept.

Submitted via IRC for SoyCow1984

Pilot project demos credit cards with shifting CVV codes to stop fraud

US-based PNC Bank is in the middle of a pilot project that aims to test out credit cards with constantly changing card verification values (or CVVs) to reduce online credit card fraud. The dynamic CVV is displayed on the back of such a card in e-ink, and changes according to an algorithm supplied by Visa.

[...] A static CVV number can provide some protection from online fraud, but sometimes CVVs can be stolen in tandem with the card number. Worse, researchers have shown that Web bots making random guesses on legitimate websites can often come up with the appropriate CVV and expiration date to pair with a card number.

A dynamic CVV should—at least in theory—be far more difficult to guess and use. The idea of a dynamic CVV isn't new: the cards are being supplied by a company called Idemia, which announced its "Motion Code" dynamic CVV cards in 2016. Since then, Visa has detailed a specification for the dynamic CVV pairing, called dCVV2, and Visa is also a partner in getting this pilot project off the ground.

  • (Score: 1) by D2 (5107) on Saturday December 29 2018, @03:47PM (#779707) (2 children)

    Also not strictly true. Nearly all authentication mechanisms include temporal features: delay-between-guesses or maximum-guesses-before-temporary-lock. In Risk-based-Authentication, seeing rapid/roving authentication attempt activity is itself often a flag.

    Nobody's playing 1:1000 games; they're either capturing CHD for reuse (and a roving CVV closes replay attacks) or they're playing slow-n-steady brute-force games, which is bearable if the attacker is clever and patient, and again closed if the target CVV changes faster than one can exhaust the range of possible CVVs.

    All that said, Chip and PIN is better, and electronic interactions like NFC remain many orders of magnitude more secure than a 3 or 4 digit CVV.

  • (Score: 3, Interesting) by requerdanos (5997) on Saturday December 29 2018, @04:07PM (#779714) (1 child)

    brute-force games, which is bearable if the attacker is clever and patient, and again closed if the target CVV changes faster than one can exhaust the range of possible CVVs.

    Let's say I grant your premise, even if the CVV might have to change faster than a slow, plodding typical consumer could copy it down and complete a slow, plodding, typical transaction with it to outrun ~=500 to 750 automated guesses. That's still systematic, directed, nonrandom guessing, and says nothing of the supposed theory alluded to in TFS that randomly guessing a number that changes once in a while is somehow far more difficult than randomly guessing a number that doesn't.

    Try it yourself in the laboratory with dice and a clipboard--you'll find that random guessing doesn't work that way.
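As an added illustration, not part of this thread and not anyone's posted code: a small Python simulation, written from the issuer's side, of the guessing model the two comments above argue over. It compares systematic (no-repeat) and random guessing against a static three-digit code, against a code that rotates faster than the space can be exhausted, and against a verifier that locks the card after a handful of wrong attempts. The rotation interval, the lock threshold, the trial count and the seed are assumptions chosen for the simulation, not issuer settings.

```python
import random

CODE_SPACE = 1000  # a three-digit CVV: 000..999


def guesses_to_hit(rng, strategy, rotate_every=None, lock_after=None):
    """Simulate guessing attempts against one card, as seen by the verifier.

    Returns the number of guesses until the current code is matched, or None
    if the verifier locked the card first.

    strategy      'random': each guess drawn independently and uniformly;
                  'systematic': walk a fixed permutation of 000..999 without repeats.
    rotate_every  redraw the true code after this many guesses (None = static CVV).
    lock_after    lock the card after this many wrong guesses (None = no lockout).
    All three parameters are assumptions for the simulation, not issuer settings.
    """
    code = rng.randrange(CODE_SPACE)
    order = list(range(CODE_SPACE))
    if strategy == "systematic":
        rng.shuffle(order)
    n = 0  # guesses made so far, all of them wrong
    while True:
        if lock_after is not None and n >= lock_after:
            return None
        if rotate_every is not None and n > 0 and n % rotate_every == 0:
            code = rng.randrange(CODE_SPACE)  # dynamic CVV rolled over to a new value
        if strategy == "random":
            guess = rng.randrange(CODE_SPACE)
        else:
            guess = order[n % CODE_SPACE]
        n += 1
        if guess == code:
            return n


def summarize(strategy, rotate_every=None, lock_after=None, trials=2000, seed=1):
    """Run many independent cards and report success rate and guess counts."""
    rng = random.Random(seed)
    results = [guesses_to_hit(rng, strategy, rotate_every, lock_after) for _ in range(trials)]
    hits = [r for r in results if r is not None]
    return {
        "success_rate": len(hits) / trials,
        "mean_guesses": sum(hits) / len(hits) if hits else None,
        "max_guesses": max(hits) if hits else None,
    }


if __name__ == "__main__":
    scenarios = [
        ("systematic, static code", "systematic", None, None),
        ("systematic, code rotates every 100 guesses", "systematic", 100, None),
        ("random, static code", "random", None, None),
        ("random, code rotates every 100 guesses", "random", 100, None),
        ("systematic, static code, lock after 5 wrong", "systematic", None, 5),
    ]
    for label, strategy, rotate, lock in scenarios:
        s = summarize(strategy, rotate, lock)
        print(f"{label:48s} success={s['success_rate']:.3f} "
              f"mean={s['mean_guesses']} max={s['max_guesses']}")
```

Against a static code the systematic walk is guaranteed to finish within 1000 guesses (mean about 500); once the code rotates every 100 guesses the walk loses that guarantee and its mean climbs to roughly 950 with a long tail, while random guessing averages about 1000 guesses whether the code rotates or not. The lockout scenario is the one that changes the picture: with five attempts allowed, success drops to about half a percent regardless of strategy.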

    • (Score: 1, Informative) by Anonymous Coward on Saturday December 29 2018, @09:49PM (#779811)

      Credit cards are good for multiple years. Unless you get the card physically replaced, which most people don't do, you can slowly (by computing standards) brute force the CVV and expiration date but then you have to wait to actually use it when the heat dies down. With around 400 guesses per bot per second (which is super easy, if you know what you are doing), you can guess the information real quick. Your software then flags that card for the bruter, who uses it for what they really want after the time out or resells it on the black market for more money, as the CVV and expiration date is included.

      With these new cards, there are, at most, two valid CVVs, and that is only for a five-minute period during the rollover period; for most of the one-hour period, there is only one valid CVV. Therefore, the bruter can brute it, but it kills the resale value as there is no longer a guarantee that the CVV is still good. So, the bruter has to use it as soon as possible. The problem is that the credit card company can flag transactions with repeated CVVs as suspicious, especially across websites. This is even more of a protection when coupled to the current practice of flagging transactions within a certain window of a declined authorization due to a wrong CVV, hence why they have to wait to use the card in the first place.
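As an added example, not part of this thread and not Visa's, Idemia's or PNC's code: a Python sketch of the issuer-side logic the comment above describes. A code is derived per one-hour window, the previous window's code is still accepted for the first five minutes after rollover, and two risk flags are raised on the transaction history the comment mentions: a transaction following a wrong-CVV decline, and the same code presented at more than one merchant. The HMAC-based derivation, the per-card key, the six-hour lookback and the PAN and merchant names are assumptions made for the illustration; the page does not describe Visa's actual dCVV2 algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

WINDOW_SECONDS = 60 * 60   # one-hour code lifetime, as in the comment above
GRACE_SECONDS = 5 * 60     # five-minute rollover during which the previous code still works


def dynamic_cvv(card_key: bytes, window_index: int) -> str:
    """Derive the three-digit code for one time window.

    Assumption: an HMAC-SHA256 truncation stands in for the issuer's real
    derivation; the page does not describe Visa's algorithm.
    """
    msg = window_index.to_bytes(8, "big")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def valid_codes(card_key: bytes, now: int) -> set:
    """Codes the issuer accepts at time `now` (seconds since the epoch)."""
    idx = now // WINDOW_SECONDS
    codes = {dynamic_cvv(card_key, idx)}
    if idx > 0 and now % WINDOW_SECONDS < GRACE_SECONDS:
        codes.add(dynamic_cvv(card_key, idx - 1))  # rollover: previous code still accepted
    return codes


@dataclass
class Authorizer:
    """Issuer-side CVV check that also raises the risk flags the comment describes."""
    card_keys: dict                               # PAN -> per-card key (constructed)
    lookback: int = 6 * 60 * 60                   # assumed window for correlating earlier attempts
    history: list = field(default_factory=list)   # (time, pan, cvv, merchant, approved)

    def authorize(self, now: int, pan: str, cvv: str, merchant: str):
        approved = cvv in valid_codes(self.card_keys[pan], now)
        flags = self._risk_flags(now, pan, cvv, merchant)
        self.history.append((now, pan, cvv, merchant, approved))
        return approved, flags

    def _risk_flags(self, now, pan, cvv, merchant):
        recent = [h for h in self.history
                  if h[1] == pan and 0 <= now - h[0] <= self.lookback]
        flags = []
        if any(not h[4] for h in recent):
            flags.append("recent_cvv_decline")            # a wrong-CVV decline in the lookback
        if any(h[2] == cvv and h[3] != merchant for h in recent):
            flags.append("cvv_reused_across_merchants")   # same code presented at another site
        return flags


if __name__ == "__main__":
    # Constructed demo data: one card, three merchants, timestamps chosen around a rollover.
    key = b"constructed-per-card-key"
    pan = "PAN-0001"
    auth = Authorizer({pan: key})
    t = 10 * WINDOW_SECONDS + 30             # 30 s into window 10, inside the grace period
    good = dynamic_cvv(key, 10)
    previous = dynamic_cvv(key, 9)
    wrong = next(c for c in ("000", "001", "002") if c not in valid_codes(key, t))
    for when, code, merchant in [(t, wrong, "shop-a"), (t + 60, previous, "shop-a"),
                                 (t + 600, previous, "shop-b"), (t + 900, good, "shop-b"),
                                 (t + 1200, good, "shop-c")]:
        print(when, merchant, code, auth.authorize(when, pan, code, merchant))
```

The flags are advisory rather than hard declines: a legitimate cardholder can buy from two sites within the same hour, so the reuse signal is meant to feed a risk score alongside the decline history, which is how the comment frames it.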