SoylentNews is people

posted by n1 on Saturday December 29 2018, @01:55PM
from the ccv-(what's-this?) dept.

Submitted via IRC for SoyCow1984

Pilot project demos credit cards with shifting CVV codes to stop fraud

US-based PNC Bank is in the middle of a pilot project that aims to test out credit cards with constantly changing card verification values (or CVVs) to reduce online credit card fraud. The dynamic CVV is displayed on the back of such a card in e-ink, and changes according to an algorithm supplied by Visa.

[...] A static CVV number can provide some protection from online fraud, but sometimes CVVs can be stolen in tandem with the card number. Worse, researchers have shown that Web bots making random guesses on legitimate websites can often come up with the appropriate CVV and expiration date to pair with a card number.

A dynamic CVV should—at least in theory—be far more difficult to guess and use. The idea of a dynamic CVV isn't new: the cards are being supplied by a company called Idemia, which announced its "Motion Code" dynamic CVV cards in 2016. Since then, Visa has detailed a specification for the dynamic CVV pairing, called dCVV2, and Visa is also a partner in getting this pilot project off the ground.


  • (Score: 0) by Anonymous Coward on Saturday December 29 2018, @05:29PM (#779748)

    If they're trying to guess the CVV then, as you note, their odds are the same, but they also have a much greater chance of triggering fraud detection through re-tries and getting the card invalidated by the bank/card provider.

    I don't think anyone snarfing credit card numbers actually cares about fraud detection.

    You obtain details from a million cards and then attempt to make a million transactions with them. Supposing a CVV is actually required by the fraudster, and that it is actually unknown, then the fraudster can guess with 1/1000 probability of success. So with one guess per card the fraudster can expect to get 1000 3-digit CVVs correct on the first try. Changing the CVV periodically makes exactly zero difference in this case. But more digits could be used.

    None of which addresses the elephant in the room with CVVs; the number of times companies get hacked and CVV numbers turn out to be part of the compromised data.

    An ever-changing CVV would indeed help with this scenario, as such stored CVVs would be useless after a short time. Of course the cost is that the cardholders now have more work to do in order to make transactions.

  • (Score: 0) by Anonymous Coward on Sunday December 30 2018, @03:21AM (#779886)

    Shotgunning is a minority of online credit card theft. It requires more resources, more exposure, and does not have the same return as bruting does. Sure, those economics might change when iCVV or dynamic CVV is more widespread, but as it stands it is in the minority.