[Cryptography] French credit card has time-varying PIN

[Ron Garret]

On Oct 4, 2016, at 10:14 AM, John Levine <johnl at iecc.com> wrote:

>> Well, guess what: problem not solved.  Why?  Because criminals will trivially adapt to the new circumstances.  It?s just not that hard for phishers to
>> set up a distribution channel with latency measured in seconds rather than days.  The only reason they haven?t done it so far is that it hasn?t been
>> necessary.  If it becomes necessary, they will do it.  This is their livelihood after all.
> 
> People who know a lot more than me about this tell me that finding
> mules to cash out is the chokepoint in credit card fraud.  You can buy
> a gazillion "fullz" with name, address, card number and CVV, for like
> a dollar apiece, because they are so hard to monetize.

That’s the price for dead fullz.  Live ones cost $100+

http://venturebeat.com/2015/02/08/fullz-dumps-and-cvvs-heres-what-hackers-are-selling-on-the-black-market/

> They will certainly adapt to some degree, but this appears to be a
> place where it'll be hard.

Why?  Switching to a JIT supply chain just isn’t that hard, particularly for digital goods.  I don’t see any reason why haxers won't do it if that’s what it takes to stay in business.

rg