[Cryptography] French credit card has time-varying PIN

Peter Todd pete at petertodd.org
Mon Oct 3 19:41:14 EDT 2016


On Mon, Oct 03, 2016 at 04:19:10PM -0400, Rick Nakroshis wrote:
> On Mon, Oct 3, 2016 at 2:50 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> 
> >
> > The three digits on the back of this card will change, every hour, for
> > three years.
> >
> > And after they change, the previous three digits are essentially
> > worthless, and that's a huge blow for criminals.
> >
> 
> 
> I was amused by these lines.  Changing a three digit code every hour
> generates unique values for less than forty-two days, not three years.
> 
> To last for three years, they'll need to reuse each value on the order of
> thirty-five times.  Nonetheless, it's a step in the right direction.

Values repeating doesn't have to be a problem in this application if the
validity window for any particular value is sufficiently small.

For instance, suppose each three digit code is picked by a pseudorandom
function of time, and thus the total sequence doesn't repeat. Secondly, suppose
each three digit code is valid for two hours in total - one hour + a half hour
window on each side.

42 days / 2hrs = 504 slots, which means that you have a 1 in 504 chance of
guessing the right code at random. That's only a little bit worse than the 1 in
1000 chance if the attacker didn't know the code at all and had to guess at
random, so definitely a net improvement in security over a fixed code.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
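
The scheme sketched in the message above, as an added example that is not part of the original post: an issuer-side verifier for an hourly three-digit code with a half-hour margin on each side. HMAC-SHA256 stands in for the unspecified pseudorandom function, and the key, timestamp and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SLOT_SECONDS = 3600   # the code changes every hour (from the post)
GRACE_SECONDS = 1800  # half-hour acceptance margin on each side (from the post)

def code_for_slot(key: bytes, slot: int) -> str:
    """Three-digit code for one hour slot. HMAC-SHA256 is an assumed PRF."""
    mac = hmac.new(key, struct.pack(">q", slot), hashlib.sha256).digest()
    # 64 bits reduced mod 1000: the modulo bias is negligible.
    return f"{int.from_bytes(mac[:8], 'big') % 1000:03d}"

def validity_window(slot: int) -> tuple[int, int]:
    """[start, end) in Unix seconds during which the slot's code is accepted."""
    start = slot * SLOT_SECONDS - GRACE_SECONDS
    return start, start + SLOT_SECONDS + 2 * GRACE_SECONDS

def accepted_slots(now: int) -> list[int]:
    """Slots whose validity window contains `now` (always two adjacent ones)."""
    first = (now - GRACE_SECONDS) // SLOT_SECONDS
    last = (now + GRACE_SECONDS) // SLOT_SECONDS
    return list(range(first, last + 1))

def verify(key: bytes, now: int, presented: str) -> bool:
    """Issuer-side check; compares against every candidate without early exit."""
    ok = False
    for slot in accepted_slots(now):
        expected = code_for_slot(key, slot).encode()
        ok |= hmac.compare_digest(expected, presented.encode())
    return ok

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed per-card secret
    shown_at = 1475538074          # constructed timestamp
    slot = shown_at // SLOT_SECONDS
    code = code_for_slot(key, slot)
    start, end = validity_window(slot)
    print("code:", code, "window seconds:", end - start)
    print("accepted when shown:", verify(key, shown_at, code))
    print("slot still accepted at window end:", slot in accepted_slots(end))
```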