[Cryptography] French credit card has time-varying PIN
Peter Todd
pete at petertodd.org
Mon Oct 3 19:41:14 EDT 2016
On Mon, Oct 03, 2016 at 04:19:10PM -0400, Rick Nakroshis wrote:
> On Mon, Oct 3, 2016 at 2:50 PM, Henry Baker <hbaker1 at pipeline.com> wrote:
> >
> > The three digits on the back of this card will change, every hour, for
> > three years.
> >
> > And after they change, the previous three digits are essentially
> > worthless, and that's a huge blow for criminals.
>
> I was amused by these lines. Changing a three digit code every hour
> generates unique values for less than forty-two days, not three years.
>
> To last for three years, they'll need to reuse each value on the order of
> thirty-five times. Nonetheless, it's a step in the right direction.

Values repeating doesn't have to be a problem in this application if the
validity window for any particular value is sufficiently small.

For instance, suppose each three digit code is picked by a pseudorandom
function of time, and thus the total sequence doesn't repeat. Secondly, suppose
each three digit code is valid for two hours in total - one hour + a half hour
window on each side.

42 days / 2hrs = 504 slots, which means that you have a 1 in 504 chance of
guessing the right code at random. That's only a little bit worse than the 1 in
1000 chance if the attacker didn't know the code at all and had to guess at
random, so definitely a net improvement in security over a fixed code.

--
https://petertodd.org 'peter'[:-1]@petertodd.org
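
A sketch of the scheme described in the message above (a code derived by a pseudorandom function of time, accepted for its hour plus half an hour on each side), as an added example that is not part of the original post or of any card issuer's design. HMAC-SHA256 as the pseudorandom function, Unix-time hourly slots, the demo key and all function names are assumptions.

```python
import hashlib
import hmac
import struct

HOUR = 3600    # the code on the card changes every hour
GRACE = 1800   # half-hour acceptance margin on each side, as in the post

def code_for_slot(key: bytes, slot: int) -> str:
    """Three-digit code for one hourly slot, from a keyed PRF of the slot number."""
    mac = hmac.new(key, struct.pack(">Q", slot), hashlib.sha256).digest()
    # Reducing 32 bits mod 1000 leaves a negligible bias for this illustration.
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

def accepted_slots(t: int) -> set:
    """Slots whose two-hour validity window covers Unix time t."""
    slot, offset = divmod(t, HOUR)
    slots = {slot}
    if offset < GRACE and slot > 0:
        slots.add(slot - 1)      # previous code still inside its trailing margin
    if offset >= HOUR - GRACE:
        slots.add(slot + 1)      # next code already inside its leading margin
    return slots

def displayed_code(key: bytes, t: int) -> str:
    """What the card shows at time t."""
    return code_for_slot(key, t // HOUR)

def verify(key: bytes, t: int, submitted: str) -> bool:
    """Issuer-side check: accept any code whose window covers t."""
    candidates = [code_for_slot(key, s) for s in sorted(accepted_slots(t))]
    # Compare against every candidate so timing does not reveal which one matched.
    results = [hmac.compare_digest(submitted, c) for c in candidates]
    return any(results)

if __name__ == "__main__":
    key = bytes(range(32))           # constructed demo key
    now = 1475538074                 # constructed timestamp
    shown = displayed_code(key, now)
    print(shown, verify(key, now, shown), sorted(accepted_slots(now)))
```

Codes of neighbouring slots can coincide by chance, so the window boundaries are best checked on `accepted_slots` rather than on the codes themselves.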