[Cryptography] French credit card has time-varying PIN

Ron Garret ron at flownet.com
Tue Oct 4 11:48:39 EDT 2016 

On Oct 4, 2016, at 3:40 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> Ron Garret <ron at flownet.com> writes:
> 
>> No, it just means you have a one-hour window between phishing the CVV and
>> using it.
> 
> Half an hour on average, not a full hour.  In any case it pretty much kills
> phishing, because the ecosystem requires a matter of some days between the
> card being phished and cashed out.

I am dumbfounded that you of all people have missed the very obvious flaw in this argument.  You *literally* wrote the book on this stuff! [1]  Here is straightforward adaptation of the anecdote with which you open the section on threats (p. 239):

A time-changing CVV code is useless for exactly the same reason that the CVV code itself is useless.  Why do we have CVV codes?  Because someone observed that hackers were stealing credit card numbers, which were supposed to be secret.  So they said to themselves, “What we need is a secret that can’t be stolen.  So we won’t put it on the magstripe and we won’t emboss it on the card.  Then there’s *no way* that hackers will be able to steal it!  Problem solved.”

Well, no, problem not solved.  Why?  Because criminals easily adapted to the new circumstances by adding a CVV code field to their phishing sites.  (How anyone could have not seen that one coming is still beyond my comprehension.)

So where we are today is a very similar situation: someone looked at the phishing ecosystem and observed that it currently takes several days from phishing to use and said to themselves, “If we could change the CVV code every hour then the phished CVV code will be invalid by the time criminals try to use it.  Then there’s *no way* hackers will be able to use phished credit card numbers.  Problem solved.”

Well, guess what: problem not solved.  Why?  Because criminals will trivially adapt to the new circumstances.  It’s just not that hard for phishers to set up a distribution channel with latency measured in seconds rather than days.  The only reason they haven’t done it so far is that it hasn’t been necessary.  If it becomes necessary, they will do it.  This is their livelihood after all.

rg

[1] https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf

More information about the cryptography mailing list