[Cryptography] French credit card has time-varying PIN

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Oct 4 23:58:16 EDT 2016


Ron Garret <ron at flownet.com> writes:

>Well, guess what: problem not solved.  Why?  Because criminals will trivially
>adapt to the new circumstances.  It’s just not that hard for phishers to set
>up a distribution channel with latency measured in seconds rather than days.

It's not that easy.  At this point you've switched from the critical link
being technology to it being people, and you can't speed that up with
software.  The rate-limiting step in the ecosystem is how fast you can cash
out the cards; even if you can somehow reduce the time from phish to cashiers
to zero, you can't cash them out that quickly because it involves humans doing
the work.  The trick in trying to make something secure is to find the
component that can't be solved/overrun with technology; cashing out cards is a
prime example of this.

In addition there's the outrunning-the-bear issue: you don't have to stop
every single possible attack, you just have to be more secure than everyone
else.  And as long as there are US banks, that's not going to be that hard
:-).

Peter.

