Tuesday, September 6, 2011

Visa's post-credit-card-fraud strategy a bit odd

I recently got notified by Bank of America that they'd detected fraud on my account. Meaning someone nasty got hold of my info. They told me they were changing my card number and mailing a new one to me.

So today I got it and noticed that they'd only changed the last four digits. Having spent a lot of time this year thinking about security (thanks, Security Now), this struck me as strange. Have you noticed how the last four digits are the ones everyone seems to just give away anyway? On receipts, online banking, mailings, etc., they always indicate your card by writing "XXXX XXXX XXXX 1632."

I used to think they accepted the lowered security of those last four because you still had the other twelve that are never given out (ignoring the fact that the first ~4 are entirely deterministic). But now I can assume there's someone out there with my old number, and the only thing Visa gave me to protect against them is those last four, weakly guarded digits.

Now, I know the chances of this person ever finding those last four are vanishingly small. It's probably not even someone close by, and they're not going to be going through my receipts or mail. Plus, I omitted the part where the CSC (those 3-4 digits on the back) is also different. So I'm not actually worried.
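A quick way to put a number on "the odds someone finds all four of these digits," as an added example that is not part of the original post. It assumes a 16-digit Visa number whose last digit is a Luhn check digit, and that the attacker already holds the old number, so the first twelve digits of the new card are known. Because the check digit is forced by the other fifteen, only three of the "last four" are actually free: there are 1000 Luhn-valid candidates, not 10,000, and the CSC is what multiplies that back up. The card numbers used below are constructed test values, not real accounts, and the function names are my own.

```python
"""
Added example (not from the original post): how much of a 16-digit Visa PAN is
actually left to guess when the issuer changes only the last four digits.

Assumptions, stated as such:
  * the number is 16 digits and the last one is a Luhn check digit;
  * the attacker holds the old number, so digits 1-12 of the new card are known;
  * every card number below is a constructed test value, not a real account.
"""


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string; 0 means the string passes the check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if the full card number passes the Luhn check."""
    return pan.isdigit() and luhn_checksum(pan) == 0


def luhn_check_digit(body: str) -> int:
    """The single digit that, appended to body, makes it Luhn-valid."""
    return (10 - luhn_checksum(body + "0")) % 10


def candidate_pans(known_prefix: str) -> list:
    """Every 16-digit PAN that starts with the 12 known digits and passes Luhn.

    Digits 13-15 are free; digit 16 is forced by the check, so the list has
    exactly 1000 entries rather than 10000.
    """
    if len(known_prefix) != 12 or not known_prefix.isdigit():
        raise ValueError("expected the 12 known leading digits")
    out = []
    for v in range(1000):
        body = known_prefix + f"{v:03d}"
        out.append(body + str(luhn_check_digit(body)))
    return out


def guesses_needed(known_prefix: str, csc_len: int = 3) -> dict:
    """Search space an attacker faces: the new PAN alone, and PAN plus CSC.

    The CSC is not derivable from the number, so it contributes its full
    10**csc_len factor (three digits on the back of a Visa card).
    """
    pans = len(candidate_pans(known_prefix))
    return {"pan_only": pans, "pan_and_csc": pans * 10 ** csc_len}


if __name__ == "__main__":
    OLD_PAN = "4111111111111111"   # constructed Visa test number, passes Luhn
    known = OLD_PAN[:12]           # what the fraudster still knows after the reissue
    cands = candidate_pans(known)
    print(len(cands), "Luhn-valid numbers share those 12 digits")
    print("old number is among them:", OLD_PAN in cands)
    print(guesses_needed(known))   # {'pan_only': 1000, 'pan_and_csc': 1000000}
```

Run it and the reissued card comes out as a 1-in-1000 guess on the number alone, which is why the different CSC matters more than the new last four: it is the CSC, not the account digits, that takes the space back to a million.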

It's just funny that while cybersecurity people are arguing about researchers who figured out how to break AES encryption in 190 quadrillion years instead of 760 quadrillion years, in the credit card world they're pretty much saying "Hey c'mon, what're the odds someone finds all four of these digits?"

And hey, maybe they're being a bit more realistic.

image credit: clanao.com (Google Images)