Personal Cardreaders


Fareastdriver
7th Mar 2015, 10:23
Can some electronic wizard tell me how these work? It started about ten years ago doing internet banking. I had a gadget that displayed a number when you pressed a button. This you typed into your internet page of your bank when asked. When correct you could access your account. I was suspicious at first, especially as I was half way across the world and the delay, however small, might not enable it to work; but it did.

I now have a personal cardreader so instead of just copying a number I have to insert my bank card, tell it what function to go into, enter my pin number and it will display an eight figure number. Again I have to enter this number when asked.

How does the bank know what number it has displayed? Not only that how does my card know when I have changed my pin number?

It's the last bit that gets me. Random numbers working together I can understand but changing pins, I can't.

Can somebody educate me?

highflyer40
7th Mar 2015, 10:47
Your pin is stored on your card and your card only. The little gold square chip on your card stores this information.

ORAC
7th Mar 2015, 10:52
Chip Authentication Program (http://en.wikipedia.org/wiki/Chip_Authentication_Program)

mixture
7th Mar 2015, 11:22
Can somebody educate me?

To save you interpreting ORAC's link, I'll summarise:

(a) Your PIN is used to authenticate yourself against your credit card (the chip on your card is a sort of mini-computer, so you need to give the right code in order to gain access to the restricted functions within)

(b) The chip on your card knows two things :
- The algorithm used to generate these magic numbers
- A seed value stored in such a way that it can never be read or edited by external means

(c) Your bank's system knows two things:
- The algorithm used to generate these magic numbers
- What seed value has been assigned to your card

At the time of authentication against the website it's then a simple process: you calculate A, your bank calculates B and if A=B, then you are in.

All your card reader does is send your PIN to the card, call the algorithm function embedded on your card and display the results on its little screen. The card reader itself is dumb, nothing but a mere proxy to the whole process.

That is why you can change your card PIN number as many times as you like, because the algorithm and seed value remain embedded in the card.

Fareastdriver
7th Mar 2015, 11:47
:confused::confused::confused::confused::confused::confused:


eeerrrr, thanks.

Loose rivets
8th Mar 2015, 00:58
Erm, thanks, mixture. I did read it twice, but I'm still a bit confused.

Supposing you're at that high-stress moment when the computer is timing out and strumming its fingers while you take your card out of the little machine and put it in the right way. You press a button and it communicate with your card and produces a number. The Internet is getting really impatient. It's at that moment the neighbor, the one with a lovely smile and humongous bazombers, walks by. You wave, unfortunately with the hand holding the little machine. But instinct comes to the rescue. Your fingers are gripping your priceless card. But horrors! The machine now centrifuges itself off the card and lands between the neighbor's buxomness. She smiles. She knows you're harmless and passes the machine through the window. You probably unwisely wipe the drool onto your sleeve before reaching for the card.

The computer tells you you're timed out. Buggah.

You go through it again, and all goes well, but now your little machine gives you a new number.

What I want to know is, how come this new number satisfies the bank when you've skipped a beat? Does it know about old blokes and their frailties?


Poetic license allowed as it's JB and not the computer section.

VnV2178B
8th Mar 2015, 04:24
Thanks,

one thing I did find out is that it doesn't seem to matter whose reader you use with your card.
My Lloyd's reader ran out of batteries but the Barclay's one still generated useable pass codes. The explanation above does make sense of this useful phenomenon, phenomenon because it involves different banks cooperating.:D

VnV

Adam Nams
8th Mar 2015, 06:06
I misread the title of this thread as

Personal Cheerleaders

Wishful thinking...

goudie
8th Mar 2015, 07:20
I've often asked myself this question, when I use my card reader.
Mystery solved!

joy ride
8th Mar 2015, 08:47
I mis-read it as Personal car dreaders!

mixture
8th Mar 2015, 09:09
What I want to know is, how come this new number satisfies the bank when you've skipped a beat?

Your bank will have a "look-ahead window" set on their system.

So when your request comes in, they will calculate the current (expected) value, plus the next X values.

As long as your submitted value is within the calculated window, then you will be OK.

Your submitted value then becomes the current reference value from which they calculate the window next time, i.e. you can never submit a value older than or the same as the value you submitted last time. This is in order to avoid what is known as replay attacks.

As for your neighbor and her buxomness, maybe you should become like that bloke whose name escapes me and chase her round your garden.... :E

Loose rivets
8th Mar 2015, 12:31
I'm afraid these days I couldn't catch her. :uhoh:



Most of these cheerleaders are mums.

http://img.photobucket.com/albums/v703/walnaze/PpruNe/Dashboard04thJuly003.jpg (http://smg.photobucket.com/user/walnaze/media/PpruNe/Dashboard04thJuly003.jpg.html)

Mike6567
8th Mar 2015, 14:58
I now understand (just) about the Personal Card Readers.

However, what about my HSBC Secure Key? This has no input from a card but just requires the PIN entry.

mixture
8th Mar 2015, 17:29
However, what about my HSBC Secure Key? This has no input from a card but just requires the PIN entry.

Conceptually very similar, except the algorithm and seed are embedded on the gadget instead of on the chip on the card. So the gadget is no longer dumb (as in the case of the card reader) but has some intelligence now.

It's no less secure than the card reader version; the main difference is it's a bit more admin hassle for the bank. Because instead of being able to send them out on demand, they have to link individual gadgets to each customer on the system due to the embedded seed. On the other hand, the benefit for the user is that you don't need to fiddle around with cards, and you can just use the gadget as your second form of authentication.

Algorithm wise, it's likely to be one of two things, HOTP or TOTP.

With HOTP, as well as the algorithm and seed, the gadget (and your bank) keeps track of the usage counter, which increments by one each time you use it. The combination of seed+counter is entered into the algorithm and the magic number displayed.

With TOTP, the concept is exactly the same as HOTP, except instead of an incrementing counter, you have an internal clock that outputs the number of seconds elapsed since 1 January 1970 00:00:00 GMT (the so-called epoch time). The combination of seed+epoch is entered into the algorithm. The value displayed on the screen is then generally valid for a window of either 30 or 60 seconds depending on your bank's configuration.

vulcanised
8th Mar 2015, 20:43
As usual, First Direct are more helpful with their card reader.

Although you must use it for transferring cash, etc., you can check balances etc., by just logging on in the old way.

John Hill
8th Mar 2015, 22:17
I don't know if it is good or bad but our bank has a simple printed card with a grid of numbers. Each time I log on it asks for the number in a particular square and provided I respond with the right number it is happy, that is after password and card access number checks.

No doubt someone thinks it looks more secure to have the numbers in a grid but I am sure a simple list of numbers would be just as secure.

mixture
8th Mar 2015, 22:50
I don't know if it is good or bad but our bank has a simple printed card with a grid of numbers.

Well, it fulfills the goal of two-factor authentication ("something you know" - i.e. password - and "something you have" i.e. card with numbers).

But it's theoretically somewhat less secure than the pin pads because it's all out in the open, easy to steal or copy.

ExSp33db1rd
9th Mar 2015, 05:08
It was easier before computers, I opened an envelope containing my bank statement that had just landed on the doormat - hopefully recovered before the dog ate it - and occasionally I'd write a cheque, put it in an envelope, add a 2d stamp and get some exercise walking to the corner post box.

Now I have a variety of "card readers", some need a credit card to be inserted, others just need a button to be pressed and a number is generated, then the WiFi modem goes on the blink and I have to start again, and I also have to remember where I've put my, currently, 24 page A4 sized folder of some many hundred variations of my usernames and passwords. I kid you not.

I've just tried to sell some long held UK shares that I inherited from my mother 20 years ago, but am being denied because I'm no longer allowed to sell them without declaring that I'm a UK resident and providing a UK address; can't even open the website to change my address to a compliant UK family member until I press the button that says "I declare that I'm a UK resident". Do I perjure myself now?

Life was easier before computers, and The World's Gone Mad.

gemma10
9th Mar 2015, 08:51
It's always flummoxed me as well, and I think I've got it now, but if I write down all the eight digit numbers over say a period of four weeks that I use the card, will these numbers still satisfy the web page without using the card reader? Surely the algorithm can't change unless the "bank" does an input directly to it.

Fareastdriver
9th Mar 2015, 09:51
but if I write down all the eight digit numbers over say a period of four weeks

Put the wrong number in three times and the bank will shut you out.

MagnusP
9th Mar 2015, 10:06
Loose Rivets, now, I know you're an author with a fine and fertile imagination, but I'm slightly bemused as to how your post at #6 came about. Was it the voice of bitter experience? Do you have piccies of this curvilicious neighbour? Enquiring minds &c.

mixture
9th Mar 2015, 11:18
if I write down all the eight digit numbers over say a period of four weeks that I use the card, will these numbers still satisfy the web page without using the card reader? Surely the algorithm can't change unless the "bank" does an input directly to it.

This will work IF the algorithm the bank uses is based on an incrementing counter (i.e. seed + counter => algorithm result).

But if the algorithm the bank uses is based on an internal clock then it won't work because you'll obviously be outside the time window by the time you get round to using the values a few days/weeks later.

As hinted at by another poster, most banks allow you three attempts before cutting you off. So you could generate one value, make a note of it, wait a few hours or days and then try that one value and see if it lets you log in. Then you will know for sure if the algorithm is counter or clock based.

My guess would be that for card-reader style authentication, your idea should work because the chips are probably only incrementing counters.
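As an added worked example (written for this thread, not code from any poster or bank), here are the counter-based (HOTP) and clock-based (TOTP) schemes mixture describes, with the bank-side look-ahead window and replay rejection from the earlier post, and the "written-down codes" question from this one. The seed is the RFC 4226/6238 test-vector key rather than a real card secret, and the window sizes (10 counters ahead, one 30-second step either side) are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 8  # the readers in the thread show eight-figure codes


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second windows since the epoch."""
    return hotp(seed, now // step, digits)


class BankHotpVerifier:
    """Bank side of the counter scheme: look-ahead window plus replay rejection (window size assumed)."""

    def __init__(self, seed: bytes, window: int = 10):
        self.seed = seed
        self.next_counter = 0  # first counter value the bank has not yet consumed
        self.window = window

    def verify(self, submitted: str) -> bool:
        for ahead in range(self.window):
            counter = self.next_counter + ahead
            if hmac.compare_digest(hotp(self.seed, counter), submitted):
                # Consume this counter: this code, and any earlier one, can never be replayed.
                self.next_counter = counter + 1
                return True
        return False


def verify_totp(seed: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Bank side of the clock scheme: accept the current window and `skew` windows either side."""
    return any(hmac.compare_digest(totp(seed, now + d * step, step), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226/6238 test-vector key, not a real card key
    bank = BankHotpVerifier(seed)
    print(bank.verify(hotp(seed, 2)))  # True: codes 0 and 1 were skipped (dropped reader) but 2 is in the window
    print(bank.verify(hotp(seed, 1)))  # False: older than the last accepted code, so a replay
    print(verify_totp(seed, totp(seed, 59), now=59))  # True: used within its 30-second window
    print(verify_totp(seed, totp(seed, 59), now=59 + 7 * 86400))  # False: a week-old clock code
```

A code written down from a counter-based reader stays valid until a later code is used; a clock-based code dies with its time window, which is the difference the last two posts are arguing about.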