Home card readers


marinyork

Resting in suspended Animation
Location
Logopolis
It just reads the chip basically.
 

Gerry Attrick

Lincolnshire Mountain Rescue Consultant
Sorry.

A card reader uses a set formula, calculation pattern or "algorithm", call it what you will, which is programmed into the microchip. The result of this algorithm is that it generates a predictable code which you then enter into the web site. The same algorithm is used by the web site which identifies the code as "friend" or "foe".
 
Two different account holders given the same number will have a completely different number generated by the calculator so it's less predictable and identifiably generated by their card.
 

Chutzpah

Über Member
Location
Somerset, UK
Yep, to expand on what others have said, it uses a (relatively speaking) simple challenge-response system.

The simplest way for the bank to verify you would be to ask you to enter your PIN code into your web browser. However, the flaw with this is that anyone watching your internet traffic could easily intercept this, and then do what's called a replay attack - basically just using the same details next time.

And of course, if they're watching your connection then they already have your login details too.....

So here's what happens.

The pin code is stored on both your bank card and the bank's servers.

The bank's server generates a key (the challenge) that it displays to you. You place your card in your reader, enter your PIN to verify that it's you using it, and then enter the key that the bank has just given you.

Then, using a complicated formula that would make your head spin (it does mine!), your card reader takes the number the bank server gave you and enters your PIN code into it. It does the maths and generates a completely unique number.

You place that unique number into your web browser and send it back to the bank (the response).

Now, the bank's server has a look at the code that you've sent back, and because it knows both the formula it sent you, and your PIN, it can do the same sums and check that the two figures match up.

So why is this safe? Well, number one is that you haven't at any point transmitted your PIN code across the internet.

The second reason is that even if someone was watching your internet connection, they couldn't use that code again, because the next time you try and do a transaction, the bank's server will send a different key to you. Therefore, the response it will be looking for is different.

If you want a worked example of this sort of method, and fancy staring at your screen and saying "wha?", just read this
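Added example, not from this thread: a simplified Python model of the challenge-response exchange described in the post above. It stands in HMAC-SHA256 over a card secret shared with the bank for the real card formula, with the PIN only unlocking the reader; the key and PIN are constructed sample values. It shows a genuine login succeeding, the captured response failing when replayed against a fresh challenge, and a wrong PIN producing no response at all.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a card secret shared with the bank, and the PIN.
# On a real card the secret stays inside the chip and is never typed anywhere.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "1234"

def response_code(key: bytes, challenge: str) -> str:
    """The 'complicated formula': an HMAC of the challenge, cut to 8 digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Card:
    """The card in the reader: checks the PIN locally, then answers challenges."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def respond(self, pin_entered: str, challenge: str) -> "str | None":
        # Wrong PIN: the reader computes nothing, so the PIN never leaves it.
        if not hmac.compare_digest(pin_entered, self._pin):
            return None
        return response_code(self._key, challenge)

class BankServer:
    """The bank: issues a fresh challenge per login and checks the response."""
    def __init__(self, key: bytes):
        self._key, self._open = key, set()

    def new_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"   # random, shown to the user
        self._open.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        # Each challenge is accepted once, so a captured response is useless later.
        if challenge not in self._open:
            return False
        self._open.discard(challenge)
        return hmac.compare_digest(response_code(self._key, challenge), response)

def login_and_replay() -> tuple:
    """A genuine login, then an eavesdropper replaying the captured response."""
    card, bank = Card(CARD_KEY, CARD_PIN), BankServer(CARD_KEY)
    challenge = bank.new_challenge()
    captured = card.respond(CARD_PIN, challenge)      # what a sniffer would see
    genuine_ok = bank.verify(challenge, captured)
    replay_ok = bank.verify(bank.new_challenge(), captured)  # next session
    return genuine_ok, replay_ok, card.respond("0000", challenge)
```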