Someone explain how a pin sentry works please....

OK so for a few days I have been trying to work this out.

What I want to know is HOW does my online banking know I haven't made up an 8 digit code.

I took one apart and it just looks like a calculator.

Are the codes already installed in it....?

I went into Barclays and asked, and her response was magic and lol.

Wasn't impressed with the answer tbh!

So explain how it works. Theories are OK, as well as general **** taking.

BTR
 
Always wanted to know this myself. Whether it's a radio transmitter or something?

I can't imagine it's good security if the 8 letter codes are predetermined.
 
Cryptography. You have to put your card in and a code and then it spits out a number having been through an algorithm. This result is input online and the bank's server compares the number to its result from the same inputs, et voilà!
 
Yeah my business account has one of these readers. I think it could be linked to your card (or some info on it) and date/time, to calculate the number? And matches it against their side.
 
Cryptography. You have to put your card in and a code and then it spits out a number having been through an algorithm. This result is input online and the bank's server compares the number to its result from the same inputs, et voilà!

Thanks for killing my thread JOKE! Is that really how it works?

Coz if it is, I am going to go into Barclays and tell her!
 
I'm guessing it's the same sort of process as the RSA tokens etc? If so I think they are based on complex mathematical formulas which my tiny mind will never understand.
 
Yeah it uses an algorithm that's unique to each device, the same algorithm is stored in their authentication server and so should come up with the identical result when you hit go.

Usually the number is valid for 30-60 seconds to take into account the time it takes to copy the number from the device to the screen and hit the necessary buttons.

This is why everyone freaked when the RSA server got hacked a few months ago, it potentially gave away the key for every device.
 
As stated above, Cryptography.

When you input the 8 digit number given by the online banking system your device runs an encrypted algorithm and spits a number back out based on your card details (stored on the chip) and the number input. The bank's computers obviously know these details already so calculate the algorithm as well. If the two outputs match then bingo.

/theory
 
Yeah my business account has one of these readers. I think it could be linked to your card (or some info on it) and date/time, to calculate the number? And matches it against their side.

Time. My one got covered in coffee and the time went out of sync (as they explained) so it basically input the number they are expecting in a certain window of time
 
We have two kinds in this country, the kind you put your card in and a smaller one that has to be unlocked with its own code.

Assuming the kind you put your card in works the same basic way as the smaller ones then the suggestion given above is correct.

The ones we use you unlock them with a 6 digit code
you tell the website the serial number of the unit you are using (every unit has its own algorithm)
the website then gives you a 6 digit number
you punch that into the unit and the unit spits out a different number based on its algorithm.
you give that number back to the website and if it matches its expected result you're in.
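
Added example, not part of any post in this thread: a sketch of the challenge-response flow described in the post above, where the website issues a 6-digit number and the unit answers with a number derived from a secret that only it and the bank hold. HMAC-SHA256 with HOTP-style truncation stands in for the devices' real algorithm, which the thread does not identify; the serial `SN-0001`, the sample key and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # length of the code typed back into the website


def response_code(device_key, challenge):
    """What the unit computes: keyed hash of the challenge, cut to DIGITS digits."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation (RFC 4226)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class BankServer:
    """Holds a copy of every unit's secret, looked up by serial number."""

    def __init__(self, device_keys):
        self._keys = device_keys   # serial -> secret key
        self._pending = {}         # serial -> challenge awaiting an answer

    def issue_challenge(self, serial):
        challenge = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[serial] = challenge
        return challenge

    def verify(self, serial, code):
        # pop() makes each challenge single-use, so a captured code cannot be replayed
        challenge = self._pending.pop(serial, None)
        key = self._keys.get(serial)
        if challenge is None or key is None:
            return False
        expected = response_code(key, challenge)
        return hmac.compare_digest(expected.encode(), code.encode())


def demo():
    key = secrets.token_bytes(32)  # constructed sample secret
    bank = BankServer({"SN-0001": key})  # hypothetical serial number
    genuine = response_code(key, bank.issue_challenge("SN-0001"))
    results = {"genuine": bank.verify("SN-0001", genuine),
               "replayed": bank.verify("SN-0001", genuine)}
    correct = response_code(key, bank.issue_challenge("SN-0001"))
    made_up = str((int(correct) + 1) % 10 ** DIGITS).zfill(DIGITS)  # guaranteed wrong
    results["made_up"] = bank.verify("SN-0001", made_up)
    return results


if __name__ == "__main__":
    print(demo())
```

A made-up 8-digit code matches only by chance, and because each challenge is consumed by the first answer, the server can count failed attempts per device.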
 
The card number and the number you enter go through a hashing algorithm, the result of which is compared to the one calculated by the bank.
 
What I want to know is, do these "Calcs" have the power to kill a card (three incorrect pin guesses)? Doesn't it give someone (ok in theory) who has the "calc" unlimited chances of guessing the pin with no recourse?

I have one, but I'm not wanting to test if it adds a flag to the chip.
 
I think the PIN tries are coded on the chip, so it adds a flag onto the chip itself after each try. I think it would lock out with the pinsentry just like the ATM.
 
I've not heard of this calculator approach with online banking before. Which banks implement this?

With Santander (formerly A&L), you type in a number, the system shows you a secret image and phrase that you chose yourself, confirming that the site isn't phishing, then you type in your PIN. Before anyone takes a swipe at me for using Santander, it was the same process during A&L days :-D
 
What I want to know is, do these "Calcs" have the power to kill a card (three incorrect pin guesses)? Doesn't it give someone (ok in theory) who has the "calc" unlimited chances of guessing the pin with no recourse?

I have one, but I'm not wanting to test if it adds a flag to the chip.

I got a business card through, which I ain't going to use. Just need to find it and try this theory!!!!!
 