Someone explain how a pin sentry works please....


I see, makes sense.

How exactly does time factor into seeding the hashing function? If it used discrete measurements (i.e. right down to the second) then obviously when the bank carries out the same calculation it will produce a different hash. I'd be amazed if it is 24 hours.


Well I just tried my sentry out. I entered my pin twice within the space of 10 seconds and it produced different codes. I'm not sure your explanation is correct as the validity of these codes is definitely longer than 10 seconds as I usually take longer than that when I log into my online bank account.
 
Being a Barclays employee, this thread has made me grin quite widely :D

I once convinced someone they did actually work on radio waves :) Which is totally untrue.

The question regarding the devices in branch and at home..... it does not matter which device you use or where, they are all programmed with the same algorithm. In fact, you can use any bank's reader with any other bank's card (although the technology was developed by Barclays), so if your partner banks with NatWest and you can't find your card reader, you can use theirs.

It is very, very, very clever and indeed links your card number (and amounts and account numbers for making payments) to the time and date you request the code to generate your authentication code to repeat back to the system, which runs the same calculation, all of course having been verified you are in possession of your card having used your PIN number to generate the code. This is why you need to input the last 4 digits of your card when you log in, so that it can match your username to your bank record and then from your record it can tell which card you are using.


We use it in branch simply to identify you - just like using chip and pin. We use the response code to "log in" to your account, just like you use it to log in to online banking - exactly the same theory.
I don't believe that the PINsentry machine knows the time/date in a precise enough way for it to be valid as a security system.
 
I see, makes sense.

How exactly does time factor into seeding the hashing function? If it used discrete measurements (i.e. right down to the second) then obviously when the bank carries out the same calculation it will produce a different hash. I'd be amazed if it is 24 hours.

It's usually a matter of minutes. There is a seed on the smart card, which is a shared secret with the bank, there is a cryptographic hash function f = f( time, secret, challengeCode ) = OTP
 
There is a time window for each calculation - Not totally sure what it is, but think it is less than 30 seconds or something. No one knows what the algorithm is apart from the people that came up with it.
 
I see, makes sense.

How exactly does time factor into seeding the hashing function? If it used discrete measurements (i.e. right down to the second) then obviously when the bank carries out the same calculation it will produce a different hash. I'd be amazed if it is 24 hours.

date was just an example :)

Whether the calculation is made with the exact date and time, or a 30 second window, the fact is the time is used.

It is trivial to calculate so you can try codes for 30 seconds behind and in front, just to allow for the time being out on the device and for slow entry.

The exact implementation will vary I'm sure, some tokens can give you the same code twice if pressed again quickly (paypal's old key fob token did, the new card type doesn't), some will always give you a different code. I'd not be surprised if a particular token is remembered as being 'used' in situations when you log onto servers as well.

The basic concept is simple though, known encrypt(secret + ever changing time) = one time password.
 
I don't believe that the PINsentry machine knows the time/date in a precise enough way for it to be valid as a security system.

Interesting. Would you believe it if you were to know that since its introduction online banking fraud has been almost eradicated?
 
Interesting. Would you believe it if you were to know that since its introduction online banking fraud has been almost eradicated?
I don't know about the validity of that but what I am saying is that although the PINsentry might be really secure, I am highly sceptical that it works on a system that relies on the time being known by the device itself. For a start, what kind of cheap mass produced device can keep any semblance of accurate time for 7 years (the stated lifespan of the device on one battery). Secondly, if I take the battery out and reset it, it still works fine. How does it keep the time without a battery?
 

I think I get it. So the server would carry out the same calculation but perhaps do it multiple times using different increments of time from the past up to the present to determine the validity of the passed code (so if you give it a code generated 10 minutes ago, the server won't go that far back therefore you won't be authenticated)?
 
I don't know about the validity of that but what I am saying is that although the PINsentry might be really secure, I am highly sceptical that it works on a system that relies on the time being known by the device itself. For a start, what kind of cheap mass produced device can keep any semblance of accurate time for 7 years (the stated lifespan of the device on one battery). Secondly, if I take the battery out and reset it, it still works fine. How does it keep the time without a battery?

I can assure you it is true. There will never be zero fraud - people will still get burgled who have their usernames and PIN numbers written down and kept in their wallets with their cards etc, but fraud cases for old-style online banking fraud have literally vanished.

In relation to the second point, I do not know the answer, but it is probably something simple. Maybe an electronics guru can make a suggestion.
 
For a start, what kind of cheap mass produced device can keep any semblance of accurate time for 7 years (the stated lifespan of the device on one battery).

It would seem it doesn't need accurate measurements of time. Assuming my understanding is correct then depending on the validity time-frame imposed by the server, it just needs to be accurate within that. So if a code is valid for say 15 minutes then being off by 5 minutes will rarely impact the user.

Secondly, if I take the battery out and reset it, it still works fine. How does it keep the time without a battery?

Probably some on-board supply just for the system clock.
 
http://en.wikipedia.org/wiki/One-time_password

It also doesn't take much energy to keep the time internally, with no sort of display. A lot of kinetic watches will go to 'sleep' but keep the correct time internally, then when you wake them up again (years later) the hands will spin round to the right time.

The only real ways for OTPs to function though are time, challenge, or sequence; it has to be seeded by something that is changing. Time is the most popular for hardware tokens and also for MOTP (check your app store if you're an Android or iPhone user).
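As an added illustration of the scheme the posts above describe (a secret shared between token and bank, mixed with a moving factor; a server that recomputes the code for a few time windows either side to allow for drift and slow entry, as suggested in the earlier post about trying codes 30 seconds behind and in front; and the sequence-seeded alternative this post lists, where a token must never hand out the same code twice), here is example Python. It is not code from the thread and it does not claim to be the bank's actual algorithm, which the thread itself says is not public. It uses the HMAC-SHA1 construction and truncation from RFC 4226/6238. The secret `DEMO_SECRET` is the RFC test-vector key and the `challenge` parameter (binding a payee/amount into the code, as the Barclays poster describes) is an assumed extension, not part of either RFC.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret (the RFC 4226 test-vector key "12345678901234567890").
# In a real deployment the shared secret lives only on the token/card and in
# the bank's verifier; it is never typed in or displayed.
DEMO_SECRET = b"12345678901234567890"


def _dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset chosen by the
    low nibble of the last MAC byte, drop the sign bit, keep `digits` decimals."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, challenge: bytes = b"", digits: int = 6) -> str:
    """Sequence-seeded OTP: HMAC-SHA1 over the 8-byte counter (RFC 4226).
    `challenge` is an assumed extension: appending e.g. payee and amount binds
    the code to one transaction, so it is useless for any other."""
    moving_factor = struct.pack(">Q", counter) + challenge
    mac = hmac.new(secret, moving_factor, hashlib.sha1).digest()
    return _dynamic_truncate(mac, digits)


def totp(secret: bytes, at_time: float, step: int = 30,
         challenge: bytes = b"", digits: int = 6) -> str:
    """Time-seeded OTP (RFC 6238): the moving factor is the number of `step`-
    second windows since the epoch, so two clocks in the same window agree."""
    return hotp(secret, int(at_time) // step, challenge, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30,
                window: int = 1, challenge: bytes = b"", digits: int = 6):
    """Server side: recompute for the current window and `window` windows on
    either side, tolerating token clock drift and slow entry. Returns the
    matching window index or None. The comparison is constant-time."""
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, current + delta, challenge, digits)
        if hmac.compare_digest(candidate, code):
            return current + delta
    return None


class CounterVerifier:
    """Sequence-seeded verifier that remembers the last accepted counter, so a
    code is usable once only, while a token pressed a few times without a
    login still resynchronises via the look-ahead."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str, challenge: bytes = b"") -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            candidate = hotp(self.secret, counter, challenge, self.digits)
            if hmac.compare_digest(candidate, code):
                self.last_counter = counter  # this and everything below is burnt
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("time-based code:", code, "matched window:", verify_totp(DEMO_SECRET, code, now))
    v = CounterVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("counter code accepted:", v.verify(first), "replay accepted:", v.verify(first))
```

Two design points worth noting against the thread's discussion: with `window=1` and a 30-second step the token's clock may be up to a full step out and the code still verifies, which is why the device needs only a rough clock rather than an accurate one; and the counter-based verifier is what gives the "remembered as used" behaviour mentioned above, since any code at or below `last_counter` is rejected even if it is otherwise correct.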
 
I can assure you it is true. There will never be zero fraud - people will still get burgled who have their usernames and PIN numbers written down and kept in their wallets with their cards etc, but fraud cases for old-style online banking fraud have literally vanished.

In relation to the second point, I do not know the answer, but it is probably something simple. Maybe an electronics guru can make a suggestion.

I'd guess, if it still works after the battery has been replaced, it's probably got a capacitor or two that will keep a clock "current" for a few minutes (the same way IIRC a bios chip can sometimes remember the settings for a few minutes if you just remove the battery).
Given the power consumption of a clock chip, it wouldn't be hard/expensive to do.

[edit]
Tele's typing faster than me :p

[edit2]
If the battery life is reported to be 7 years, the device itself must be using practically no power even "in use" - a CR2022 (CMOS type) battery for example has a shelf life of about 8-10 years :p
 
Considering this is a device that works with a C+P card, are we sure a C+P card has no way of telling the time?

Possible - C&P cards can run Java, so I am guessing they can also tell the time!

Although I think it is more likely that side of it is in the reader. But I like the idea of it :)
 
Considering this is a device that works with a C+P card, are we sure a C+P card has no way of telling the time?

They almost certainly can (like BDEE said you can run a stripped down version of the JavaVM on those things amongst other things) but without a constant power supply they can't keep time. I don't know but I would imagine it's the device that holds the time and there must be some counter-measure for people just taking the battery out and I can't see how else that would be achieved without some on-board power.
 
I don't think the C&P cards would have the space for a power source, I may be wrong :)

Having said that, I think there are prototype cards with things like eink displays.
 