Thread Author: Dulwich Estate Replies: 46

 Internet Banking - Security - Key Pad - Dulwich Estate
Like many others, I have been issued with a key pad which generates a number when I key in my own code. This new number is then keyed into the account log-on section.

How does it work? How does the bank know what the newly generated number is? I believe the key pads are not personal so you can use any for the same bank.

Is it really more secure?

On a different tack, a family member was robbed of £2000+ from an internet account and was refunded by the bank within 4 days. I have no worries using the system.
 Internet Banking - Security - Key Pad - Focusless
You key in your card PIN and the number given to you on the web page (which is different for each transaction). This goes through an algorithm in the device to generate the authentication number you enter. The web site uses the same algorithm to get (hopefully) the same number for comparison.

EDIT So it depends on the algorithm being kept secret.
Last edited by: Focus on Thu 5 May 11 at 12:31
 Internet Banking - Security - Key Pad - Dulwich Estate
" EDIT So it depends on the algorithm being kept secret."

So if you were savvy enough to interrogate the chip in the key pad you'd get the algorithm?
 Internet Banking - Security - Key Pad - John H
>> " EDIT So it depends on the algorithm being kept secret."
>>
>> So if you were savvy enough to interrogate the chip in the key pad you'd
>> get the algorithm ?
>>

www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

en.wikipedia.org/wiki/Digital_signature

en.wikipedia.org/wiki/Security_token

 Internet Banking - Security - Key Pad - Cliff Pope
Despite the number being 8 digits long, it's a bit concerning that it is not entirely random.
My Barclays machine increases the first part of the number by a fixed amount with each use.

I also have the distinct impression that my Lloyds log-in which prompts for 3 characters from my memorable word has a definite bias for numbers 1 and 3. Also if ever two of the prompts are for adjacent characters, they are invariably 5, 6 or 7, it never asks for 1, 2 or 12, 13.

This may only be an unverified impression, and it may not matter, but it does always leave me wondering.
One definite weakness of the Lloyds log-in is that if I make a mistake, the repeat request is always for the same 3 characters.
 Internet Banking - Security - Key Pad - Stuartli
>>..that my Lloyds log-in which prompts for 3 characters from my memorable word..>>

I also have a LloydsTSB online account as well as a Halifax equivalent (it has brought in the same system for obvious reasons), but I've never noticed any particular sequence becoming apparent in either case.
 Internet Banking - Security - Key Pad - John H
>> One definite weakness of the Lloyds log-in is that if I make a mistake, the
>> repeat request is always for the same 3 characters.
>>

No, that is a design feature. If you get the same requested digits wrong again (three attempts are allowed), then the "bank" software knows you are a fraudster just trying out random numbers.

 Internet Banking - Security - Key Pad - Mapmaker
>> >> One definite weakness of the Lloyds log-in is that if I make a mistake, the
>> >> repeat request is always for the same 3 characters.
>>
>> No, that is a design feature. If you get the same requested digits wrong again
>> (three attempts are allowed), then the "bank" software knows you are a fraudster just trying out random numbers.

Well, that may be how it's supposed to work, but I don't understand it. If you have to guess a 3-digit code (having found out my n-digit access code that isn't saved anywhere other than my head) then it's a 1-in-a-thousand chance of getting it right. With three goes on the same three digits it takes it down to 1 in 333.3. Whereas if it chose three digits randomly for each of the three tries then it would stick at 1 in 1000.
 Internet Banking - Security - Key Pad - John H
>> in 333.3. Whereas if it chose three digits randomly for each of the three tries
>> then it would stick at 1 in 1000.
>>

Which is why they reckon that even though they have reduced your chances of getting it wrong at the 2nd and 3rd attempt, and yet you get it wrong on the 3rd attempt, it is time to lock you out.


Last edited by: John H on Thu 5 May 11 at 17:41
 Internet Banking - Security - Key Pad - Focusless
>> So if you were savvy enough to interrogate the chip in the key pad you'd
>> get the algorithm ?

I believe so, yes - presumably they've tried to protect it.

EDIT (posted before seeing John H's post)
Last edited by: Focus on Thu 5 May 11 at 12:51
 Internet Banking - Security - Key Pad - R.P.
Smile issued these a couple of years ago - then dropped them quietly no message, no fuss.
 Internet Banking - Security - Key Pad - Focusless
>> >> So if you were savvy enough to interrogate the chip in the key pad
>> you'd
>> >> get the algorithm ?
>>
>> I believe so, yes - presumably they've tried to protect it.

...although I guess the algorithm might be on the card chip rather than the key pad - the latter might just act as the interface. Perhaps John's links clarify (sorry haven't read them yet).
 Internet Banking - Security - Key Pad - Zero
The device uses your card (which is unique to you) to generate the numbers.
 Internet Banking - Security - Key Pad - Dulwich Estate
>> The device uses your card (which is unique to you) to generate the numbers.
>>

I don't think I understand. In fact I know I don't understand. There is no link between the card and the keypad. The keypads too are not unique - you can use another one.
 Internet Banking - Security - Key Pad - Zero
Is this not the type where you slide your card into the keypad/reader?
 Internet Banking - Security - Key Pad - Focusless
>> >> The device uses your card (which is unique to you) to generate the numbers.

The card is unique but I think the algorithm is common to all cards and the website?
 Internet Banking - Security - Key Pad - Alanovich
Are they like RAS cards, which need to be synched with the host system before they're issued to users?
 Internet Banking - Security - Key Pad - Pat
I think DE means the same device I have from the HSBC for our Charity account.
It's black, about 3'' long by 1.5'' wide.
You log in with your user name and password and then are asked for the number.
After pressing a button the device shows a different random number each time.

I always wonder how it works too.

Pat
 Internet Banking - Security - Key Pad - VxFan
Or is it a PINsentry type device?

en.wikipedia.org/wiki/Chip_Authentication_Program
Last edited by: VxFan on Thu 5 May 11 at 13:56
 Internet Banking - Security - Key Pad - Focusless
>> Or is it a PINsentry type device?

That's what I assumed - same sort of thing as our Nationwide thingummies.
 Internet Banking - Security - Key Pad - John H
>> Or is it a PINsentry type device?
>>
>> en.wikipedia.org/wiki/Chip_Authentication_Program
>>

Yes that is it. Your link is the one I was looking for when I posted the other wiki links.

Zero: as it says there,
"The CAP readers of Barclays, Lloyds TSB, Nationwide, NatWest, Co-operative Bank/Smile and RBS are all intercompatible."
Last edited by: John H on Thu 5 May 11 at 14:08
 Internet Banking - Security - Key Pad - John H
>> I always wonder how it works too
>>

Here is a diagram showing how these systems work:
en.wikipedia.org/wiki/File:Digital_Signature_diagram.svg
 Internet Banking - Security - Key Pad - Dulwich Estate
"I think DE means the same device I have from the HSBC for our Charity account.
It's black, about 3'' long by 1.5'' wide."

Yes, Pat it's the HSBC one. There is no card slot and it looks like a calculator. It's black with a red border and 35mm wide, 72mm long, 3mm thick and securely (Mmmm....) made in China
 Internet Banking - Security - Key Pad - John H
>> Yes, Pat it's the HSBC one. There is no card slot and it looks like
>> a calculator. It's black with a red border and 35mm wide, 72mm long, 3mm thick
>> and securely (Mmmm....) made in China
>>

I haven't seen one of those yet.

Some years ago, they said:

"Efforts to standardise online banking security could be undermined by HSBC’s refusal to adopt two-factor authentication for access to its web accounts.

Some high-street rivals have explicitly linked growth in online banking with improvement in security procedures.

The firm is now questioning the need for investment in industry body Apacs’s standard card reader."

new HSBC system
www.hsbc.co.uk/1/2/security-centre/secure-key
Last edited by: John H on Thu 5 May 11 at 15:06
 Internet Banking - Security - Key Pad - Pat
They're not listening to us DE:)

It doesn't have a key pad, you can't put a card in it and it only has one button to press.

It has a small digital screen which generates a 6 figure number.

Pat
 Internet Banking - Security - Key Pad - AnotherJohnH
>> I think DE means the same device I have from the HSBC for our Charity
>> account.
>> It's black, about 3'' long by 1.5'' wide.
>> You log in with your user name and password and then are asked for the
>> number.
>> After pressing a button the device shows a different random number each time.
>>
>> I always wonder how it works too.
>>
>> Pat
>>

That sounds like the kind of thing that some of my "managerial" colleagues had for doing secure work via internet a few years ago.

AFAIK the box is a pseudo-random number generator with time of day being part of its seed (ie the generated number changes periodically and is only valid for a short period of time).

At the "bank" end there is an identical pseudo-random number generator with the same seed - as long as the clocks stay in sync their generated numbers are the same.

The above is from memory and a good googling may find some of the details a bit off the mark, but I think the principle is correct, if not the detail or some of the words used.
 Internet Banking - Security - Key Pad - Pat
That certainly sounds like it and I've had it for eight years now.

Pat
 Internet Banking - Security - Key Pad - John H
>> The device uses your card (which is unique to you) to generate the numbers.
>>

All the card readers issued to customers by Natwest, Barclays, and Nationwide are the same and are interchangeable. (don't know about the other banks as yet). They all use the same algorithm and read your card embedded chip in exactly the same way.



 Internet Banking - Security - Key Pad - Focusless
>> They all use the same algorithm

So the algorithm is on the key pad, not in the chip on the card?
 Internet Banking - Security - Key Pad - Dulwich Estate
>> They all use the same algorithm

So that's secure then...
Last edited by: Dulwich Estate on Thu 5 May 11 at 14:39
 Internet Banking - Security - Key Pad - John H
>> >> They all use the same algorithm
>>
>> So that's secure then...
>>

Yes, just as secure as using CHIP and PIN in a shop.
All they prove is that the person at the keyboard has the original valid bank card, i.e. cardholder is present. The cardholder could well be a thief sitting at your PC, holding you hostage until your PIN has been accepted by the cardreader.

Last edited by: John H on Thu 5 May 11 at 15:00
 Internet Banking - Security - Key Pad - Dulwich Estate
"All they prove is that the person at the keyboard has the original valid bank card"

But I don't use my card - it's just a keypad.

There is no card, there is no card, there is no card.
Last edited by: Dulwich Estate on Thu 5 May 11 at 15:07
 Internet Banking - Security - Key Pad - John H
>> "All they prove is that the person at the keyboard has the original valid bank
>> card"
>>
>> But I don't use my card - it's just a keypad.
>>

I was talking about the card readers issued by the banks I specifically named.

The key word(s) is(are) "cardreader" ("card reader") in my posts.

Last edited by: John H on Thu 5 May 11 at 15:09
 Internet Banking - Security - Key Pad - Iffy
...But I don't use my card - it's just a keypad....

I fink I must be a bit fick.

First AV, now this.

I can't grasp how an unconnected randomish number generator can effect logging into a bank's website.

 Internet Banking - Security - Key Pad - John H
>> I can't grasp how an unconnected randomish number generator can effect logging into a bank's
>> website.
>>

It sends signals to the moon, where the Sunday Sport editor reads the code in his lunar lander craft, and either approves or rejects the transaction before passing it on to Elvis and Michael Jackson and Osama to clear the reply to be sent back down to the lunatics on earth.
Last edited by: John H on Thu 5 May 11 at 15:15
 Internet Banking - Security - Key Pad - Iffy
...it sends signals to the moon....

Ah, makes sense now.

Must get one, is diesel or petrol best?

 Internet Banking - Security - Key Pad - Cliff Pope
Is this how it works?
Think of it as a little man inside armed with a codebook. You put in certain data - the bank account reference, the amount, your PIN. He uses the appropriate code for the time and day, give or take a few minutes. He generates a number.
Another little man at the bank end does the same thing, using the same information, and code book. If he gets the same number, then he lets you open the account or make the payment.

So I suppose the number is not exactly random, simply unpredictable, but repeatable given the same data entered at the same time.


Here's an experiment:

Borrow a second reader, and have two people enter the same information at the same time. Do they get the same number?
(They don't have to use the same card. The Barclays reader has its own card or you can use your ordinary card. It doesn't matter which, as long as you enter the appropriate number)
Last edited by: Cliff Pope on Thu 5 May 11 at 15:35
 Internet Banking - Security - Key Pad - Focusless
>> I can't grasp how an unconnected randomish number generator can effect logging into a bank's
>> website.

I guess it is attempting to prove that the person logging in is the owner of the account, on the basis that:
- they are in possession of one of the cards issued to the account owner
- they know the card's PIN.
 Internet Banking - Security - Key Pad - Iffy
The random number generator is just that.

The user doesn't enter anything into it, or swipe their card through it.

Pat PDA's generator only has one button.

Quoting her post (above): "It doesn't have a key pad, you can't put a card in it and it only has one button to press. It has a small digital screen which generates a 6 figure number."




 Internet Banking - Security - Key Pad - Focusless
>> The random number generator is just that.

Sorry - I had gone back to the 'normal' type that you stick your card into.
 Internet Banking - Security - Key Pad - John H
Just watched the demo at
www.hsbc.co.uk/1/2/security-centre/secure-key-demo

The "secure-key" that they send you is uniquely linked to your account via you having to enter its serial number to activate it at the first use with your account.

From then on, I think it works very much like the security tokens here:
en.wikipedia.org/wiki/Security_token

Last edited by: John H on Thu 5 May 11 at 15:41
 Internet Banking - Security - Key Pad - Cliff Pope
I think there must be different kinds. Some like Barclays have lots of buttons, and you have to replicate what you are entering online with a similar action on the keypad. It's hard to see how they can all work on the same principle therefore.
 Internet Banking - Security - Key Pad - John H
>> I think there must be different kinds. Some like Barclays have lots of buttons, and
>> you have to replicate what you are entering online with a similar action on the
>> keypad. It's hard to see how they can all work on the same principle therefore.
>>

All the banks I listed earlier use the standardised APACS card reader.
HBOS/Lloyds and Santander/Alliance-Leicester are those I don't know about and haven't checked their websites.

HSBC has gone its separate way with a non-card-reader.

Last edited by: John H on Thu 5 May 11 at 16:00
 Internet Banking - Security - Key Pad - Dulwich Estate
So far we are all agreed - it's an Enigma.

But without the brass wheels.
 Internet Banking - Security - Key Pad - Zero
..
Last edited by: Zero on Thu 5 May 11 at 17:52
 Internet Banking - Security - Key Pad - Mapmaker
I now have one of these, the HSBC one so it uses NO CARD. It offers a different number to type into the website every ten seconds or so. Bizarre.
 Internet Banking - Security - Key Pad - Mike Hannon
This is an interesting read

Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets by Nassim Nicholas Taleb