how do pin sentry devices work

jamespir
Posts: 21,456 Forumite
Just wondered how these work. I have one for Barclays and it's basically a fancy calculator. I know there's no link to my online account, but when I put my card in and put the PIN in, it gives me a number to type in the box.
Now I've tried putting 1-2 numbers wrong and it tells me the number is wrong. How does the online service know this?
Replies to posts are always welcome, If I have made a mistake in the post, I am human, tell me nicely and it will be corrected. If your reply cannot be nice, has an underlying issue, or you believe that you are God, please post in another forum. Thank you
Comments
-
It's just an algorithm based on your card number and the certificate stored inside the chip in your card (this is why you are asked for the last 4 digits from your card, so it can select the appropriate certificate). From this your card reader generates a number, the online site generates a number using the same algorithm, and if they match it lets you in. The source code to PINSentry is freely available on the internet, but it's still secure as it still requires the card to function. If you don't want to carry your card reader with you then you can write down a sequence of numbers and use them in sequence.
The online system doesn't really care about your PIN - it's never transferred. That part is simply a Verify request to the chip on the card, which then returns an OK or NOTOK to state whether or not you entered the correct PIN.
-
Gromitt got it in one. Your card number, PIN and the chip together form a very difficult to guess password using a hash function (or algorithm).
http://en.wikipedia.org/wiki/Cryptographic_hash_function
-
Agree with most of the above, though it is actually a 2 step process, as if you enter the wrong PIN into the reader you don't get any code generated, so the PIN gives access to the code and is not part of the code generation itself.
The part missing from the above is the fact that time is also used in the generation of the code, which is why the code is different each time and why you cannot use the same code all the time.
-
InsideInsurance wrote: »The part missing from the above is the fact that time is also used in the generation of the code which is why the code is different each time and why you cannot use the same code all the time.
I understand that the 8-digit codes are purely sequential. This is why you can generate a code and then wait several days before using it, if you so wish.
-
Think of it more like a One Time Password than a time, it simply generates numbers which are guaranteed to be unique. The way it does this is via the chip command 'GENERATE AUTHORISATION CRYPTOGRAM EMV'. The banks have basically taken what they already have for processing a CNP card at a retailer and used it for internet security. Lots of weaknesses (won't describe them here), but cheap to implement.
Some cards don't require the PIN to be valid to use the appropriate functions, but there is a function to check if the PIN you entered is valid (pass it to the card and it'll return an OK or NOTOK response).
If you're really interested you can download the specifications from emvco.com.
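A sketch of the counter-based scheme the replies above describe, added here as an example and not taken from the thread or from PINsentry's own code. It uses RFC 4226 HOTP (HMAC-SHA1) as a stand-in for the card's cryptogram; the `Card` and `Bank` classes, the key and the 10-code window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 8  # the thread mentions 8-digit codes


def otp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter-based one-time code (RFC 4226 HOTP), standing in for the card's cryptogram."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Card:
    """Reader plus chip: the key never leaves it, the counter advances per code."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def next_code(self) -> str:
        code = otp(self._key, self._counter)
        self._counter += 1
        return code


class Bank:
    """Server side: same key, remembers the next counter value it will accept."""

    def __init__(self, key: bytes, window: int = 10):
        self._key = key
        self._next = 0
        self._window = window  # how many skipped codes are tolerated (assumed)

    def verify(self, code: str) -> bool:
        # Recompute the codes the card could have produced since the last login.
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(otp(self._key, c), code):
                self._next = c + 1  # this code and all earlier ones are now dead
                return True
        return False
```

The bank never sees the PIN or the key on the wire: it recomputes the expected codes itself, which is how a mistyped digit is detected, why an unused code still works days later, and why a code cannot be replayed.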