Barclays Online - PINsentry

Comments

  • I work in computing for a large multinational, we provide much of the software for banking. As such I have a natural interest in these things. I investigated how the pinsentry works and here is exactly how:

    - there are 100 Million possible numbers that it can output (8 digits)
    - *some* of those are valid for you, probably around 10,000 for reasons I won't go into
    - each time you put your card into the reader it gives you one of this set to use. the bank makes a note of the fact you have used it (so it can't be used again).
    - the bank knows the order of these numbers that belong to you so you can't use one that was given out before the last one you used with them (even if you haven't tried that number yet).
    - The time is not encoded in the number in any way.. you could output a number and not use it for a year, providing you didn't use another number from the reader in that time

    so how is this useful?

    Well here's why.. all you have to do is sit down with the card reader and output 20 or so numbers from it and make a note of them somewhere very secure (it needs to be very secure because this is like writing your password down). then you don't need the card reader any more.. just use the top one on the list, then scribble it out.. next use the next one down and scribble it out etc etc. Simple. Barclays will never know you weren't using the card reader at the time!
    as for the safe place I don't suggest writing them on paper as that's daft but you could use one of the many password safe type programs, or a passworded word document (make sure you use a long password string), or a passworded zip file. anything with a strong password should be just fine. you could then upload this protected file to your email or somewhere.

    once you know how something works it's so much weaker by the way :-)
  • Calchas
    Calchas Posts: 405 Forumite
    Cheers jtq4u :beer:

    I have been through this whole thread trying to find out how the pin sentry works and here it is, the very last post (at the time of writing)!

    I suppose what's currently got people's attention is the inconvenience rather than the intrigue.

    Speaking of intrigue, I am intrigued to know if your post will last the fullness of time or, if in the "interests of security" it is removed.

    I am not speaking ill of this site or the people that run it, but I guess they will have a decision to make. :money:

    Once again, thanks for the explanation.
  • It looks like Nationwide is also joining in with this PIN Sentry madness.

    It would be less hassle if the banks got together with some mobile phone manufacturers and integrated a PIN sentry card reader into the side of a mobile phone. After all, they are looking at integrating banking features (e.g. Paypass) into mobile phones anyhow.

    Does anyone know if the PIN Sentry devices are identical for all the banks, Barclays / Natwest / Nationwide etc.?
    I guess it won't be too long before someone publishes the algorithm inside them.
  • CSL_2
    CSL_2 Posts: 85 Forumite
    Yes you are quite correct. There is a "common factor" to all of these. A very good logical deduction, my dear Holmes..........

    The only difference is the plastic containers that each device is contained within + or - the level of the operating voltage on which each individual Bank decides to go for .............. ende.
  • gt94sss2
    gt94sss2 Posts: 6,078 Forumite
    Does anyone know if the PIN Sentry devices are identical for all the banks, Barclays / Natwest / Nationwide etc.?

    Yes, most are similar and you could use any - regardless of the fact that it's not issued by your bank.

    All the big banks are issuing them - with the exception of HSBC/First Direct who don't believe the system is secure - they have been looking at a system using mobile phones instead. Abbey also hasn't yet decided whether to take part or not yet.

    Regards
    Sunil
  • Primrose
    Primrose Posts: 10,703 Forumite
    Heaven forbid that mobile phones should be updated to incorporate a pin sentry mechanism! I'm very happy with my 10 year old Nokia "brick" which doesn't even take photos and don't want any more fancy gadgets that cause even more problems because they don't work !
  • renard_2
    renard_2 Posts: 147 Forumite
    NatWest sent me one of these infuriating gadgets more than two months ago. It didn't work properly from day one. I am now on my third replacement card reader, and they are about to send me my third replacement debit card in the hope that that will work with it. I am not holding my breath . . .

    This hassle has driven me up the wall due to the appalling incompetence of the bank. I have spent hours on the phone, at my expense of course, being pushed from one department to another, receiving contrary advice from each new person. One blames faulty card reader, another blames faulty chips in my debit card. Others imply that I must be at fault for allegedly inputting incorrect numbers.

    Once, after being on the phone 20 minutes, I was told there was nothing wrong with my card reader and I would have to have a new card; put through to the appropriate department, whereupon the guy promptly assured me there was nothing wrong with my card and at first refused to send me one - despite the other department saying it was essential!! :mad:

    One guy I was put through to "who will sort it all out for you" actually said, "Problems with a card reader? What's a card reader?", and had to ask someone else! You could not make it up.

    The upshot is that I have been unable to operate my internet banking for over two months and am now awaiting yet another replacement debit card.

    I am at my wits' end, have lost my temper on the phone for the first time in my long life, and am utterly appalled at the sheer incompetence of NatWest. :mad:

    One of their people let slip to me over the phone: "Yes, this has not been properly thought through. Frankly, it's been a nightmare . . . "

    Now, this morning, guess what? One of the pesky card readers has arrived for my wife from her bank, Tesco. Here we go again??

    And to think we have to trust these people with our money. :mad: :mad: :mad:
  • Eydon
    Eydon Posts: 599 Forumite
    jtq4u wrote: »
    all you have to do is sit down with the card reader and output 20 or so numbers from it and make a note of them somewhere very secure

    Problem with this technique is it will only aid logging in. The second "feature" of PinSentry is when you want to make a payment to someone else's account, you need to enter the payee account number and the payment amount into the device in order to generate your challenge/response code.

    If all you want to do is bypass PINSentry for logging in then, as has been said previously, Barclays already provides such a mechanism - just click on the "Not got card reader" link and you can get read only access to your accounts.

    Having said all this, I still don't like using it.
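
The two behaviours discussed in the posts above (login codes that follow a fixed order with no time component, and payment codes tied to the payee and amount), sketched from the bank's side as an added example that is not part of any post and is not the real card or reader algorithm. The HMAC construction, the key, the 20-code acceptance window and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 8  # the thread's "100 million possible numbers"

def code(key: bytes, counter: int, data: bytes = b"") -> str:
    """Counter-based code; HMAC is a stand-in, not the real card algorithm."""
    mac = hmac.new(key, struct.pack(">Q", counter) + data, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"

class Verifier:
    """Bank side: remembers the highest counter used, accepts only later ones."""

    def __init__(self, key: bytes, window: int = 20):  # window size is assumed
        self.key, self.window, self.last = key, window, 0

    def check(self, submitted: str, data: bytes = b"") -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(code(self.key, c, data), submitted):
                self.last = c  # this code and every earlier one are now dead
                return True
        return False

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; a real key never leaves the chip
    bank = Verifier(key)
    noted = [code(key, c) for c in range(1, 6)]  # five login codes written down
    # Constructed payee details: sort code | account number | amount
    payee, other = b"20-00-00|12345678|25.00", b"20-00-00|87654321|900.00"
    out = {
        "stored_code_months_later": bank.check(noted[2]),  # no time component
        "same_code_replayed": bank.check(noted[2]),
        "older_skipped_code": bank.check(noted[0]),
        "later_stored_code": bank.check(noted[4]),
        # A login-style code carries no payee or amount, so it fails for a payment.
        "login_code_for_payment": bank.check(code(key, bank.last + 1), payee),
    }
    signed = code(key, bank.last + 1, payee)  # payee and amount keyed into reader
    out["code_moved_to_other_payee"] = bank.check(signed, other)
    out["code_for_entered_payee"] = bank.check(signed, payee)
    return out

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} {'accepted' if accepted else 'rejected'}")
```

Because the login code depends only on the counter, anything that holds a not-yet-used code can log in with it; only the payment code, which mixes in the payee and amount, is useless for any other transaction.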
  • Calchas
    Calchas Posts: 405 Forumite
    Eydon wrote: »
    The second "feature" of PinSentry is when you want to make a payment to someone else's account, you need to enter the payee account number and the payment amount into the device in order to generate your challenge/response code.

    That is perfectly true Eydon, but it is my understanding that the PINsentry only needs to be used if one is paying a bill or somebody for the first time. After the details have been set up and a payment made the PINsentry is no longer needed for subsequent transactions.
  • gt94sss2 wrote: »
    All the big banks are issuing them - with the exception of HSBC/First Direct who don't believe the system is secure
    I guess though, being a two factor system, it is more secure than just using the rolling codes that the HSBC dongle gives.

    It seems strange though that you have to enter the last few digits of your card. I would have thought that it was more secure to show a number on screen, that you have to enter into your machine. That would stop people writing down codes.
This discussion has been closed.