Chris Hocking
Get involved and share your knowledge. You know more than me and I know more than you. Let's know the same!
Friday 4 April 2008, 11:00 AM
Calculator Looking Number Generator from the Bank
Now the instructions say that every time you want to pay money from your account into someone else's, or set up direct debits etc., I need to use this device. It doesn't communicate with the PC in any way; it just generates a number you need to give to the bank when you make certain transactions.
Maybe I'm wrong but I assume it takes your card details, runs some kind of algorithm and generates a number every time. And maybe I'm wrong about this but I assume my bank hasn't produced a different device, running a different algorithm for every customer!
So surely if I was a fraudster, and I have your details, I just need to know the algorithm on these devices and it makes the whole idea of the device pretty pointless. People who steal from bank accounts do it for a living and this is in my view a very little hurdle for them to jump.
My opinion is that the banks have decided to distribute these almost in a way that resembles ignorant propaganda saying this will solve threats to your account merely for them to look good. They know Joe Public will say:
“Isn’t it good, my bank sent me a little calculator thing and now my account is safe (yeah right), my bank are so thoughtful they must really be looking out for their customers”.
Surely the money for devising this scheme could have been better spent on being more proactive when it comes to threats to their customers rather than releasing a gimmick.
Comments on this post
Hi Chris, I understand your concerns, having had my bank card swiped on one occasion and used for a bit of a shopping spree at Asda and B&Q in the Midlands. The bank acted very quickly in that case and returned my money pretty fast, but it concerned me that someone could, having swiped my card, go and use it as they liked. On that occasion I think it was just before chip and PIN came in, and I was somewhat comforted by the fact that a) I could prove I wasn't in the Midlands at the time the card was used and that b) I felt confident that any analysis would show that the signature used was fraudulent. Chip and PIN, at a swipe, removes one of those comfort factors that I have as a customer. If someone does manage to obtain my PIN, can I really prove that it wasn't I who typed it in to a terminal?
The random key generators, which it sounds like you have, do add an element of security. I'm not sure quite how yours works but some I know produce a random number when you press a button; you then use this random number (something you have), which is only valid for a couple of minutes, along with your PIN (something you know) to create a unique, one-time-use passcode that will authenticate you.
It means that even if your card is swiped then the duplicate card will be useless without your random key generator, which would have to be physically stolen from you. This is true even if the culprit managed to obtain your PIN number.
Can the algorithm be cracked? Well, never say never, but I know I'd feel a whole lot more comfortable if my bank would give me one of these too.
I would ask: how can that number generated only be valid for a couple of minutes when it doesn't communicate with anything? Surely, when I need to input the number on my online banking, I could push the button 5 times and use that number.
I can see Chip and PIN is effective but it can still be used in countries that don't use it. I just really don't think this will bring any security at all if the algorithm is compromised.
The device isn't used for logging in either, so your account number etc. can still be gained that way. I have also been defrauded twice with my cards sitting in my wallet. Apparently I was in Canada.
There must be a mathematical formula that combines the number on your card and the time of generation, plus maybe the "calculator"'s ID.
See, this may be the case or it may not. What I would like to know is whether anybody out there, be you from the banks themselves or anyone else, has any definitive information on this. Please share it so we can establish whether it adds security or is just a publicity stunt.
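
Added example, not part of the original post or its comments: a minimal sketch of how a token that never talks to anything can still produce a code the bank accepts only for a short time, assuming the device follows the open HOTP/TOTP standards (RFC 4226 / RFC 6238). The page does not say which scheme this bank's device uses; the key values, `bank_verify` and the 30-second window are assumptions for illustration. The algorithm here is public, and what differs per customer is the secret key held by the device and the bank.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time window (assumed; the RFC 6238 default)
DIGITS = 6

# Constructed sample keys: the RFC 4226/6238 test secret and a made-up second customer key.
ALICE_KEY = b"12345678901234567890"
BOB_KEY = b"a-different-device-key"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is the number of STEP-second windows since 1970."""
    return hotp(secret, now // STEP, digits)


def bank_verify(secret: bytes, code: str, now: int, drift: int = 1) -> bool:
    """Bank side (hypothetical helper): recompute from its own clock, +/- drift windows."""
    return any(
        hmac.compare_digest(totp(secret, now + d * STEP, len(code)), code)
        for d in range(-drift, drift + 1)
    )


if __name__ == "__main__":
    t = 59  # fixed timestamp taken from the RFC 6238 test vectors
    code = totp(ALICE_KEY, t)
    print("Alice's device shows:     ", code)
    print("Bob's device shows:       ", totp(BOB_KEY, t))
    print("bank accepts it now:      ", bank_verify(ALICE_KEY, code, t))
    print("bank accepts 3 min later: ", bank_verify(ALICE_KEY, code, t + 180))
    print("accepted against Bob's key:", bank_verify(BOB_KEY, code, t))
```
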


