On-line bank log-in security


Geoff S

I just received a new bank debit card and it has a different number from my old one which led me to wonder about how I log in to view and manipulate the accounts.  I have a bank supplied gadget which I suspect is widely used which accepts the card and after entering my PIN displays an 8 digit number which I enter into the bank's log-in page.  Apart from an account number (which my PC enters automatically) I have to enter the last 4 digits of my debit card.

 

What I don't understand is how the software uses a remotely generated 8 digit number to confirm my identity.  I suspect it's something to do with prime numbers.  I read a book about how they are useful for security which I more or less understood at the time but, 10 years later, I no longer remember.  Anyone with better maths skills than I understand it? 

 

The new card works OK btw using my existing PIN but entering the different 4 last digits.  I haven't experimented much because I don't want to be locked out of the account.


2 hours ago, Geoff S said:

I just received a new bank debit card and it has a different number from my old one which led me to wonder about how I log in to view and manipulate the accounts.  I have a bank supplied gadget which I suspect is widely used which accepts the card and after entering my PIN displays an 8 digit number which I enter into the bank's log-in page.  Apart from an account number (which my PC enters automatically) I have to enter the last 4 digits of my debit card.

 

What I don't understand is how the software uses a remotely generated 8 digit number to confirm my identity. 

 

Short answer - it doesn't, not really!

 

Long answer - The device in your hand is running the same software algorithm as the website you are logging into, and the bank's systems obviously hold both the PIN you are entering and the full card number associated with your account. These elements in combination with a rolling input associated with time can therefore be used in combination by both the website and your login device to generate a unique 8 digit number every 30 seconds or so that is only applicable to your account. All the website has to do is compare those numbers - if they are the same it lets you in, if not it doesn't. Most systems will actually let you enter any of the last two or three 8-digit numbers that were generated though to improve usability (some people wouldn't be able to type in the 8 digit code fast and accurately enough if it expired every 30 seconds).

 

PS - Remember the code is only one element of a multi-factor authentication; the site should still require your username and password as well, so in combination with these factors it offers pretty decent security provided the device itself has not been compromised or is a fake.

 

Edited by MattyB
  • Thanks 1

Thanks, Matty.  I must admit I'm slightly in a panic to enter the number before it disappears off the screen of my local device (well 'panic' is a slight exaggeration but I try to be quick).  I don't think it stays displayed for as long as 30 seconds.  We changed banks a few years back and the local devices were very similar apart from the name of the bank and either worked. 


46 minutes ago, Geoff S said:

Thanks, Matty.  I must admit I'm slightly in a panic to enter the number before it disappears off the screen of my local device (well 'panic' is a slight exaggeration but I try to be quick).  I don't think it stays displayed for as long as 30 seconds.  We changed banks a few years back and the local devices were very similar apart from the name of the bank and either worked. 

 

Don't worry about it. In my experience it will normally accept the current code plus the previous two as well. Try it, the worst that will happen is that it will deny you access on that attempt.

  • Like 1
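
The check described in MattyB's two replies above (both sides compute the same time-based 8-digit code, and the site accepts the current code plus the previous two), as an added sketch that is not part of the original posts. It assumes RFC 6238 TOTP over a per-account shared secret; the thread does not say which algorithm or inputs the bank's device really uses, and the key below is the RFC's published test key, not a real one.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds each code lasts ("every 30 seconds or so")
DIGITS = 8       # length of the code shown on the device
BACK_STEPS = 2   # also accept the previous two codes, as in the replies

# Assumption: one secret per account, known to the device and the bank.
# This value is the RFC 6238 test key.
TEST_SECRET = b"12345678901234567890"


def code_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code for the step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, now: int, last_used_step=None):
    """Server side: return the time step the code matched, or None.

    The caller stores the returned step and passes it back as
    last_used_step, so a code that was already accepted cannot be
    replayed during the rest of its (up to 90 second) validity.
    """
    current = now // STEP
    matched = None
    for step in range(max(0, current - BACK_STEPS), current + 1):
        expected = code_at(secret, step * STEP)
        # Constant-time comparison of the two digit strings.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = step
    if matched is None:
        return None
    if last_used_step is not None and matched <= last_used_step:
        return None  # same or older code than one already used
    return matched


if __name__ == "__main__":
    now = 1111111111
    typed = code_at(TEST_SECRET, now - STEP)  # user was one step slow
    print(typed, verify(TEST_SECRET, typed, now))
```

Accepting older codes trades a longer exposure window for usability, which is why the sketch records the last accepted step and refuses anything at or before it.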