Geoff S Posted March 7, 2022

I just received a new bank debit card and it has a different number from my old one which led me to wonder about how I log in to view and manipulate the accounts. I have a bank supplied gadget which I suspect is widely used which accepts the card and after entering my PIN displays an 8 digit number which I enter into the bank's log-in page. Apart from an account number (which my PC enters automatically) I have to enter the last 4 digits of my debit card.

What I don't understand is how the software uses a remotely generated 8 digit number to confirm my identity. I suspect it's something to do with prime numbers. I read a book about how they are useful for security which I more or less understood at the time but, 10 years later, I no longer remember. Anyone with better maths skills than I understand it?

The new card works OK btw using my existing PIN but entering the different 4 last digits. I haven't experimented much because I don't want to be locked out of the account.

Bruce Collinson Posted March 7, 2022

I too wondered about this and found an adequate explanation on Google, involving an algorithm, but the technicality must have escaped me because I cannot recall the details.

BTC

MattyB Posted March 7, 2022 (edited)

2 hours ago, Geoff S said:
> I just received a new bank debit card and it has a different number from my old one which led me to wonder about how I log in to view and manipulate the accounts. I have a bank supplied gadget which I suspect is widely used which accepts the card and after entering my PIN displays an 8 digit number which I enter into the bank's log-in page. Apart from an account number (which my PC enters automatically) I have to enter the last 4 digits of my debit card. What I don't understand is how the software uses a remotely generated 8 digit number to confirm my identity.

Short answer - it doesn't, not really!

Long answer - The device in your hand is running the same software algorithm as the website you are logging into, and the bank's systems obviously hold both the PIN you are entering and the full card number associated with your account. These elements in combination with a rolling input associated with time can therefore be used in combination by both the website and your login device to generate a unique 8 digit number every 30 seconds or so that is only applicable to your account. All the website has to do is compare those numbers - if they are the same it lets you in, if not it doesn't. Most systems will actually let you enter any of the last two or three 8-digit numbers that were generated though to improve usability (some people wouldn't be able to type in the 8 digit code fast and accurately enough if it expired every 30 seconds).

PS - Remember the code is only one element of a multi-factor authentication; the site should still require your username and password as well, so in combination with these factors it offers pretty decent security provided the device itself has not been compromised or is a fake.

Geoff S Posted March 7, 2022

Thanks, Matty. I must admit I'm slightly in a panic to enter the number before it disappears off the screen of my local device (well 'panic' is a slight exaggeration but I try to be quick). I don't think it stays displayed for as long as 30 seconds.

We changed banks a few years back and the local devices were very similar apart from the name of the bank and either worked.

MattyB Posted March 7, 2022

46 minutes ago, Geoff S said:
> Thanks, Matty. I must admit I'm slightly in a panic to enter the number before it disappears off the screen of my local device (well 'panic' is a slight exaggeration but I try to be quick). I don't think it stays displayed for as long as 30 seconds. We changed banks a few years back and the local devices were very similar apart from the name of the bank and either worked.

Don't worry about it. In my experience it will normally accept the current code plus the previous two as well. Try it, the worst that will happen is that it will deny you access on that attempt.
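
The scheme described in MattyB's two replies (device and server derive the same 8-digit code from a shared secret and the time, and the server accepts the current code or the previous two), as an added example that is not part of any post in this thread. It assumes the standard TOTP construction (RFC 6238, HMAC-SHA1) with the RFC's published test key; the thread does not say which algorithm any particular bank's card reader uses.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # rolling time input ("every 30 seconds or so" in the post)
DIGITS = 8          # length of the code shown on the device
PAST_STEPS = 2      # server also accepts the previous two codes


def totp(secret: bytes, unix_time: int) -> str:
    """Code for the 30-second step containing unix_time (RFC 6238, assumed)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, server_time: int) -> bool:
    """Server side: recompute the current and PAST_STEPS earlier codes and compare."""
    candidate = submitted.encode()
    ok = False
    for back in range(PAST_STEPS + 1):
        t = server_time - back * STEP_SECONDS
        if t < 0:
            break
        # Constant-time compare, no early exit: timing does not show which step matched.
        ok |= hmac.compare_digest(totp(secret, t).encode(), candidate)
    return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample: RFC 6238 test key, not a real secret
    code = totp(secret, 59)           # what the device would display at t = 59 s
    print("device shows:", code)
    print("typed 60 s later:", verify(secret, code, 119))   # two steps old, accepted
    print("typed 90 s later:", verify(secret, code, 149))   # three steps old, rejected
```

Nothing secret travels with the code itself: the server never "decodes" the 8 digits, it only recomputes them from the secret it already holds and checks for equality.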