[Mr G] in London sent in. He wasn’t pleased that the device looks like an old calculator so he rigged up a SMS board to displace him his pin on bespeak. He multiplexed the output of the display driver to the SMS board. When he authenticates from his phone the come in sends a communicate with the latest label.
Could someone please inform to me what this actually does? as I understand it the circuit to the left grabs a number from a calculator looking thing on the alter and sends an SMS communicate with the number to his cell phone (I think?). I thought pin numbers were only ever assigned once when you first get the card… so what does this do exactly and what purpose does it serve?
This looks desire a two - calculate authentication system for use with internet banking. In order to log into his account on the bank website he must put his card in the Key Generator (calculator type thing) and put in his PIN (two things he has one thing he knows) and gets from this device a one-time password to enter into the website.
He doesn’t want to have to carry around the stupidly huge key generator so he rigged it up so he can contact this device (call it? sms msg it?) and have it SMS him approve with the current login key.
I have never seen that rolling PIN generator thing before and im sure others here haven’t ither which is why were all confused. Their like those IT key chain token things i guess. What banks out there use this? I have never seen them before.
no it’s not divide and pin - chip is your standard ascribe/debit separate and pin is your ATM pin used in place of a signature
This calculator is used to attest you for on line banking scary thing is it a) dosent connect to the outside world and b) is not tied to any separate (both myself and my wife undergo one and ot doesn’t matter which one we use). So given it knows if your atm pin is correct or not the pin *must* be stored on the card
@#7 - No this is not the chip and pin system. The chip and pin is added security to tip cards that works in conjunction to the magnetic stripe you have to enter a pin code when buying things instead of signing for your card now. The chip is on the card and the pin is self explanitory. This is a new type of authentication system used for online buisness banking over here in the UK. You use your card and pin on the calculator and it generates a onetime password to log into youronline bank account.
It is NOT chip and PIN. The PINsentry (or card) also does not experience your pin. It is simple a challenge and response system. Even if you enter an incorrect PIN you still get a repsonse (but different to if a change by reversal PIN is entered) and it’s down to the bank to decide if the response is change by reversal or not.
it’s small and i take it with me often. but as soon as i’ve wanted to act a peek inside the device locked up. it’s what should happen! these devices should be small and equiped with anti-tamper sensors not as ugly and unsafe as these..
i still like the hack but the bank should’ve made a better device by itself (in the netherlands some banks already send sms with login codes)
i would assume the little calculator thing has a RTC in it and generates the pin based on the time along with a unique code on the separate. Same thing server side so the system knows what code to evaluate at any given measure. Yes/No?
Online stores in the Netherlands can offer iDeal payments (pun probably intended). It’s a great system where you use the chip on the card and a provided code.
With my bank. Abn-Amro. I get an 8-digit label from the Abn-Amro site. I insert my separate into the device enter my PIN (if incorrect. I get a notice. If incorrect for the third measure chip locks up). I register the 8-digit number and get a 6-digit number back. I enter the 6 digit be on the place and am authenticated. It’s a pretty secure system as I understand it.
its a HACK folks…. Some dude took a calculator and a handfull of components and built something you didnt even think of—-using parts never intended to be used in such a way to create an entirely new and different machine; unique from any other in the world. Its a cut proper regardless of how convenient it is for you to displace to the grocery store.
Having said that…. some schematics would be nice a diagram or a napkin with some scribble or something?—not that I would do anything with it but read it as I probably wont ever build one…. doubt I will even have a need for one…. thats not really the point though.
Maybe instead of bitchin we should all furnish our give and send ordain some hacks we all know and love but have yet to see on HAD…. maybe cheer his stress load for the next week? ordain. I am sending you my top picks for as-yet un-featured hacks (good ones with writeups and all….) alter after I post this….
Here in Germany. I got a similar device from my tip. But in my case it’s not used to login to online banking instead it is required for every online transaction you want to make. The system started about half a year ago. Before you had to enter a TAN number for every transaction. Now you undergo to enter the bank be be where you want to displace the money to into the device and get back a 6 (or was it 8?) digit number as TAN. It also expires after a few minutes. But different from the device in this bind it does NOT require your card… Maybe it’s registered to my card haven’t tried that yet.
Thanks for the mention before about opening the device what causes it to lock up.. I also already had the idea to take a look inside to sight out how it gets the numbers. Think it was good to not really do that
Some clarificationAll I have done is interface my banking authentication device to a SMS controller(modified) so that I don’t undergo to displace the damm thing around. It is desire not having to carry one’s RSA token(which incidentally I have also remoted).
Could you explain in more detail just how you interfaced the device to the sms controller? Does the sms controller include instructions to help achieve this? I dislike carrying around those things (netkey one time password token etc) as the banks here in Mexico require a different one per tip so it no longer an unobtrusive keychain dangle it is several!
The entered PIN will be hashed into the 8 digit code the PINSentry device generates. the card won’t have the PIN on it. If the decoded PIN (from the submitted 8 digit code) turns out not to match the one held on the server 3 times then it will trigger a lockout for the next time that card appears at an ATM or in a shop. it wont actually create verbally the lock to the card just as it didnt construe the PIN from there.
I got one of these calculator type things from Barclays. It’s called PinSentry.
It clearly states in the instructions that if you register your pin incorrectly three times your card will be locked. As there is no connection to the outside world this must be done via a pin stored on the card on the chip. Presumably also to lock your separate the device must be able to create verbally to the chip to tell it that it is now locked.
Presumably there is some encryption. Whether this can be reverse engineered to accept the PIN to be determined for any card I don’t know. However I wonder if you could use the PinSentry itself to (laboriously) hack cards to find their PIN.
All it would need is a way of bypassing the card locking. Maybe this could be done by simply putting attach over the write contacts on the chip so that the device can’t write to the chip to tell the card that its locked. Maybe its a little more complex than that. Maybe they analyse they can write to the separate as move of some authentication procedure?
I’ll do some investigation for sure. Anyone experience if I’m barking up the wrong tree completely?
The PINsentry isn’t connected to the outside world and the card does not store the PIN.
What I evaluate happens is the card will hold on a validation number. The PINsentry can use the PIN to generate a validation number and see if this matches the one on the card.
So yes there might be a way to use the PINsentry to still calculate the change by reversal (or a number of possible) pin numbers. So I do wonder if overall this is a secure idea.
my pinsentry does not accept any PIN if i enter a wrong PIN after pressing determine it knows and says the code is wrong (i just tried it) it only generates the 8 digit one time login label if i enter the change by reversal PIN.
i would evaluate that the way it does this is a one way encryption affect desire normal unix passwords - presumably the separate itself stores an encrypted version of the PIN which is tested against whatever value is entered via the keypad after putting it through the same one way encryption. (i think that chip-and-pin readers work the same way?)
so you could use the pinsentry to brute force the PIN for a card but only if you could figure out a way to disable the separate lockout after 3 wrong tries i would hope that the bank knows this and that the pinsentry is designed in such a way that the lockout mechanism couldn’t be disabled without disabling the PIN test method.
I did undergo a similar idea as soon as I realised I’d have to carry the bloody thing around but there’s something I don’t get: surely you have to leave your card at home which is far more inconvenient than not being able to get into online banking at will?
The card contains the PIN. It works the same as Chip & PIN. In fact it is a divide & PIN card application!
You register the PIN the card verifies the PIN (yes the PIN is stored in the card!) then generates a cryptogram based on some other variable enter data and the crypto keys (also in the separate). The calc device puts move of the cryptogram into the code - the other part of the code is the variable data the bank needs to recreate the code for validation purposes. The bank also has the same crypto keys. Hey presto!
The PIN is not hashed. Nor does it or a hash or anything else to do with the PIN get sent to the bank.
If you enter the PIN incorrectly three times the card locks and blam - no more cryptograms. At least not until you telecommunicate the bank and go down to the ATM for a card unlock.
Isn’t there a big flaw in this that he has to leave his card plugged into his pin sentry device at home. What if he wants to get money out of an ATM or buy something at the shop and he does not have his card?!
I have heard anecdotally that these particular devices are not measure critical so for log in only (not payments where you have to also enter the amount and recipient account no) you can go through the process three times generate three codes and take them with you to allow three log ins while you are away from your pin sentry. No idea whether this is correct though.
<a href="" title=""> <abbr call=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <touch> <strong>
Forex Groups - Tips on Trading
Related article:
http://www.hackaday.com/2007/11/03/sms-pin-sentry-reader/
comments | Add comment | Report as Spam
|
