How does PIN Sentry work?

It looks like a calculator - a basic, harmless device, but one that can cause arguments similar in scale to bringing the Monopoly board out at Christmas. I'm talking about the Barclays PINsentry card reader.
Gone are the days when you could log into your online banking using a few numbers scribbled on a Post-it note in your top drawer. No, these days you also need an eight-digit number generated by putting your bank card into a device that looks a lot like a pocket calculator. You need to generate a new unique number every time you want to access your account.
The reason it causes arguments is that nobody seems to know exactly how it generates the number, yet everybody has an opinion on how it's done. The rubbish I've heard people say never ceases to amuse me,
"It uses radio waves to check your pin with their central computer."
"Each machine has a unique code inside it, linked to the user's account."
"Barclays are using these devices to invade home PCs and takeover the world."
Wrong. Wrong and probably wrong.
As it happens, I don't know how the damn thing works either, but I suspect, on grounds of common sense and the fact that (as Avi pointed out) distributing unique calculators would be extremely difficult to administer, that the eight-digit number is based on some very simple variables such as a number stored on your chip and the time.
The leaflet Barclays provided did nothing to tame my curiosity. I glanced through the questions and smiled to myself when I found "How does it work?" only to find that the response was:
"Each time you use the PINsentry card reader, it creates a new, unique eight-digit code that you can use to bank online."
Now I'm no expert on language, but to me that does not answer the question "How does it work?" but rather "What does it do?", which is exactly what got me thinking in the first place.
So come on my best geeks, how does it come up with the number?

35 Comments

I reckon there's something it needs stored on each card.
Funniest of all is how it knows when you get your pin wrong. Now surely that's not stored on the card?!?
I reckon the PIN is stored in the chip (hence chip and pin) so it checks your PIN independently of anything else.
You can use any PINSentry not just your own one, so there is nothing unique about each device.
And yes, I reckon some kind of combination of your card number, the date & time and a random algorithm that does it.
Magic!
I too am puzzled. I can only believe it is a combination of aliens from outer space, the ambient temperature in the room, and the possibility of England winning the next World Cup. Hmmm...
It's simple...tiny fairies living inside do everything :P
Can't be unique to each PINsentry reader because any PINsentry works with any card. Also, how will it know when you change your PIN at the bank? I think it has a small wireless unit that syncs with your details on the internet when you log on, and generates its random numbers to match what the site access is looking for.
It can't be wireless as it would need authentication to access your home internet. I'm going to work on a program to solve this once and for all. Will let you know how it goes!
This should help you out.
http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
I think WIFI might be in use here... And yes, to answer earlier comments, the PIN is and always has been stored ON your card, in an 'ultra secure' location. Bit stupid if you ask me, but hey.
It doesn't use the WIFI, the internet or radio signal, it uses an algorithm. This is a mathematical system to generate a number, based on an input of the last 5 digits of your card number + date + time. The central computer has exactly the same algorithm.
Obviously Barclays keep the details of the system quiet, as to keep it secure.

I don't think the date and time are needed. It's been a while since I used mine, but doesn't the process go something like this?
1) put your card in the reader
2) put in your pin
3) put in a code supplied by the bank on the website
4) get a new code from the reader and put it into the website.
This means that the reader uses your card number + your pin + the code from the website to generate a new number based on a secret algorithm that Barclay also knows. This means that the reader can be very dumb: it doesn't need to know the date, nor does it need any connection to the world other than the card inserted.
The security of the system depends on the secrecy of the algorithm used to turn your card number + the number given from the website into a new number, and thus in principle is very secure. It also of course depends on you not telling/showing people your pin; by far the weakest link in the chip-and-pin system.
http://en.wikipedia.org/wiki/One-time_password
The point of these things is that the number generated is no use to anyone who intercepts it. It only works at the time it is generated. There is a clock in the PINsentry, and it uses the date/time, card number and PIN to generate a "perishable" code. The PIN is on the card encrypted by a "one way" algorithm. When you enter the PIN, it is processed by the same algorithm and compared to the encrypted PIN. The PIN is never decrypted.
I don't believe the date/time is used or relevant, and the codes are not 'perishable', or at least they weren't a year or so ago - I generated a load of codes for use when I was away and might not have my PINsentry with me, and they worked fine over a period of 2 weeks. They are one-time use though, presumably as the site stores the ones you've used before.
There are one-way hash functions such as MD5 and SHA1 that allow you to take any message [A] and easily calculate its hash, [B], but just given some hash [B] it's mathematically very difficult to calculate [A]. These algorithms have been engineered in such a way that 1) it would take hundreds of years using the fastest computer to calculate [A] from [B] and 2) given any two messages [A1] and [A2], it's very, very unlikely that they have the same hash.
Therefore the hash [B] of your pin [A] can be safely stored on your card, but not the PIN itself. Even if the card falls into the wrong hands and the criminals are able to extract the hash [B], then it's almost impossible for them to reverse it to get your pin [A].
When you go to the ATM to get money out, the machine asks for your PIN, calculates the hash and then compares it with the hash stored on your card. If the hashes match, then it's almost certain that the PINs match. So, your PIN is not stored on your card, but something mathematically related to it (the hash) is. The same goes for the PINsentry card reader: it doesn't have access to the PIN on your card (the PIN isn't actually on your card), it just compares the hash.
I don't know for certain how the PINsentry works, but if I were designing one, I would do something along these lines. 1) Generate a random four digit number [N], 2) append it to the hash [B] of the PIN, to get [NB] 3) Generate the hash of [NB]. Send both [N] and the hash [NB] over the internet to the bank, where they can use [N] and the [B] they have on record to calculate the hash of [NB] and compare it to the hash of [NB] you sent. If the hashes match, you are who you say you are and you can online bank. The bank will then store the random number you sent, and not allow anyone to log in with it again, in this way if it were intercepted it would be no good.
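As an added illustration of the two ideas in this comment (a one-way hash of the PIN held on the card, and a random [N] hashed together with [B] so that an intercepted value is useless to anyone else), here is a small Python model written for this page. It is not code from the comment's author or from Barclays; the class names, the 16-byte [N], and the three-try lock are assumptions. It also shows the caveat a later comment raises: a four-digit PIN has only 10,000 possible values, so an unkeyed hash of it can be enumerated by anyone who holds the hash, which is why the hardened variant at the end keys the response with a per-card random secret and keeps the PIN check inside the card rather than giving the bank anything PIN-derived.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PIN_DIGITS = 4
MAX_PIN_TRIES = 3  # assumed retry limit, like the "last pin try" mentioned elsewhere in the thread


def pin_hash(pin: str) -> bytes:
    """The commenter's [B]: an unkeyed one-way hash of the PIN."""
    return hashlib.sha256(pin.encode()).digest()


class Card:
    """A chip that stores only the PIN hash [B] and a retry counter (the commenter's design)."""

    def __init__(self, pin: str):
        self.b = pin_hash(pin)
        self.tries_left = MAX_PIN_TRIES

    def verify_pin(self, entered: str) -> bool:
        if self.tries_left == 0:  # locked: even the correct PIN is refused
            return False
        if hmac.compare_digest(pin_hash(entered), self.b):
            self.tries_left = MAX_PIN_TRIES
            return True
        self.tries_left -= 1
        return False


def reader_response(card: Card, entered_pin: str) -> Optional[Tuple[bytes, bytes]]:
    """Steps 1-3 of the sketch: a random [N] and the hash of [N] followed by [B]."""
    if not card.verify_pin(entered_pin):
        return None
    n = secrets.token_bytes(16)  # [N]: 16 random bytes rather than 4 digits, so it cannot be guessed
    return n, hashlib.sha256(n + card.b).digest()


class BankHashScheme:
    """Bank side of the sketch: holds [B] on record plus every [N] it has already accepted."""

    def __init__(self, b: bytes):
        self.b = b
        self.used = set()

    def verify(self, n: bytes, tag: bytes) -> bool:
        if n in self.used:  # a replayed (N, tag) pair is rejected
            return False
        expected = hashlib.sha256(n + self.b).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.used.add(n)
        return True


def recover_pin_from_hash(b: bytes) -> Optional[str]:
    """The weakness a later comment objects to: with only 10**PIN_DIGITS possible PINs, an unkeyed
    hash of the PIN is inverted by enumeration wherever it is held (bank record or dumped chip)."""
    for candidate in range(10 ** PIN_DIGITS):
        pin = f"{candidate:0{PIN_DIGITS}d}"
        if hmac.compare_digest(pin_hash(pin), b):
            return pin
    return None


class KeyedCard(Card):
    """Hardened variant: the response is keyed by a per-card random secret, not by the PIN.
    The PIN check stays inside the card and the bank stores nothing derived from the PIN."""

    def __init__(self, pin: str, key: bytes):
        super().__init__(pin)
        self.key = key

    def respond(self, entered_pin: str, challenge: bytes) -> Optional[bytes]:
        if not self.verify_pin(entered_pin):
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class BankKeyedScheme:
    """Bank side of the hardened variant: issues a fresh challenge (the code shown on the
    website) and accepts exactly one response to it."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: Optional[bytes]) -> bool:
        if self.pending is None or response is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # one response per challenge, so a captured response cannot be replayed
        return hmac.compare_digest(expected, response)
```

In the first scheme the bank's record of [B] is the weak point: `recover_pin_from_hash` finds the PIN in at most 10,000 hash evaluations. In the keyed variant the bank's copy of the per-card key is still a secret that must be protected, but compromising it reveals nothing about the PIN, and the retry counter on the card is what limits PIN guessing.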
Here's my 2 cents, based on the following experiment:
I used the PINSENTRY to generate a sequence of four numbers, let's call them A, B, C and D. On the first day, I used A, which worked fine. Then on the same day, I signed out, and logged in again using C. Then again on the same day, I repeated the test using B, which failed, as expected. The next day I used D, which succeeded.
I guess that the PINSENTRY and the Barclays computer both compute a predictable series of pseudo-random numbers using the card number (and possibly the PIN) as a "seed." All that needs to be stored at either end is the seed and the point in the series that's been reached so far. This could be as simple as the latest number used, or more probably its ordinal number, for example that the 107th number has been used. This would explain a) why you can generate a whole bunch of numbers to use while travelling without having to lug the PINSENTRY around, and b) why you cannot use skipped numbers, or re-use used numbers.
Thoughts?
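The experiment above (A accepted, then C accepted, then B refused, then D accepted) is exactly the behaviour of an event-counter one-time password: the verifier remembers the highest counter it has accepted and refuses anything at or below it, while accepting codes a little further ahead. The Python model below is an added example, not Barclays' code; it uses the HOTP construction from RFC 4226 (HMAC-SHA1 over a counter, dynamically truncated, here to eight digits) as a stand-in for whatever the real card computes, and the seed value, the look-ahead window of 20 and the class names are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 8


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Reader:
    """Card + reader side: holds the seed and a counter that advances on every code generated.
    No clock and no network are needed."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed = seed
        self.counter = counter

    def next_code(self) -> str:
        self.counter += 1
        return hotp(self.seed, self.counter)


class BankVerifier:
    """Server side: the same seed, the highest counter accepted so far, and a look-ahead window
    so that codes generated but never used (written down and discarded) do not break sync."""

    def __init__(self, seed: bytes, window: int = 20):
        self.seed = seed
        self.window = window
        self.last_used = 0

    def verify(self, code: str) -> bool:
        for c in range(self.last_used + 1, self.last_used + 1 + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_used = c  # everything at or below c is now dead, skipped codes included
                return True
        return False  # reused, skipped-over, or beyond the window


def nickt_experiment(seed: bytes = b"constructed-card-seed"):
    """Replays the order of use described in the comment: A, C, B, D."""
    reader = Reader(seed)
    bank = BankVerifier(seed)
    a, b, c, d = (reader.next_code() for _ in range(4))
    return [bank.verify(a), bank.verify(c), bank.verify(b), bank.verify(d)]
```

`nickt_experiment()` returns `[True, True, False, True]`: using C moves the bank's pointer past B, so B is dead even though it was never used. The window is the design trade-off: it must be large enough to cover codes that were generated and thrown away, but every unit of look-ahead is one more code an attacker could try against the account, so real deployments keep it small and lock after repeated failures.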
I think NickT's experiment clarifies everything!! Funnily enough I thought exactly the same and was gonna do the same experiment!!
The numbers are part of a series based on your pin and any number following the one last-used number should work.
I think that NickT is almost right, however there are a couple of anomalies that the theory doesn't address.
1) Steve says that any reader works with any card. Therefore the point in the sequence would need to be stored on the card rather than the reader.
2) It would be massively insecure for the bank to keep any record of your pin, anywhere! It would be equally insecure if the card reader could generate the online banking password simply from the card number, as someone could reverse engineer the algorithm and start generating valid online banking numbers, using just the card number.
I think the truth is NickT's method, but secured with the cryptographic techniques I refer to in my previous post.
Yeah but, how does it communicate with the bank without wires and without an authorising code for my network yet still gets the transaction correct?
The way this works is described here:
http://en.wikipedia.org/wiki/Chip_Authentication_Program#Protocol_details
Regarding the reverse-engineering of the algorithm... this would be equivalent to applying a reverse mathematical process, no? You're fine as long as it's a simple operation (+-x/), but you can't do the same with integration and differentiation, as integration produces an unknown constant. I'd guess the algorithm is one involving calculus so is irreversible?
You guys are making it a lot more complicated than it actually is. No radio waves, no wireless - just maths.
Like has been said, it has an internal clock, probably in the form of a Unix timestamp to make calculations easier. The number changes over time, so obviously time must be a variable involved in the calculations - random numbers would not work because both the server and the device need to reach the same number to allow authentication. Time is a universal variable that can easily be calculated by the server.
Other variables will obviously include the card number, pin etc etc and some sort of other mathematical operations, which will result in an 8 digit number.
Oh and, the card DOES store the PIN (in the chip). But not in plain text of course - or it could just be read by any card reader. When you type in your PIN (in plaintext) it will be encoded, in a way as suggested above by some form of one-way algorithm, the output of which will be stored on the card and then can be used for comparison purposes to determine if the correct pin has been entered.
Simple.
This is interesting. I got my Pin sentry reader today and wondered how it worked. I tried my current account card and my barclaycard. I put another card in and it doesn't "recognise" it. Annoying thing is, my Barclaycard was on my last pin try and I got it wrong so will have to contact bank.
I've blogged about exactly how these work - there's no magic involved! See here http://www.matthewedmondson.info/2009/11/why-i-hate-bank-card-readers.html
1. Forgot my PIN
2. Requested new PIN which arrived by post in 4 days
3. Put the card into the PINSentry and it accepted the new PIN
My question... how did the PINSentry device correctly authenticate the new pin if the card had not been inserted into an ATM to have the hash in the chip reprogrammed?
Sounds to me like the PINsentry system unlocks the secret area of your chip that your PIN is stored in, to verify you enter the same PIN that is stored. In other words, a hacker's dream and a free gateway to a series of codes to unlock clones of stolen cards.
go up and read the link by peter D..... nuff said
yes, thank god someone's got a brain
OK let me break it down:
1) Every card's chip has a record of its own correct PIN.
2) The PINsentry device is not unique; however, it has many (possibly millions of) 8-digit numbers which tally with those in Barclays' database.
3) When you use your card to generate a PIN to log in, an algorithm in PINsentry disables that PIN from reuse for your login for a long, long while (who knows, up to 10 years), hence the inability to reuse the PIN if you wrote it down; the same occurs at the Barclays end for your account.
There's no wireless sync. Lol
Assuming what indeed indeed indeed said is true (and I doubt it can be) the only possibility I can come up with is that his bank pre-stored a "next pin" on his card in the event that they needed to re-issue a pin. The card then accepted this when it was used for the first time and effectively changed it to become the current pin. It seems highly unlikely, but I can't think of any other logical explanation.
BTW has anyone removed the battery from the card reader and then put it back (to effectively reset the date and time) to see if that makes a difference. I'll probably try this soon...
You can put your card in several times and, instead of using the code it generates, write it down. I write several codes down and therefore don't have to carry the reader around with me, especially if I am abroad and want to pop into an internet cafe. Therefore time and date have nothing to do with it and they are all pre-set codes on the chip.
Each card has a set number of pre-determined codes (millions) and the reader merely gives you one of those codes each time you want to log on. When there aren't any unique codes left, you are issued a couple more million. That's all.
Ok guys, here is my explanation of the PIN Sentry mystery!!
I think the PIN Sentry has simply a SIM Card in it and simply connects to the internet with it!
HOW DID I COME UP WITH THIS CONCLUSION?
When you do a transfer online, you specify on your computer the amount of money you want to transfer, let's say a 4-digit number with 52p, and before actually making the payment you need to confirm it using your PIN Sentry with the SIGN button, and you are asked to put into the PIN Sentry device the amount you are willing to pay. And you don't put a comma or a point to enter the pence of this amount, it already knows!
And if your device knows the amount that you entered online, that means that it is connected to the Barclays servers to know it.... hence the SIM chip (because yeah, it cannot connect to your wifi as it is protected)
It is the same with the log-in code... It is first generated on your PIN Sentry, then sent to Barclays' servers, and when you click on the log-in button it verifies the codes match!
What do you think about this explanation?
A good way to find it out is trying to log in an area where you are connected to the internet via cable and have no telephone coverage...!
Cheers!
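No network link is needed for the "Sign" case described above: the amount the customer keys into the reader becomes part of the input to the code, and the bank recomputes the code from the amount and payee that actually arrive in the transfer request. If a compromised browser changes either of them on the way, the recomputation fails and the transfer is refused. The model below is an added example in Python, not Barclays' code or the CAP specification; the per-card key, the eight-digit truncation of an HMAC-SHA256, the payee-reference field and the look-ahead window are all assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 8


def sign_code(key: bytes, counter: int, amount_pence: int, payee_ref: str) -> str:
    """Response to a Sign request: a keyed MAC over the transaction counter, the amount
    and the payee reference, truncated to DIGITS decimal digits for display."""
    msg = struct.pack(">QQ", counter, amount_pence) + payee_ref.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** DIGITS:0{DIGITS}d}"


class SigningReader:
    """Card + reader: per-card secret key and the chip's transaction counter; no clock, no radio."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def sign(self, amount_pence: int, payee_ref: str) -> str:
        self.counter += 1
        return sign_code(self.key, self.counter, amount_pence, payee_ref)


class SigningBank:
    """Server: same key, highest counter accepted so far, and a small look-ahead window."""

    def __init__(self, key: bytes, window: int = 20):
        self.key = key
        self.window = window
        self.last_used = 0

    def verify(self, code: str, amount_pence: int, payee_ref: str) -> bool:
        for c in range(self.last_used + 1, self.last_used + 1 + self.window):
            if hmac.compare_digest(sign_code(self.key, c, amount_pence, payee_ref), code):
                self.last_used = c  # consumed: the same code cannot authorise a second transfer
                return True
        return False


def transfer_attempt(reader: SigningReader, bank: SigningBank,
                     intended_pence: int, intended_payee: str,
                     submitted_pence: int, submitted_payee: str) -> bool:
    """The customer keys the intended amount and payee into the reader; the browser submits
    whatever it submits (possibly altered). The bank checks the code against the submitted values."""
    code = reader.sign(intended_pence, intended_payee)
    return bank.verify(code, submitted_pence, submitted_payee)


def demo():
    """Constructed values: a 16-byte key, a transfer of 1234.52 pounds to payee reference 12345678."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    reader, bank = SigningReader(key), SigningBank(key)
    honest = transfer_attempt(reader, bank, 123452, "12345678", 123452, "12345678")
    tampered = transfer_attempt(reader, bank, 123452, "12345678", 999952, "12345678")
    return honest, tampered
```

`demo()` returns `(True, False)`: the second attempt is rejected because the amount the bank received is not the amount that was keyed into the reader. This is the reason the reader asks for the amount at all; it is not reading it from anywhere, the customer is telling it, and that is what makes the displayed code a commitment to that specific transaction.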
Probably uses the last 4 digits of your card and the date or time to calculate a number, which could be matched to the bank's online computer, which should calculate the same number.