The Naked Scientists

The Naked Scientists Forum

Author Topic: How Does This (so called) Random Number Thingy Work With MY Bank ?  (Read 12855 times)

Offline neilep

  • Withdrawnmist
  • Naked Science Forum GOD!
  • *******
  • Posts: 20602
  • Thanked: 8 times
Dear Bankers and Bankologists,

As a sheepy I of course enjoy many streams of revenue !..well, it's obvious isn't it ?..Sheepy = Income !..blatant !


See this Number generator supplied by my Bank *guess which one ?..DOH*




What I do is push the button and it displays a six-digit number that I input into the site, which allows me access to my accounts and then to see how much money I do not have !

Are the numbers random ?...I can't see how they can be, because how would the site know that the number is correct ?...would I then be right that all it holds is a database of numbers that offer access ? Do you think that the thingy is specific to my account ?  in that it has been programmed with numbers only to be used on my accounts ?

As a sheepy, I of course need to know these things.

I asked my neighbour by forcing him to transfer all his money to me so that I would have an incentive to access my account !...it was either that or I tickle his feet more and insert the traffic cone deeper...I think he enjoyed it. Unfortunately, the site went down and all I can do is spend his money on ostentatious luxuries that I don't need, so, no luck there !

Thank ewe for your comments.




mwah mwah mwah

Hugs ya



Neil
To Bank Or Not Bank, That Is The Query !
xxxxxxxxxxxxxxxxxxxxxxxxx



 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8122
  • Thanked: 53 times
The number is not random...

Quote
The tokens all have slightly different algorithms that generate different numbers every thirty seconds, according to Mervyn Northam, head of Business Internet banking at HSBC. The back-end computer system tracks which code will be generated by each token depending on the time of day.

"Say your token has algorithm number 79, and it's 1305. The system will know the precise number you are on, and the numbers either side. The tokens aren't specific to certain customers when they are sent out, and each has a barcode which clients use to register the token," said Northam.
http://news.zdnet.co.uk/security/0,1000000189,39262343,00.htm
 

Offline neilep

  • Withdrawnmist
  • Naked Science Forum GOD!
  • *******
  • Posts: 20602
  • Thanked: 8 times
The number is not random...

Quote
The tokens all have slightly different algorithms that generate different numbers every thirty seconds, according to Mervyn Northam, head of Business Internet banking at HSBC. The back-end computer system tracks which code will be generated by each token depending on the time of day.

"Say your token has algorithm number 79, and it's 1305. The system will know the precise number you are on, and the numbers either side. The tokens aren't specific to certain customers when they are sent out, and each has a barcode which clients use to register the token," said Northam.
http://news.zdnet.co.uk/security/0,1000000189,39262343,00.htm

FANTASTIC !!

So, my thingy has a clock in it too !!..I hope it takes the daylight saving time stuff into consideration.

THANK EWE RD

Brilliant !!
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8122
  • Thanked: 53 times
A clock and a radio-receiver...
Quote


Radio-controlled movements

Some electronic quartz watches are able to synchronize (time transfer) themselves with an external time source. These sources include radio time signals directly driven by atomic clocks, time signals from GPS navigation satellites, the German DCF77 signal in Europe, WWVB in the US, and others. These watches are free-running most of the time, but periodically align themselves with the chosen external time source automatically, typically once a day.


Because these watches are regulated by an external time source of extraordinarily high accuracy, they are never off by more than a small fraction of a second a day (depending on the quality of their quartz movements), as long as they can receive the external time signals that they expect. Additionally, their long-term accuracy is comparable to that of the external time signals they receive, which in most cases (such as GPS signals and special radio transmissions of time based on atomic clocks) is better than one second in three million years. For all practical purposes, then, radio-controlled wristwatches keep near perfect time.


Movements of this type synchronize not only the time of day but also the date, the leap-year status of the current year, and the current state of daylight saving time (on or off). They obtain all of this information from the external signals that they receive. Because of this continual automatic updating, they never require manual setting or resetting.

http://www.nationmaster.com/encyclopedia/Watch#Radio-controlled_movements
« Last Edit: 04/11/2008 23:56:59 by RD »
 

Offline techmind

  • Hero Member
  • *****
  • Posts: 934
  • Un-obfuscated
I'm not familiar with the HSBC widget specifically, but such devices generate a pseudo-random number sequence which, while it looks random (and would pass virtually all the mathematical tests for randomness), actually is an entirely predictable sequence (when you know the algorithm and key).

One method is to move on to a new number each time you press the button. Obviously the bank's computer won't let you use the same number twice, and it will likely accept the next number or a number a few down the sequence from the one it last saw (the button might have got pressed in your pocket etc). If you press the button too many times between logging in the site may refuse your number, then you're stuck!

The other method is to automatically advance the number with time, typically once every minute. I have an RSA security key to log into my work computer from home this way. The clock on the widget doesn't have to be perfectly accurate since they will accept a number a couple either side of the "correct" one (a 6-digit number has 1million combinations, so allowing 5 or 6 at any one time still isn't much of a weakness), and the bank's computer can gradually figure out whether your widget runs fast or slow, and tweak its future expectations accordingly.


The bar code on the back of the widget may contain part of the unique key to the sequence. Part of the key is probably known only to the bank - otherwise 'anyone' who knew the algorithm could generate the sequence just given the barcode ;-)


Putting a radio-controlled (MSF60/DCF77) clock inside would be overkill, and add unnecessary expense.
« Last Edit: 05/11/2008 21:54:01 by techmind »
 

lyner

  • Guest
Quote
Obviously the bank's computer won't let you use the same number twice
My number changes every minute or so. During that period you can use the same number.
(HBOS system)
 

Offline RD

  • Neilep Level Member
  • ******
  • Posts: 8122
  • Thanked: 53 times
Putting a radio-controlled (MSF60/DCF77) clock inside would be overkill, and add unnecessary expense.

My mistake, a radio-controlled clock in the fob is not necessary...
http://www.engadget.com/2007/01/15/paypal-to-offer-security-key-fobs-for-additional-account-protect/

The "depending on the time of day" reference in the ZDNet article is misleading: if it is just a predictable sequence of numbers then the time of day is irrelevant. If the time of day was relevant then the fob would need a clock synchronised to the computer clock (radio-controlled synchronisation was the only way I thought this could be achieved).
 

Offline techmind

  • Hero Member
  • *****
  • Posts: 934
  • Un-obfuscated
If you really want more info on these tokens, you could do worse than begin by traipsing over to:
http://en.wikipedia.org/wiki/SecurID
 

lyner

  • Guest
The rate of drift of even the naffest quartz clock would be adequate for my bank's system to work as long as the system allows for an overlap of a minute or two, i.e. accept one of several time-related codes. It's still pretty bombproof.
Problem is when you haven't got the gizmo with you.
 
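The two token designs techmind describes above (button-press sequence with a look-ahead, and time-stepped codes with a tolerance window plus drift tracking), together with lyner's point that a cheap quartz clock is good enough if the server accepts a few adjacent codes, can be shown concretely with the published HMAC-based one-time-password construction (RFC 4226, and its time-stepped form RFC 6238). This is an added illustration and not code from the thread, nor the proprietary algorithm inside an HSBC or RSA SecurID token. The seed is the ASCII test key from RFC 4226 Appendix D, chosen so the outputs are checkable against that document; the class and parameter names (`CounterTokenVerifier`, `TimeTokenVerifier`, `look_ahead`, `window`, `drift_steps`) are assumptions made here for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the ASCII test key from RFC 4226 Appendix D.
# A real token's seed is provisioned by the bank at registration (the barcode
# identifies the token; the seed itself is held only by the bank and the fob).
DEMO_SEED = b"12345678901234567890"
DIGITS = 6
STEP_SECONDS = 60  # lyner reports a new code roughly every minute


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then reduce modulo 10**digits and zero-pad to `digits`.
    The output looks random but is fully determined by (seed, counter).
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class CounterTokenVerifier:
    """Button-press token (techmind's first method).

    The server remembers the highest counter it has accepted and looks ahead a
    bounded number of steps to absorb presses that happened in a pocket. A code
    is never accepted twice, and codes behind the last accepted one are dead.
    Press the button more than `look_ahead` times between logins and you are
    locked out until the bank resynchronises the token.
    """

    def __init__(self, seed: bytes, look_ahead: int = 5) -> None:
        self.seed = seed
        self.look_ahead = look_ahead
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        first = self.last_counter + 1
        for candidate in range(first, first + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.last_counter = candidate  # burn this and all earlier counters
                return True
        return False


class TimeTokenVerifier:
    """Time-stepped token (techmind's second method, RFC 6238 style).

    counter = floor(now / step). The server accepts +/- `window` steps around
    its own clock, so a fob crystal that is a minute out still works, and it
    records the offset at which the fob was last seen so a consistently fast or
    slow clock is tracked rather than rejected. Each time step is accepted once.
    """

    def __init__(self, seed: bytes, step: int = STEP_SECONDS, window: int = 2) -> None:
        self.seed = seed
        self.step = step
        self.window = window
        self.drift_steps = 0   # learned offset of the fob relative to server time
        self.last_step = -1    # highest time step already used for a login

    def verify(self, code: str, now: float) -> bool:
        centre = int(now // self.step) + self.drift_steps
        for delta in range(-self.window, self.window + 1):
            candidate = centre + delta
            if candidate <= self.last_step:
                continue  # replay of an already-used (or older) step
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                self.drift_steps += delta  # remember where the fob's clock sits
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Press the fob three extra times in a pocket, then log in: still accepted.
    counter_server = CounterTokenVerifier(DEMO_SEED, look_ahead=5)
    print("press #4 accepted:", counter_server.verify(hotp(DEMO_SEED, 3)))
    print("same code again:  ", counter_server.verify(hotp(DEMO_SEED, 3)))

    # Fob clock one minute slow, server at t=180s (step 3): accepted, drift learned.
    time_server = TimeTokenVerifier(DEMO_SEED, step=60, window=2)
    print("slow fob accepted:", time_server.verify(hotp(DEMO_SEED, 2), now=180.0))
    print("learned drift:    ", time_server.drift_steps)
```

A six-digit code with a window of five candidates gives an online guesser about five chances in a million per attempt, which is why the window costs little; the real control is the lockout after a handful of wrong codes. The time verifier above burns each step after one use, matching techmind's "won't let you use the same number twice"; lyner's HBOS system evidently allows reuse within the current minute, which is a policy choice that this code would make by dropping the `last_step` check. The counter-based verifier could track the same kind of long-lived drift (the cumulative number of wasted presses) in the same way, but RFC 4226 deployments usually resynchronise once with a wider window instead.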
