OT on line banking

Its probably very useful as I was sent one and daughter in law nicked it

I did enquire as to its whereabouts but was told it was not worth me having one which suggests it was worth me having one

Thanks for the reminder I will raise the matter again

It allows you to set up new payments.

You insert your bank card, enter the pin, enter the number on the screen and then enter the displayed number into an on-screen box. Proves you have your bank card before authorising a new payment.

Andy C

Told by whom?

it generates a one time password based on your card number and pin, and, I assume, the time of day and date.

so you key your PIN into it, and an 8 digit number comes up. That's your one time password. Valid for however long.

means if someone has compromised the computer and is reading your keystrokes, it wont work for them next time.

In the case of barclays its a master access to all your account details, ad the ability to transfer money around from your accounts to other accounts.

If they want to validate who you are before setting up new payments, they ask you to use the reader. They generate a random one-time code which you put into the reader. You insert the card and give your PIN, too, to prove it's your card. The reader generates another number derived from the info on the card, and the random number given. You enter that back on the website, and they match it with their own calculations.

What's funny is dealing with US banks. Just a username/password, all of which you type in (no first/third letters business). And if you phone up they "validate" you with your SSN, DOB, and mother's maiden name.

Sometimes they ask for the last four numbers of your card, and your zip code.

....is the correct answer, unlike some of the others!

In fact AFAICR you need the reader thingy to set up a third-party payment facility from your account in the first place; then you need it again the first time you make a payment to that third party. If you never make third-party payments online, you'd never actually need it.

David

I need it to make first and second party payments.

According to Barclays you can use another banks card reader, so presumably they are all interchangeable.

It doesn't use the time and date. It uses a counter on the card - the Application Transaction Counter (ATC) - which only ever increases, to generate a one-time token. Variants of the system can get you to enter a challenge number, which will also be used in the algorithm to generate the one time token. Your offline PIN is not used in the calculation - that's just verified by the card, as it is at a POS terminal. Further variants can be used as an add-on to Verified by Visa or MasterCard SecureCode, whereby instead of entering your usual password details, you can be asked to enter things like a merchant code and amount into the reader, and the one-time token can be used to validate all of that.

It's explained here:

That's the theory. It's all to do with a bitmap mask on the card, which determines which bits of data to use in the token generation. If the card contains that bitmap, then any reader will work. But if a reader is designed with an inbuilt bitmap mask, it won't work with cards that have a different one.

JW

I have the same thing for RBS (in fact for various reasons, I have at least 3 now!).

They are a challenge-response device that depends on some magic from the card's chip which also requires validating the PIN.

Essentially, for "dangerous" transactions, the web site prints a number. You have to stick your card in the reader, enter the PIN (which will lock the card if done wrong 3 times just like an ATM). You type in the number and the card reader responds with another number that you type back into the web page. If their computer likes the number, you get to do whatever you were trying to do.

"dangerous" means paying or transferring to a new destination and sometimes just transferring any money to someone other than one of your own accounts, depending on how they've set it up.

It adds security by requiring you have something (your card) and know something (the PIN, not to mention all the passwords to get online in the first place). You could swap card readers with another one from the same bank and possibly from another bank - although I seem to remember my Barclays one would not recognise my RBS card so that's probably a bit random.

The number generation itself is some cryptographic magic that would be very hard to hack.

I'm not sure if there is also a time element too (the card reader would have to have a clock if so).

HTH

Tim

That makes sense. Thanks for that, I am beginning to understand it now.

Dave

On reading the answers to this thread, I put my card in and it asks me to 'Select Function'. Pressing the up/down button, it asks for my pin No. Then says 'Enter Number.' What number and why is it so obtuse?

Dave

The number show on the natwest page that prompted you to put your card in the reader ...

If you have NatWest online banking, you can order a new one on the website.

I don't remember ever getting a one time code number. I'll have to get in touch with my bank for that.

Many thanks for all the help

Dave