Online banking PIN generator: can I just get a long list of PINs

My bank (based in the UK: Marks and Spencers Bank, under the umbrella of HSBC) issued me with a small card-shaped device. Every time I log in I have to access it, put a passcode in, and then get a code I can put on the bank's website. It would be more convenient for me if I could just get 20 or so at a time, write them down and then cross them off. I don't want to break anything though, and am unsure if this would actually work. Can I just get a load of numbers at once, then use them as and when I need to log in?

I would imagine there's a complex algorithm behind generating the TANs (nitpick: those one-time-use numbers for authenticating an individual transaction are called TANs, transaction numbers, not PINs, personal identification numbers), rather than the generator simply having a bucket of them stored. My online banking TAN generator requires me to scan a barcode that appears on the screen when I set up a transaction; details about the amount to be transferred and the recipient of the transfer are encoded in that barcode, and that data is fed into generating the TAN. This is to prevent phishing attacks, whereby a fraudster would intercept the communication between my browser and the bank, display to me a fake online banking page that makes me believe I'm authenticating the transaction I want to do, but in fact they're using my TAN to simultaneously authenticate another transaction to someone else. I understand your TAN generator doesn't include such a scan, but almost certainly it incorporates data such as the current date and time when it generates a TAN. So no, I don't think you can generate a bunch of them to have them in stock for later use.

It depends. There are two types of such devices: time-based, where the PIN depends on the current time; and sequence-based, where there is a counter that increments each time you use it, and the PIN depends on the counter.

If the device is time-based, then of course you can’t write down a list of PINs to use later. If it is sequence-based, then you can: but with the warning that if you write down a bunch of PINs and then lose that paper without using them, the sequence can get out of sync and you could be locked out. (Explanation: the bank knows the last PIN you used corresponded to counter value 5, say. Next time it will allow you to use the PIN corresponding to counter value 6, 7, or 8, maybe, so you can lose a couple of PINs without getting out of sync. But if you write down 20 and lose them, the bank is not going to let you use the PIN corresponding to counter value 25.)
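As an added example, not code from any poster or from any bank's device: a counter-based generator (HOTP, RFC 4226) and a bank-side verifier with the small look-ahead window this answer describes, showing why pre-computing 20 codes and then losing them strands the account. The secret, window size and counter values are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: in a real device this is provisioned once and never leaves it.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-key"
DIGITS = 6
LOOK_AHEAD = 3   # how many unused codes the bank tolerates (the "6, 7 or 8" window)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Server:
    """Bank side: remembers the last counter it accepted and allows a small look-ahead."""

    def __init__(self, secret: bytes, look_ahead: int = LOOK_AHEAD):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = 0   # counter value of the last code that was accepted

    def verify(self, code: str) -> bool:
        # Try counters last+1 .. last+look_ahead; constant-time compare avoids leaking partial matches.
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate   # resync: any skipped codes are burnt for good
                return True
        return False


def written_down_codes(secret: bytes, start: int, how_many: int) -> list:
    """The OP's wish: pre-compute a batch of codes from a counter-based device."""
    return [hotp(secret, c) for c in range(start, start + how_many)]


def demo() -> dict:
    server = Server(DEMO_SECRET)
    server.last_counter = 5                          # bank last saw the code for counter 5
    codes = written_down_codes(DEMO_SECRET, 6, 20)   # device codes for counters 6..25
    return {
        "use_next": server.verify(codes[0]),         # counter 6: accepted
        "skip_two": server.verify(codes[3]),         # counter 9 after 6: inside the 7,8,9 window
        "replay": server.verify(codes[3]),           # same code again: rejected
        "lost_list": server.verify(codes[19]),       # counter 25: outside window, locked out
        "last_counter": server.last_counter,
    }
```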

If the device is anything like Barclays PINSentry, it's time-based - and the system (as a whole) has some clever ways to correct itself if the clock on the device goes out of sync with the main system (it may ask you for a series of codes, from which I think it can figure out a new offset).

Even if it were possible, I think it would also defeat the purpose of the framework - anyone who got hold of your card and your list of numbers could potentially gain access to your account.

The procedure that the OP wishes for (a paper list of one-time TAN codes) was in place for the three accounts with German banks that I use/used, from 1988* to about 2010-ish if I rightly recollect. I got these lists by postal mail in tamper-proof printouts (the sort you have to tear open to get at the list).

They were replaced at some time around 2010 (IIRC) by a hardware TAN generator in one case, and TAN by SMS message for the other bank I use.

The reason given for TAN lists being abolished was that their security had been compromised. One way to get around TAN list security is to set up a web site impersonating your bank’s web site, accept your login credentials and have the scam server log in to the bank’s site with these (that way they can display your correct balance, statements etc. to you), accept your details of a bank transfer order, accept your TAN, then return an error/outage page. That way the perps get your banking login credentials plus one valid TAN - enough information to go to the real bank’s site and do a transfer from your bank account to another account (a cutout account set up by a patsy).

The way my one account with a hardware TAN generator works now: I insert my bank chip card into the generator, input my bank transfer information into the bank's online banking site; the site returns (via a flickering bar to the TAN generator's light sensors) information about a start code, the recipient's bank account number and the amount; the TAN generator hashes that information with a code from my bank chip card, has me acknowledge the target account and amount, then returns a TAN.
Crucially, that way, even if I had mistakenly used a fake site impersonating my bank’s site, the TAN I get from the TAN generator is only valid for a transfer of that amount to that recipient account - because that information has been hashed into the TAN.


  • of course there was no Web then. German online banking for consumers was over the now-defunct Datex-J network then.
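An added example that is not part of this post and not a real chipTAN implementation: a simplified model of the transaction-bound TAN described above, where the start code, recipient and amount are keyed-hashed with a card key, so a TAN obtained for one order fails verification for any substituted order. The HMAC-SHA256 construction, card key, start code and account numbers are assumptions made for the demo.

```python
import hashlib
import hmac

# Constructed card key: in chipTAN the key lives inside the bank chip card and never leaves it.
CARD_KEY = b"constructed-demo-card-key-not-real"


def transaction_tan(card_key: bytes, start_code: str, recipient_iban: str, amount_cents: int) -> str:
    """Derive a 6-digit TAN bound to start code, recipient and amount (assumed HMAC-SHA256 scheme)."""
    # Length-prefixed fields so that two different orders can never serialise to the same bytes.
    fields = [start_code.encode(), recipient_iban.encode(), str(amount_cents).encode()]
    msg = b"".join(len(f).to_bytes(1, "big") + f for f in fields)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


def device_generate(card_key, start_code, recipient_iban, amount_cents, user_confirms):
    """The generator shows recipient and amount on its own display; only confirmed data is signed."""
    if not user_confirms(recipient_iban, amount_cents):
        return None
    return transaction_tan(card_key, start_code, recipient_iban, amount_cents)


def bank_verify(card_key, start_code, recipient_iban, amount_cents, tan) -> bool:
    """Bank recomputes the TAN for the order it actually received and compares in constant time."""
    expected = transaction_tan(card_key, start_code, recipient_iban, amount_cents)
    return hmac.compare_digest(expected, tan)


def demo() -> dict:
    start_code = "constructed-0042"                     # challenge the bank sends via the flicker code
    intended = ("DE00CONSTRUCTED0000000001", 12_50)     # the order the customer really wants
    diverted = ("DE00CONSTRUCTED0000009999", 999_00)    # the order a fake site submits instead
    tan = device_generate(CARD_KEY, start_code, *intended, user_confirms=lambda i, a: True)
    return {
        "honest_order": bank_verify(CARD_KEY, start_code, *intended, tan),
        "diverted_order": bank_verify(CARD_KEY, start_code, *diverted, tan),
        "changed_amount_only": bank_verify(CARD_KEY, start_code, intended[0], 999_00, tan),
        "declined_on_display": device_generate(CARD_KEY, start_code, *diverted, user_confirms=lambda i, a: False),
    }
```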

Given that the OP says he has to enter a code to get a number out of the device, I think it’s more likely that it’s cryptographic. Give each user a public-private key pair. Encode the private key on the device you give the user, and store the public key. Whenever you use it, the bank generates a random code which the user enters, and the device then encodes that using the private key. The user then types in the ciphertext on the bank’s machine, and the bank’s machine decodes it using the public key. If it matches the random number the bank generated, then that’s authentication that the device does in fact have the correct private key on it.

Ideally, the initial code the bank generates would have to be derived in some way from the transaction details. That way, with a man-in-the-middle attack like Mops describes, the only transaction the attacker would be able to make would be the one the user was actually trying to make.

The device you have is what is known as two-factor authentication. You have to have a password plus a code from the device to log in. The whole point of this is that you are the only one physically holding the device, so they can be reasonably sure it's you trying to log in if you both have the device *and* know the password.

If you could provide the codes without having the device (probably not possible per the above discussion), then there is no longer the assurance that it’s you. So these things are generally designed so that you have to have it in your hand to use it.

(I have an app that works like this on my smartphone to authenticate me to a federal government account. It works the same way–the assumption is that I have control of my phone.)

And if you also needed a biometric like a fingerprint or retinal scan, that’d be three-factor authentication.