posted by [identity profile] cartesiandaemon.livejournal.com at 05:36pm on 29/05/2008
"I think the problem with the Card Reader not arriving is because we have the address below for your address associated with the FlexAccount"

Depressingly, I'm really really amazed they actually read your email to the extent of being able to reply at all.

BTW, I wonder if card readers actually provide any security? I just assumed it was useless fluff, but apparently it produces a (one-off?) 'hash', so conceivably it might, but I don't know if it _does_.
 
posted by [identity profile] hsenag.livejournal.com at 08:11pm on 29/05/2008
The below is all semi-informed guesswork.

Prior to the card readers, an attacker just needed to steal your web login details to steal money from your account. This can be done e.g. with a trojan on your computer that runs long enough to pick up the full details where you only enter partial information on each login.

With card readers, an attacker *also* needs some way to construct the correct response to the issued challenge. If it's possible to clone the chip on a C&P card, then an attacker could do this, e.g. with a trojaned C&P machine in a shop. But the vector for doing that and the vector for stealing your login details are very different, so it'll be much harder - probably you'd need to operate a big database, grab people's details opportunistically, and hope that a few of them would match up. If it's not possible to clone the chip, then the only attack is to steal the card.

So I think they're worthwhile, and I think (Nationwide's administrative incompetence aside) that they've implemented it in basically the best way they could.
posted by [identity profile] sigisgrim.livejournal.com at 10:28pm on 29/05/2008
How they work is to produce an n digit hash that lasts for about 10 seconds on a pseudo random cycle. Each Card Reader has a different seed and that seed is known to the process on the other end, which means that it can predict the hash the Card Reader will generate at any point in time. Then the hash can be used to do whatever encryption or verification is required.

We use a similar mechanism for secure VPN onto some customer networks at work.
posted by [personal profile] emperor at 10:07am on 30/05/2008
This can't be how they work, as card-readers are interchangeable, even between banks.

Well, OK, every card reader everywhere could have the same seed, but that would be very silly!
Edited Date: 2008-05-30 10:08 am (UTC)
posted by [identity profile] sigisgrim.livejournal.com at 12:26pm on 30/05/2008
My understanding is that the card reader is tied to the account (and thus to the card, or possibly cards). Or rather the seed in the card reader is tied to the account. All the card readers are essentially the same, but with a unique seed and when one is issued to a customer their account has the seed from the card reader recorded against it.
 
posted by [identity profile] dave holland at 12:31pm on 30/05/2008
Barclays say their card reader isn't account-specific and that you can use someone else's card reader. (Card-reader hijacking, anyone?)

http://www.barclays.co.uk/pinsentry/questions.html
posted by [identity profile] sigisgrim.livejournal.com at 01:58pm on 30/05/2008
"Barclays say their card reader"

We're still waiting for ours from Barclays.

"isn't account-specific"

That's very interesting. In that case I'd guess that something is sent initially from the reader to the bank that identifies the account and then the bank sends something else back to the reader that identifies which seed to use. But that is less secure; once you've identified the link between seed identifier and seed the thing is cracked and that link is on the bit of hardware that everyone has. Also if one could intercept the account identifier and the returned seed identifier that would reveal which seed was associated with a particular account.
posted by [personal profile] emperor at 12:33pm on 30/05/2008
Nationwide are quite clear that I can use any card reader I care to, including one from another bank.
 
posted by [identity profile] womble2.livejournal.com at 12:10am on 03/06/2008
I think that it's the chip in the card that is generating the hash.
posted by [identity profile] sigisgrim.livejournal.com at 09:40am on 03/06/2008
Yes, that would make sense. Why didn't I think of that? Duh!
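
A simplified model of the arrangement the thread converges on, added here as an example and not taken from any commenter or bank: the secret sits in the card's chip, the reader holds nothing, and the bank checks a one-off response to its challenge. The `Card`, `Reader` and `Bank` classes, the explicit counter and the HMAC-SHA256 truncation are assumptions for illustration, not the algorithm real cards use.

```python
import hashlib
import hmac
import secrets


def _code(key: bytes, counter: int, challenge: str) -> str:
    # Stand-in for the card's cryptogram: HMAC-SHA256 cut down to 8 digits.
    msg = counter.to_bytes(4, "big") + challenge.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Card:
    """Constructed model of a chip card: the key never leaves it."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0  # bumped on every use, so each response is one-off

    def sign(self, challenge: str) -> tuple[int, str]:
        self._counter += 1
        return self._counter, _code(self._key, self._counter, challenge)


class Reader:
    """Holds no secret and no account data, so any reader works with any card."""

    def respond(self, card: Card, challenge: str) -> tuple[int, str]:
        return card.sign(challenge)


class Bank:
    def __init__(self):
        self._keys = {}       # account -> key shared with that account's card
        self._last_seen = {}  # account -> highest counter already accepted

    def issue_card(self, account: str) -> Card:
        self._keys[account] = secrets.token_bytes(16)
        self._last_seen[account] = 0
        return Card(self._keys[account])

    def verify(self, account: str, challenge: str, counter: int, response: str) -> bool:
        if counter <= self._last_seen[account]:
            return False  # stale or replayed response
        expected = _code(self._keys[account], counter, challenge)
        if not hmac.compare_digest(expected, response):
            return False  # produced by a different card, or for a different challenge
        self._last_seen[account] = counter
        return True
```

In this model, stolen web login details alone are not enough, and a borrowed reader gives away nothing, because the only secret is the key inside the card.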
