Online Banking - Are card readers legal?

If I take the batteries out of the handheld device for an hour or so, does this mean that it will permanently cease to work?

Probably. Another good way is to hit it with a two-pound lump hammer, or failing that, fry it in olive oil for half an hour.

Reply to
Bystander

Fair enough but should that perhaps be "optical input"?

I also feel that quite a few potential users around here fall short of "extremely versatile". They are more used to input by inhalation, ingestion or intravenous injection and output by way of a very limited range of vocalisations and gestures.

Reply to
neverwas

Not necessarily.

If the card contains say, a 64 bit number that is hashed into a new 64 bit number each time a result is generated, the result is then a separate hash of the number in the card, and nothing other than the hashed result to be displayed leaves the card, then even with full knowledge of the algorithm, provided the hash functions are cryptographically strong it should be impossible to calculate the number in the card from any number of results.

(The 8 digit number potentially has about 30 bits of entropy so if the hash from the 64 bit number to the 8 digit number has some weaknesses then it may be possible to get the internal 64 bit number by brute force on a normal PC in a sensible amount of time. 64 bits will be brute forceable with dedicated hardware or in a distributed effort. If they've used 128 bits then brute force goes out of the window and only weaknesses in the hash will allow the number to be retrieved other than by physically opening up the chip. OTOH, timing attacks or power analysis attacks might be possible)

Tim.

Reply to
google

Perhaps that should be digital input and optical output.

Tony

Reply to
Anthony R. Gold

At 17:32:53 on 09/01/2008, neverwas delighted uk.legal by announcing:

No. It has an optical output which is read by optical input of the interface.

Reply to
Alex

Bystander ("Bystander") gurgled happily, sounding much like they were saying:

No.

Ours was supplied (through the post) by the bank with the battery isolated by a plastic strip.

Reply to
Adrian

Yes, my textual sub-system's mistake in misconstruing "its" to refer to the immediately preceding "self-programming and extremely versatile hardware interface". Now fine after rebooting on Wolf Blass President's Selection Cab Sauv.

Reply to
neverwas

Bystander wrote: Not the first paragraph he didn't

Probably OK if it is extra virgin olive oil. :-)

Reply to
Old Codger

More info on this here:


David

Reply to
Lobster


That sounds like a useful extra bit of security... If you "re-program" your codes as above, so that they only work after X seconds/minutes (you choose X), then even if you lose the number generator and a fraudster finds it, s/he'll try using the number straight away and it won't work!!

Reply to
Tim

From other posts it appears that there is no time component so this won't work.

OTOH, there does seem to be a somewhat serious security issue - someone can take your card, try it in the pinsentry with a random pin (usually they'll get it wrong but if enough people do it enough times with enough cards then it will work eventually for some of them), record the number displayed and put the card back. Then once they are secure from detection they can then try the (several) numbers they recorded to logon to your account.

By them only trying the pin once you'll never know that someone has tried this because your next correct use of the pin will reset the count.

Some defenses: Deliberately get the pin wrong twice using the pinsentry - now there is only one guess left - if you find your card is locked then you know someone has tried it. (I think this sort of lockout can be reset at a cashpoint so it's not too drastic if you do this to yourself)

Record the next few numbers now (somewhere secure) and then look it up and use that number when you logon. Anyone who has had temporary access to your card and used it to generate a number and then logged on will then (probably) lock out your existing numbers and you'll have to generate new ones and you'll at least have a heads-up that someone else has accessed your account.

Tim.

Reply to
google
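A toy model of the two designs Tim discusses, added here as an illustration and not code from any poster or bank: the card hashes an internal secret forward on each button press and displays a separate hash of it truncated to 8 digits (his earlier post), and the bank keeps a matching state with a small look-ahead window, so that a logon with a later code invalidates every earlier unused one, which is the lock-out his "record the next few numbers" defence relies on. The window size, the 256-bit state, the hash choice and the secrets are assumptions made for the example.

```python
import hashlib
import hmac
import math

DIGITS = 8   # the reader shows an 8-digit code, as described in the thread
WINDOW = 5   # how many unused codes the bank will look ahead (assumed value)


def _advance(state: bytes) -> bytes:
    """One button press: hash the internal secret forward and discard the old value.
    A displayed code therefore cannot be run backwards to an earlier state."""
    return hashlib.sha256(b"advance|" + state).digest()


def _display(state: bytes) -> str:
    """Separate hash of the current state, truncated to DIGITS decimal digits.
    This is the only value that ever leaves the chip."""
    digest = hashlib.sha256(b"display|" + state).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


class Card:
    """The chip in the card: holds the secret state, which nobody reads directly."""

    def __init__(self, secret: bytes) -> None:
        # 256-bit state here (assumption); the thread discusses 64- or 128-bit secrets
        self._state = hashlib.sha256(b"seed|" + secret).digest()

    def press(self) -> str:
        self._state = _advance(self._state)
        return _display(self._state)


class BankVerifier:
    """The bank's side: same starting secret, plus a look-ahead window so that
    codes generated but never used (wasted presses) do not desynchronise it."""

    def __init__(self, secret: bytes, window: int = WINDOW) -> None:
        self._state = hashlib.sha256(b"seed|" + secret).digest()
        self._window = window

    def check(self, code: str) -> bool:
        state = self._state
        for _ in range(self._window):
            state = _advance(state)
            if hmac.compare_digest(_display(state), code):
                # accept and jump past this state: every earlier unused code is now dead
                self._state = state
                return True
        return False   # replayed, too old, or beyond the window


def code_entropy_bits() -> float:
    """Guessing space of one displayed code: log2(10^8), about 26.6 bits."""
    return math.log2(10**DIGITS)


def simulate() -> dict:
    """Walk through the scenarios discussed in the thread and report each outcome."""
    secret = b"constructed demo secret, not a real card key"   # constructed for the example
    card, bank = Card(secret), BankVerifier(secret)

    first = card.press()
    fresh_accepted = bank.check(first)          # a normal logon works
    replay_rejected = not bank.check(first)     # the same code a second time does not

    # Owner follows the "record the next few numbers" defence
    recorded = [card.press() for _ in range(3)]
    # Someone with brief access to the card presses once more and logs on with that code
    intruder_accepted = bank.check(card.press())
    # The owner's pre-recorded codes now sit behind the bank's state: that is the heads-up
    recorded_now_rejected = not any(bank.check(c) for c in recorded)

    # A card pressed more times than the window, with no logon in between, falls out of sync
    card2, bank2 = Card(b"second constructed secret"), BankVerifier(b"second constructed secret")
    latest = ""
    for _ in range(WINDOW + 1):
        latest = card2.press()
    out_of_window_rejected = not bank2.check(latest)

    return {
        "fresh_accepted": fresh_accepted,
        "replay_rejected": replay_rejected,
        "intruder_accepted": intruder_accepted,
        "recorded_now_rejected": recorded_now_rejected,
        "out_of_window_rejected": out_of_window_rejected,
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
    print(f"code entropy: {code_entropy_bits():.1f} bits")
```

The design choice worth noticing is the look-ahead window: without it a single wasted press would lock the legitimate user out, but with it any code within the next few presses is accepted, which is exactly why a borrowed card yields codes that work later. Comparing codes with `hmac.compare_digest` rather than `==` keeps the verifier's timing independent of how many digits match.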

You would have the same problem with RBS - you have to enter a code that they send you so that the PC can access the web pages. You can register a number of PCs - but you could not just use a friend's PC unless you had a spare code on you.

Reply to
Rob.

I use RBS and there is no longer a concept of "registering a PC", you can use the system from anywhere.

Reply to
Craig Cockburn


... unless they happened to get it right (and actually accessed your codes!!), when it won't be locked...

Reply to
Tim

Yes. But there's a bit of a difference between someone who tries one pin number per week on your card and someone who tries one pin number. Especially if they also have the opportunity to observe you while you enter your pin number. It's relatively simple to tell approximately what shape the numbers form even if you can't tell exactly what the numbers are.

Tim.

Reply to
Tim Woodall

Why on earth might it be illegal?

It *could* be an unfair contract term *IF* they require you to pay a significant amount for the reader they insist you use, but even then it might not be.

Absolutely.

They have done nothing at all wrong.

You have a simple choice. Use the methods they require, or don't use the system.

Reply to
Alex Heney

Supposing you are disabled and have a condition similar to Prof Hawking. Your computer is all set up and you can use it fine.

Bank introduces new system requiring you to be able to use a small calculator-like device with very small keys that you are unable to operate.

You are now, by reason of your disability, unable to perform the functions with online banking that you could before.

This means the bank is breaking the Disability Discrimination Act 1995 (Sept 1999 implementation).

Reply to
Craig Cockburn

In message , Craig Cockburn writes

Is the DDA that specific? My recollection was that it required service providers to take reasonable steps to allow disabled people to access their service, not that it requires them to be able to access every service in exactly the same ways as everyone else.

Reply to
Mike_B

Are you sure you need to attach it to your computer? The standard one is something into which you put your bank card, type in some characters provided by the bank web page, then it gives you some characters to put back into the form on the web page. No physical connection necessary and all it proves is that you have possession of the bank card associated with the account.

Dave

Reply to
Dave {Reply Address in.sig}

Nonsense, you appear to have little idea as to what the DDA is all about. It does *not* restrict companies to providing only those services that all disabled people would be able to use, only that they should take *reasonable* steps to cater to disabled people.

What sort of banking service would we have if the only services they were permitted to offer were such that they could be used by a blind deaf dumb quadriplegic?

Reply to
Cynic
