Barclay's PIN sentry card reader

  • Published: 19 Aug 2024
  • A super quick teardown of Barclay's PIN Sentry reader - disappointing really, it's a cheap thing with chip-on-board and not much else. I hoped for some anti tamper stuff... Oh well, I am uploading it anyways :)

Comments • 56

  • @abba6497 3 years ago +3

    It works with any UK bank you were using an expired card and it’s designed to know whether there’s a valid card inserted or not

    • @ZephodBeeblebrox 1 month ago

      It has no way of knowing whether the card is expired or not. It's just a dumb code generator.

  • @hrnekbezucha 6 years ago +4

    I'm pretty sure the actual algorithm is stored in RAM on the little COB. Once you take the batteries off to get in, it's dead and done. I'm also pretty sure the chip has a temperature sensor and when you keep it powered and get your heat gun to take the epoxy blob off, it'll kill it. Likely some current sensing if you try to probe the wrong test point. It's not a state-of-the-art device but it's good enough. Most of the anti-tamper things can be right on the chip, either software or hardware, which makes it simpler and cheaper.

    • @airportdocumentaries 4 years ago +1

      No, it will still operate as normal if you replace the battery. I had one from NatWest and it still worked after changing batteries. All it does is decrypt the code your bank gives by combining it with information on your card, it then generates the decrypted code. Your card has the actual algorithm. After you input your pin it can get the algorithm from your card and decrypt the code your bank has provided, which will then reveal the correct code. Also, the code your bank has provided can generate multiple other codes which are all valid.

  • @SionynJones 4 years ago +2

    The card rejection part is because criminals were using these devices to force victims to reveal their PINs under duress.
    Quite an oversight. I much prefer HSBC's approach to a one-time password token that isn't prone to side-channel type of attacks.

  • @ZephodBeeblebrox 1 month ago

    That's about what I expected to be inside that card reader. There's no wifi nor cellular connection. It just takes the card, checks your pin and uses the figures produced by the website as a public-private key cryptosystem and then gives a coded message which is entered and verified by the bank system.

  • @Microang 5 years ago +7

    They are the same between banks as well, my Nationwide works with my Barclays card and vice versa... No need to secure the hardware as you require the card and PIN to do anything with it...

    • @rlaranjo 5 years ago +3

      FFS! I used my Barclays card in the NatWest one and it worked! Thanks, you saved me a trip to the bank!

    • @randomtronic 5 years ago +1

      That's some secure stuff right there!

    • @Ironbuket 4 years ago +2

      @@randomtronic All the reader is used for is to prove you have the card. The device itself is not the security. The algorithm to provide an answer to a particular card number is where the security is. Find that out from the reader and then you have broken their security.

    • @randomtronic 4 years ago

      That actually makes perfect sense! Thanks

  • @SIGSEGV1337 3 years ago +3

    I wonder how hard it'd be to replace the firmware with something fun?

  • @VinniesKitchenYt 7 years ago +4

    I didn't know how to send a PM on this phone app, but I have a Philips Sonicare toothbrush that doesn't work anymore if you want it to tear apart. It is clean LOL

    • @randomtronic 7 years ago

      XxbeouwulfxX sure, thanks! A random electronic item to rip apart sounds great! Email me please on randomtronic@gmail.com

  • @JosPlays 5 years ago

    I got the identifier today, I am not even 100% sure from which bank and have no idea how to actually log in because all the banks I'm a customer with have a manual to use this.

  • @MarcVinal 4 years ago +1

    You need the pin entry to sort & load your app to your phone or go to ATM!

  • @3D_Printing 7 years ago

    I think Lloyds TSB used these as well, when Lloyds was joined to the TSB

  • @niirahmed5294 7 years ago +1

    When I put my card inside the device calculator, it wants the PIN number, then wants me to enter a number again. Which number? I don't know. Can anybody tell me, please?

    • @grassytramtracks 2 years ago

      If you press respond or sign, (which you use for certain online banking functions like making a transfer), there'll be a number on the screen which you type into the card reader

  • @ethanmccrory1727 5 years ago +1

    How do these communicate because they create a one-time use code. Is it through the mobile network?

    • @airportdocumentaries 4 years ago +1

      No, they don't communicate. You input a code that your bank gives, and the reader will decrypt the code and give you a new code that is only valid with the code your bank gave.

    • @ethanmccrory1727 4 years ago

      @@airportdocumentaries but it changes every time. How does it know?

    • @airportdocumentaries 4 years ago +2

      @@ethanmccrory1727 Once you input your pin on the reader, the reader can then access the algorithm in your card to decrypt the code your bank provides. When you decrypt the code the reader will display a new code which is linked to the original code you entered, but the code displayed can be different as there are multiple other codes that are linked to the original code your bank provides. All of them will be valid.

    • @ethanmccrory1727 4 years ago

      @@airportdocumentaries ah I see, thanks!

    • @gladysdunn9089 4 years ago

      @@ethanmccrory1727 using seeds such as time, your pin tied to your account/card, and probably another algorithm. So entering your card and pin, will generate a unique code specific to your account valid for a short period of time. Your online account will be aware of what pin would be valid for your account using that same algorithm.
      So you never have to input your pin into your device/pc or the Internet.

  • @benjylinux5183 7 years ago +1

    Then how did you get it if you don't have an account?

    • @randomtronic 7 years ago +1

      +Benjy Linux friend had one, then lost it, bank gave him new one. Then he found old one and gave it to me. Besides, eBay is full of them now if you want one - have a look.

  • @deafmouse99 6 years ago

    How do I input an amount?

  • @stedunn563 7 years ago +3

    They are generic, I used my nan's Barclays device when I couldn't find mine and it worked the same.

    • @randomtronic 7 years ago +2

      I thought so, it didn't seem there was anything specific to an account inside. Presumably it's just a calculator that reads the chip on the card and generates a random code that matches the chip.

    • @stedunn563 7 years ago

      It's based on an algorithm that gets the time and your card's ID, then gives an output that you use to sign in online. If you take time putting in the 8 digits you miss your time slot and you have to try again. I'm a software developer and have a little idea how they work. I know 100% it does use time as a factor in the algorithm but I'm not sure what information is retrieved from the card chip itself, it's interesting though. Good video :)

    • @randomtronic 7 years ago

      +Ste Dunn that was my thought initially, but then I thought where will it get time/date from... There must be some clever engineering behind this :) Thanks!

    • @stedunn563 7 years ago +1

      I'm guessing it would have an internal clock that always has power to it, even when the card is disconnected.

    • @randomtronic 7 years ago

      Possible. But I think there is more to it.

  • @robloxianreveiw3187 6 years ago

    I have that
    No man

  • @davidshrimpton1791 5 years ago

    But you don't actually show how to replace the batteries! That's the most difficult part of it.

  • @benjylinux5183 7 years ago

    You need to put a card in it