Rapport lacking

Started by Rik, Oct 03, 2011, 19:05:22




Technical Ben

#26
Quote from: tehidyman on Oct 05, 2011, 10:12:30
I note you use the descriptor apparently random numbers.  If they are random how does the 'bank' know they are correct and if not random they surely are not secure. There appears to be no time or date in the card reader and no form of transmission between the reader and the computer (except what you type in)  I have used the same card reader for two account numbers (Mr and Mrs) with the correct cards. I have also used that card reader for a different bank, was told they are generic.  All with no problem.  Puzzled as to how they can work if they are random and how secure they are if not random.

Both you and the bank have an original "one time pad" like setup. It's not quite "one time", but unless you use it 9999 times, it's not going to repeat a pattern. As far as I can tell, the bank has a master list at their end of pin pad codes. When you do the first setup, it gives the code for the bank to get the right list. Then, each time you log in, the pin gives 2 numbers, first the "password" then the "place in the list the password is located". So, it's impossible to crack. When you do a transfer as well, they ask you to enter bank account numbers and amount; this is "salted" into the password, so that the password cannot be used for other accounts if someone gets hold of the information. However, an attacker could steal your pin code machine, hack the bank's master file, or do a man in the middle/phishing attack. Better than no code altogether though.

I've not found a website with the details, but that's how I see it working. It might just hash the key as Rik said. Reading up, it may not have a "list" of codes, but just use a calculation to get the correct number. :P

I used to have a signature, then it all changed to chip and pin.
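The scheme Technical Ben describes above (a per-card secret shared with the bank, a "place in the list" counter sent alongside the code, and account number plus amount salted into the code for transfers) can be modelled in a few lines. The following is an added example and not code from this thread or from any bank or card vendor; it uses an HOTP-style HMAC construction (counter plus transaction details, truncated to eight digits) as a stand-in for whatever the real reader computes, and the card secret, card id, account numbers and amounts are all constructed values. It shows why a code that verified for one transfer is rejected when replayed or when the destination account is changed.

```python
import hashlib
import hmac

# How far ahead of the last accepted counter the bank will still accept a code
# (the reader's counter drifts when a code is generated but never submitted).
WINDOW = 100


def derive_code(card_secret: bytes, counter: int, account: str = "", amount: str = "") -> str:
    """Assumed construction (not the real card algorithm): HMAC-SHA256 over the
    counter and the transaction details, truncated HOTP-style to 8 digits.
    Binding account and amount into the MAC is the 'salting' described above."""
    msg = counter.to_bytes(4, "big") + account.encode() + b"|" + amount.encode()
    digest = hmac.new(card_secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation, as in RFC 4226
    val = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{val % 10**8:08d}"


class CardReader:
    """Card plus reader: holds the card secret and a counter, the 'place in the list'."""

    def __init__(self, card_secret: bytes):
        self._secret = card_secret
        self._counter = 0

    def respond(self, account: str = "", amount: str = ""):
        """Return (counter, code); the counter is sent in the clear with the code."""
        self._counter += 1
        return self._counter, derive_code(self._secret, self._counter, account, amount)


class Bank:
    """Bank side: the master list is just the per-card secret and the last counter seen."""

    def __init__(self):
        self._secrets = {}
        self._last_counter = {}

    def enrol(self, card_id: str, card_secret: bytes) -> None:
        self._secrets[card_id] = card_secret
        self._last_counter[card_id] = 0

    def verify(self, card_id: str, counter: int, code: str, account: str = "", amount: str = "") -> bool:
        secret = self._secrets.get(card_id)
        if secret is None:
            return False
        last = self._last_counter[card_id]
        # A counter at or below the last accepted one is a replay; far ahead is out of sync.
        if counter <= last or counter - last > WINDOW:
            return False
        expected = derive_code(secret, counter, account, amount)
        if not hmac.compare_digest(expected, code):    # constant-time comparison
            return False
        self._last_counter[card_id] = counter          # advance only on success
        return True


def demo() -> dict:
    """Walk through login, a transfer, a replay and a redirected transfer (constructed data)."""
    secret = b"constructed-card-secret-0123456789"     # constructed; never reused in practice
    bank = Bank()
    bank.enrol("card-1", secret)
    reader = CardReader(secret)

    ctr, code = reader.respond()                       # plain login: no transaction details
    login_ok = bank.verify("card-1", ctr, code)

    ctr, code = reader.respond("12345678", "250.00")   # transfer: account and amount salted in
    transfer_ok = bank.verify("card-1", ctr, code, "12345678", "250.00")
    replay_ok = bank.verify("card-1", ctr, code, "12345678", "250.00")

    ctr, code = reader.respond("12345678", "250.00")   # fresh code for the intended payee ...
    redirected_ok = bank.verify("card-1", ctr, code, "99999999", "250.00")  # ... submitted for another

    return {
        "login_accepted": login_ok,
        "transfer_accepted": transfer_ok,
        "replay_accepted": replay_ok,
        "redirected_transfer_accepted": redirected_ok,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model also makes the poster's caveats concrete: the security rests entirely on the card secret staying inside the card and the bank's master list, so a stolen secret or a compromised bank database defeats it, and a man-in-the-middle who presents the victim's own account and amount to the reader still gets a valid code for that exact transaction.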

Gary

Rapport gets mentioned here on the Reg: Trusteer has downplayed the significance of reports that it might have been possible to bypass its anti-keylogger online banking protection technology. http://www.theregister.co.uk/2011/10/11/trusteer_rapport_security_bypass/
Damned if you do, damned if you don't.

Rik

Well, they would, wouldn't they? ;)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.