Friday, August 3, 2012

SafePass from the Bank of America

This puzzle will come in handy for many of us who are clients of Bank of America, the second largest bank in the US and the third biggest company in the world.

How can a bank verify the identity of a person doing an online transaction? Yes, one types an ID and a password into the website. Pretty safe, but we constantly hear about user information being stolen by various parties. Plus, let's be honest: most of us use the same credentials for many sites, and some stick a note with them on their screen. A few security questions? Very well, but we frequently forget our mother's date of birth or the names of the school teachers we chose these questions to be about.

The new SafePass card from Bank of America offers extra protection. It is slowly becoming a must-have without which you can't perform certain online transactions. You pay $19 to get this card and then use it to generate numbers that you enter on the website. Now, all this is not an ad for the SafePass card but rather a puzzle. How does it work? How does this card ensure that the person ordering a one-million-dollar transaction from your bank account is indeed you?

For those who can't see the image clearly: there is a button that you press for a SafePass code and a digital window where this code appears. For the next transaction, press the button again and a new number will appear. Apparently you can take this card with you to the North Pole and it will still work... How?

Your answers are accepted any time until midnight Eastern Time on Sunday, on our Family Puzzle Marathon.


Dennis (of Dennis and Katrina) said...

Electronics in the card do two things: 1) keep the time pretty accurately and 2) contain an algorithm that generates a number based on the card's serial number and the time. BOA's network knows which card is registered to you and linked to your account and also knows the time and algorithm your card is using. When you log in and enter the code, the network generates a code, too, and compares it to the one you entered. The algorithm generates a new code on some fixed time schedule (part of the algorithm), which is why you only have a certain amount of time to enter a code. I believe VPN tokens work in a similar manner.
-Dennis (of Dennis and Katrina)

Ilya said...

Having used similar devices before for "VPN secure login" to access private corporate networks, I had a chance to think about this in the past, so you might say I have an unfair advantage :-). I think the way this works is via a fairly precise digital clock inside the card. Based on the card/customer ID and the current time, the card generates a new passcode every so often using a secret algorithm. The code is only valid during a limited period of time, on the order of a minute or a few minutes at most. When entered, the bank server software on the other end will generate the number using the same exact algorithm in order to verify the code supplied by the customer. There is probably some leeway allowed, e.g. if you entered your code right on the border of its being valid, the bank's server can still allow it by checking against the passcode that was valid in the immediately preceding time period. Note that this mechanism is highly dependent on the accuracy of the card's internal clock. If that clock is significantly off, or if the battery runs out, you are out of luck and most likely have to replace the card. I have to wonder how the internal workings of the card are protected - the low-level assembly code running inside the card must be well encrypted and obfuscated in order to protect it from being reverse-engineered!

anne-marie said...

The server already knows the different sequences, so the number created with a person's password followed by "random" numbers is recognized by the server.

Jerome said...

I don't have any idea exactly how this works, but I can tell you something about how it works in Canada, but first a guess.

The trick is to get the card to give out the same number as would be calculated by the bank's number generator.

The easiest way I know of to accomplish this is to use your assigned number along with a time generator. The number is good for the next n minutes or parts thereof.

That's how random numbers that are truly random are generated in many computer languages.

One of the things I found out about this problem is what happens when you realize you've lost such a card. It happened in our family. We have a debit card, and that led me to ask some questions.

Jerome: When I report this card lost, what happens? Aren't all the details of my account encrypted on the card?

Bank: Yes.

Jerome: So why aren't you concerned?

Bank: Because the numbers on your card have nothing to do with your account. They are merely an encrypted link to your account.

Jerome: No mention of my PIN?

Bank: Oddly, no. You go through the first database, which recognizes the link.

Jerome: So it doesn't go directly to my account?

Bank: No. It goes to another data bank, which then checks if the link is the proper one. If it is, you get to your account. If it does not, your card is eaten at the ATM and you have to go into the bank to retrieve it (if you are at a bank). It just rejects your request if you are not.

Jerome: Brutal.

Bank: but Safe.

Anonymous said...

Each card has an algorithm to generate a number based on the current time and the card's serial number.
After you receive the card in the mail, you need to calibrate it with the bank's website.
You do that by entering one code, waiting a certain amount of time and entering another code.
The first digit of the code will be incremented by one every 30 seconds (so if your first code starts with a 6, the next code will start with another number), so the server knows what time the card thinks it is.


Anonymous said...

Some of the extra security measures for credit cards work by sending a credit card user a one-time randomly generated code to use with their purchases. One of my credit cards offers this service through their web site. Other credit cards have done this with docking stations for the card holder's home computer.

Your puzzle indicates that this extra security feature for the Bank of America card works even at the North Pole, where I am presuming there is no internet access. For the card to work in such circumstances suggests that the randomly generated Safe Pass codes are stored on a computer chip on the card. The Safe Pass codes are 6 digits long. If only numbers are used, there are 10^6 or 1 million possible random numbers that could be generated.

I expect that the security chip on each of these Safe Pass credit cards has a long list (probably somewhere between 10,000 and 200,000 long; 200,000 would be enough to make 273 purchases a day for 2 years) of semi-randomly generated 6-digit numbers that was created using a complicated algorithm, and there may be different variations of the algorithm in use too for additional security. When a person has one of these cards and goes to use it, the scanning machine reads the chip and knows if the number being entered matches the next number on the ordered list. Each time a number is used, that information is sent to the card's chip so that it can't be used again and so that the pointer knows the next number in the list.

One question I would have about this technology is whether vendors accepting the card would need to have special updated card readers which can read the card's computer chip and which don't need internet access to verify the transaction. Most retail stores rely on internet access for verification and, if there are problems with their internet connection to a certain credit card company, do not allow that company's cards to be used until the connection is fixed. To have a card that worked without internet access, the card seems like it might also need to keep track of money spent so that a card user doesn't go over their credit limit.

There is also the less technical question about what types of purchases one might be making at the North Pole.

Maria and fellow puzzle solvers, enjoy these last few weeks of summer. I cannot wait until slightly cooler weather returns.


Maria said...

Very interesting. It seems that many here know exactly how this card works.

First of all, let me clarify for TracyZ that this card is not accepted at stores and is only used by the bank customer to authenticate online transactions. Say your laptop is frozen at the North Pole and you have to pay your gas bill from your friend's laptop; you have to authenticate this new laptop. When you press the button on your SafePass card it generates a random number that you enter on the bank's website. The bank apparently has a mechanism to generate this number as well and compare it with your number. Match -> authentication.

So, the bank and my card generate random numbers in the same order, which is different from any other person's card. How? They use the same random number generation algorithm, seeded by my card's serial number.

But how do they keep synchronized? I can press the button on my card many times and the bank won't know about it. Many here suggested that the card keeps track of time and that this random number generating algorithm uses the current time in addition to the card's serial number to create a code.

Something to continue thinking about when you are on vacation. Perhaps something to take with you on the vacation. A puzzle point for everyone who participated. Back in a few weeks.

Anonymous said...

TracyZ writing:
Maria, thanks for the clarification about the puzzle. I knew that authentication and random number generation algorithms were involved, but from the moment I first read this problem and the North Pole reference I had been thinking that the problem would involve authentication when the card reader and the issuing bank had no way to talk to each other at the time of the transaction. There are quite a few parts of the world without internet access (even right in western Massachusetts, a number of areas don't have internet access except via satellite), and it seemed to me that there must sometimes be demand for credit card verification in such circumstances......
I realize now, upon reflection, that though that's true, it's probably not a big enough market for BoA to design a whole credit card technology around. (And I am not sure how a card for point-of-sale verification with bank confirmation would work...)

I am still intrigued by the idea of making credit card purchases from the North Pole, a place without any permanent settlement. Maybe the purchase could be made from North Pole, Alaska (pop: 2,200; located 140 miles from the Arctic Circle) or another North Pole (North Pole, NY; North Pole, OK; or North Pole, ID - who knew there were so many?). :)

Nicolas said...

This kind of device is called a one-time password generator. There are two kinds of devices: time-based (password changes every N seconds), and event-based (password changes every time you press a button). Currently the emerging standard for one-time password generation is called OATH (look it up). So how does this work?

For both time-based and event-based generators you start from a secret seed, a very long random number that is unique for each device and must remain secret. For time-based generators you take this seed, mix it with the current time and pass it through a number mixer (a hash function). For event-based generators you mix the secret seed and the event counter (starts from zero, increments by one every time you press the button). The result is your one-time password.

On the bank side the server knows the secret seed for every customer so whenever you try to login it does the same operation and sees if it gets the same result. If it does, you proved that you own the generator.

These devices obviously have synchronization issues. Time-based generators do not have precise clocks, it would be very hard to build and pretty expensive to do so. Instead, the server is a bit smarter and compares the password you provided to passwords generated with adjacent time values, say within plus or minus 5 minutes. If it finds that your generator is systematically too late or too early it will adjust with a drift and remember it for the future.

Event-based generators can get de-synchronized too. Let your kids play with the generator for a couple of minutes and your generator counter will be far ahead of the server counter. What you need to do in this case is generate two consecutive passwords and enter them together. When the server sees that you entered more digits than needed it understands you want to re-synchronize: it will then generate many passwords for consecutive counter values until it finds a match for the two consecutive passwords you gave. Once this is done the server can adjust its own counter to match yours.

Between time-based and event-based there is no obvious winner in terms of security or convenience. Both have advantages and disadvantages.

Google actually offers a one-time password based on OATH to authenticate yourself when logging in. Instead of distributing hardware generators you download an app for your mobile. Check out two-factor authentication in your Google account settings. It is really easy to use and fun too!
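The mechanism Dennis, Ilya and Nicolas describe above, as an added example that is not part of the original post and is not Bank of America's, OATH's or Google's code: HOTP (RFC 4226) and TOTP (RFC 6238) over a per-device secret, plus the two server-side re-synchronisation strategies Nicolas mentions (a time window with a learned drift, and a forward search on two consecutive event-based codes). The secret is the RFC test key, and the times, counters and window sizes are constructed for illustration; a real token's secret is never known outside the device and the bank.

```python
import hashlib
import hmac
import struct

# Constructed for illustration: the RFC 4226/6238 test secret, not a real token's key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int, known_drift: int = 0,
                last_counter: int = -1, window: int = 10, step: int = 30,
                digits: int = 6):
    """Server side, time-based. Try counters around (server clock + learned drift).
    Returns the matched absolute counter, or None. The caller stores it as
    `last_counter` (so the same code is never accepted twice) and updates
    drift = matched - server_time // step for the next login.
    Note: 2*window+1 candidates multiply an attacker's guessing odds by that
    factor (21/10**6 per attempt here), so attempts must be rate-limited."""
    now = server_time // step
    for delta in range(-window, window + 1):
        c = now + known_drift + delta
        if c <= last_counter:                     # replay: already-used counters are rejected
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def verify_hotp(secret: bytes, code: str, server_counter: int,
                look_ahead: int = 20, digits: int = 6):
    """Server side, event-based. The button may have been pressed a few times
    without a login, so accept any counter in [server, server + look_ahead).
    Returns the new server counter (one past the match), or None."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def resync_hotp(secret: bytes, two_codes: str, server_counter: int,
                max_ahead: int = 10000, digits: int = 6):
    """Large desynchronisation: the user enters two consecutive codes. Search
    forward until two adjacent counters reproduce both, which is far harder to
    hit by chance than a single code. Returns the counter after the pair, or None."""
    if len(two_codes) != 2 * digits:
        return None
    first, second = two_codes[:digits], two_codes[digits:]
    for c in range(server_counter, server_counter + max_ahead):
        if (hmac.compare_digest(hotp(secret, c, digits), first)
                and hmac.compare_digest(hotp(secret, c + 1, digits), second)):
            return c + 2
    return None


if __name__ == "__main__":
    # Card clock 90 s behind the bank: the code still verifies and the drift is learned.
    card_time, bank_time = 1000, 1090
    matched = verify_totp(SECRET, totp(SECRET, card_time), bank_time)
    print("matched counter", matched, "drift", matched - bank_time // 30)
    # Event-based token pressed 50 times by the kids: two codes re-synchronise it.
    print("resynced to", resync_hotp(SECRET, hotp(SECRET, 50) + hotp(SECRET, 51), 0))
```

The `hmac.compare_digest` calls are deliberate: comparing codes with `==` leaks, through timing, how many leading digits of a guess were right. The replay check in `verify_totp` matters because a 30-second window plus a drift window lets a phished code be valid for minutes otherwise.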

Anonymous said...

I thought it was done using magic....Go figure.

Unknown said...

I am an American living in Indonesia. I have a Bank of America account which I manage solely online. My primary consideration for a Safe Pass Card is occasional higher dollar amount transactions.
1.) would the card function normally from my location in Indonesia when online with my Bank of America account?
2.) what is the life of the card, like the lithium functioning part of the card's mechanics?

I would appreciate your help with this matter, thanks.
Ken H.

Maria said...

Hi Ken,
I have used this SafePass card from abroad (Israel) and can assure you that it does work.
So far I have had this card for over a year and it functions smoothly. Not sure about the longer lifespan, but I assume you can google this or ask a BOA representative.

