
What's inside the reader for two-factor authentication?



Because one of my banks is finally moving from scratch cards to SMS codes, I had to go to their office to have SMS enabled.
As practice shows, logging in to Internet banking via SMS is not always safe: the phone number can be hijacked.
So I decided to find out whether the bank offers a hardware token, or, as they call it, a hardware password generator. It turned out they do. Not for free, of course.
As it happened, I already had a token from another bank, which looked like a key fob with a button.
But it was the only one, the bank was far away, and satisfying my curiosity (what is inside?) and then, if it broke, travelling fifteen hundred kilometres for a replacement was not an encouraging prospect.
Here, on the other hand, the bank is nearby and the token is not very expensive, so one can be broken and taken apart.
Alas, there will be no revelations.

(Careful, lots of images!)

Here and below, clicking on a picture opens a full-size photo, so watch your traffic!

When I first came for the token, I was handed this "calculator":



The card is inserted at the top. After inserting the card, you select the operating mode (A or B; they differ in the transaction limits), then enter your PIN, and then enter the challenge code that the Internet bank shows you. Once the challenge is entered, the device displays a response code. That is the whole procedure.

The back of the generator looks like this:



It was not possible to open the device without damaging it; the entire perimeter is glued:



Unscrew the screws and we see an ordinary membrane keypad:



And here, in fact, are all the guts. There is no point digging under the potting compound that covers the chip without special tools, so we can only guess which controller is on board.

A short lyrical digression.
A no-longer-relevant story about how the token/reader was issued
Before opening this token, I set about getting a second one. And here there were interesting details.
When I received the first token, I told the bank employee that I did not need SMS authorization. The answer was "uh-huh", yet the SMS saying that this type of authorization had been enabled arrived anyway. When I got home, I confirmed that both the token and SMS worked. That certainly did not suit me, so I would have to go to the bank again in any case.
On my second visit to the bank, I again said that I needed a token (the old one had been irretrievably destroyed) and that I needed SMS authorization disabled. Disabling SMS was no problem: a couple of clicks in their program, and I received a text message saying that SMS was disabled.
Binding the new token raised questions. Apparently the system at the bank was launched quite recently, and not all employees know what works there and how.
What should the logic be? A client comes in asking for a new generator. What should be done? Probably, unbind the old one and only then bind the new one. But judging by what the employee told me, it is not the token that gets bound, but the card (yes, I forgot to mention: the card must be a chip card, their tokens do not work with cards without a chip). After some thought, the employee decided to simply bind the new token, assuming that the old one would be unbound. The token was bound, which I checked on the spot over mobile Internet.
And then... And then I came home and, of course, the first thing I did was try the old token. And what do you think? Of course, the code from it worked just fine. So now I have two tokens. Therefore, once a token has been registered in the system, do not throw it away if it stops working! Someone could try to revive it, and then your money is gone! I believe only physical destruction of the device will help. Apparently the system either cannot unbind tokens, or it has to be done very, very cleverly. Dear representatives of the bank, you are surely reading this article and know your devices! Please draw your conclusions!

Now, actually, about the second token, the one in the title picture.
It is from a different company. Bank employees told me it seems to work more reliably than the white one, of which there are many defective units. It is more compact, and it has a beeper that sounds when buttons are pressed.

The first token is not designed to be opened, so its batteries are not meant to be replaced.
Here is the second one, front and back:





Of course, since I now have two tokens, I can swap the batteries in one of them and see whether it still works properly afterwards. As it turns out, both tokens work without problems after a battery change.

The black token is a little trickier than the white one. You have to peel off the front keypad sticker, under which there are screws that bolt the front panel (a printed circuit board) to the case:



Unscrew them and we get the two halves of the device:



The main board is larger:



And now a little personal reasoning.
The white calculator looks rather clumsy. It is bad that the design cannot be opened and the batteries cannot be replaced. Flux left unwashed on the board is not great either. Why a clock crystal is needed, if the key is apparently stored in the controller firmware, is unclear.
The manufacturer's website does not shine with information. I did not find purchase prices for such tokens.

The black one is a product of another company. The board looks better, and on the whole the device leaves a more positive impression. No price found either.

I am not a security specialist, but from the Wikipedia articles it follows that since the batteries do not affect the operation of the device, and one of the tokens has no clock crystal at all, OATH-type authentication is used.

UPD: I put on sackcloth and ashes. As Cobolorum and farcaller correctly point out, this is not a token but only a reader; key generation happens in the card itself, not in the reader. So do not panic if you lose such a reader. The main thing is not to lose the card.
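The procedure described above (insert card, choose mode A or B, enter PIN, type in the bank's challenge, read back the response) together with the two observations in this post (the "old" token kept working after a new one was issued, and the correction that the key lives in the card, not the reader) can be modelled in a few lines. The following is an added example written for this page, not code from the post or from either reader's manufacturer. It assumes an OATH-style challenge-response (HMAC-SHA1 over the challenge, truncated the way RFC 4226 HOTP truncates); the actual card algorithm is not given on the page, and all keys, PINs and card numbers below are constructed. The model makes the two points visible: any reader produces the same response for the same card, so replacing a reader changes nothing on the bank side, and the only thing the bank can revoke is the card's key.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 8  # constructed: length of the displayed response code


def hotp_truncate(mac: bytes, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation: 31 bits at the offset given by the MAC's low nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def compute_response(key: bytes, mode: str, challenge: str) -> str:
    """Shared between card and bank: the mode is bound into the MAC so a
    response for the low-limit mode cannot be replayed for the other."""
    msg = mode.encode() + b"|" + challenge.encode()
    return hotp_truncate(hmac.new(key, msg, hashlib.sha1).digest())


class Card:
    """The chip card: holds the secret key and PIN counter. The reader never sees the key."""

    def __init__(self, card_id: str, key: bytes, pin: str) -> None:
        self.card_id = card_id
        self._key = key
        self._pin = pin
        self.pin_tries_left = 3

    def sign(self, pin: str, mode: str, challenge: str) -> str:
        if self.pin_tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            raise PermissionError("wrong PIN")
        self.pin_tries_left = 3
        return compute_response(self._key, mode, challenge)


class Reader:
    """The 'calculator': keypad and display only. It has no key and no identity,
    so the bank cannot distinguish one reader from another (the post's two-token observation)."""

    def __init__(self, colour: str) -> None:
        self.colour = colour  # purely cosmetic, like the white and black units in the post

    def generate(self, card: Card, mode: str, pin: str, challenge: str) -> str:
        if mode not in ("A", "B"):
            raise ValueError("mode must be A or B")
        if not (challenge.isdigit() and len(challenge) == DIGITS):
            raise ValueError("challenge must be %d digits" % DIGITS)
        return card.sign(pin, mode, challenge)


class Bank:
    """Server side: knows each card's key; readers are not enrolled at all."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def enroll_card(self, card_id: str, key: bytes) -> None:
        self._keys[card_id] = key

    def revoke_card(self, card_id: str) -> None:
        # The only effective revocation: drop the card key. Nothing to do for a lost reader.
        self._keys.pop(card_id, None)

    def issue_challenge(self) -> str:
        return "".join(str(secrets.randbelow(10)) for _ in range(DIGITS))

    def verify(self, card_id: str, mode: str, challenge: str, response: str) -> bool:
        key = self._keys.get(card_id)
        if key is None:
            return False
        expected = compute_response(key, mode, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo() -> dict:
    """Constructed scenario: one card, two readers, one bank."""
    key = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")  # constructed
    card = Card("card-0001", key, "1234")                                 # constructed
    bank = Bank()
    bank.enroll_card(card.card_id, key)
    white, black = Reader("white"), Reader("black")
    challenge = "31415926"  # constructed; a real one comes from bank.issue_challenge()
    resp_white = white.generate(card, "A", "1234", challenge)
    resp_black = black.generate(card, "A", "1234", challenge)
    ok = bank.verify(card.card_id, "A", challenge, resp_white)
    bank.revoke_card(card.card_id)
    after_revoke = bank.verify(card.card_id, "A", challenge, resp_black)
    return {"white": resp_white, "black": resp_black, "ok": ok, "after_revoke": after_revoke}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both readers returning the identical code for the same card and challenge, the bank accepting it, and the code becoming useless only once the card's key is revoked; the PIN check and try counter live in the card, which is why a stolen reader on its own yields nothing.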

I will be glad of any comments and additions!
Please report any errors you notice by private message.

Source: https://habr.com/ru/post/234857/
