FYI: Trusted Reviews | Visa Revamps Humble Credit Card.

Ian Batten ukcrypto at chiark.greenend.org.uk
Thu, 13 Nov 2008 05:19:56 +0000


On 12 Nov 2008, at 18:11, James Firth wrote:

> Charles Lindsey wrote:
>> But this seems to rely on some purely internal mechanism to generate the
>> next in some pseudo-random sequence, so how does Visa know whereabouts in
>> the sequence your card is?
>
> Usually in such devices the sequence is [somewhat loosely]
> time-synchronised.  Codes have a lifetime of one minute +- n minutes.

And if the clocks drift too badly, SecurID (at least) goes into a
mode where you have to enter two successive, previously unused codes
to prove possession of the token, and then notes any time offset
between your token and reality.  So if you are asked for the current
and next code, and actually provide next and next plus one, the server
knows your token is running a minute fast.

This is part of the reason why SecurID tags are lifed, of course.
RSA guarantee operation until the expiration date, but after that they  
don't work, battery life or no.  So RSA can ship tags whose clocks  
will remain in bounds in terms of slew rate for five years >99% of the  
time, and fix the remaining <1% in the warranty process.   I don't  
know how Vasco manage this with their unlifed tags.

ian
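
The resynchronisation step described in the message above, as an added example that is not part of the original post and is not RSA's code: the code generator is an HMAC-based stand-in (RFC 4226 style truncation), not the SecurID algorithm, and the names `code_at`, `TokenRecord`, `verify` and `resync` and both window sizes are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, matching the one-minute lifetime in the thread


def code_at(secret: bytes, counter: int) -> str:
    """Six-digit code for one time step (stand-in algorithm, an assumption)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 1_000_000:06d}"


class TokenRecord:
    """Server-side state for one token (hypothetical structure)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0       # learned clock offset, in steps
        self.last_used = -1  # highest step already accepted; blocks replay


def verify(rec: TokenRecord, code: str, now: int, window: int = 1) -> bool:
    """Normal login: one unused code within +/- window steps of the expected step."""
    centre = now // STEP + rec.drift
    for c in range(centre - window, centre + window + 1):
        if c > rec.last_used and hmac.compare_digest(code_at(rec.secret, c), code):
            rec.last_used = c
            return True
    return False


def resync(rec: TokenRecord, first: str, second: str, now: int, window: int = 10):
    """Drifted token: demand two successive unused codes inside a wider window,
    then record the offset. Returns the offset in steps, or None on failure."""
    server = now // STEP
    for c in range(server - window, server + window + 1):
        if (c > rec.last_used
                and hmac.compare_digest(code_at(rec.secret, c), first)
                and hmac.compare_digest(code_at(rec.secret, c + 1), second)):
            rec.drift = c - server
            rec.last_used = c + 1
            return rec.drift
    return None
```

Requiring the pair is what lets the server search a much wider window safely: a single guessed six-digit code has far better odds of landing somewhere in twenty-one steps than two consecutive ones do.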