Payment cards
Seeker, 2021-10-28 11:57:38

How do bank cards work?

I would like to know how credit cards work. Here I am a person who knows nothing about banking, but understands cryptography.
How I imagine it: A card is an access key to a bank account that allows you to withdraw cash from an ATM, pay for purchases in stores and online, while the card has a Visa, MasterCard or MIR payment system number, which is an intermediary for making transfers, thus the card provides access to the payment system, and not to the current account. The key is most likely a digital signature certificate of the PKCS standard, possibly PKCS #12, with which the owner signs his actions, and if there is a certificate, then there must be a certification authority, which is a bank, payment system or some organization that all banks and payment systems trust. It is also necessary that a third party who has taken possession of the card could not use it, for this the certificate itself is encrypted,
And now 2 more factors from which it follows that all my assumptions are wrong.
1) We can make our plastic card electronic by adding it to the GPay application, that is, you can still copy it.
2) Online purchases, in which we present only the card number, CVC code and secret code from SMS, but do not present the digital certificate itself. I can assume that this means that the card does not contain any digital certificate for accessing the payment system, and this certificate is actually stored in the bank's database, but the card contains a certificate for accessing this certificate; an alternative access method is two-factor authorization with the help of SMS, online banking or a mobile application.

During the week I received a Raiffeisenbank card, in the process of communicating with a bank employee, not a single paper was signed, all actions were performed exclusively in a mobile application, including the signing of an agreement. But something else struck me - now it is possible to reset the pin code of the card using a mobile application, by the way, Sberbank also has such a feature. So does the card contain information that is encrypted with this same pin code or not? And what does it turn out, now anyone who takes possession of the phone of the cardholder will be able to access his account?

So, in addition to the question of how bank cards work, another question arose: whether it is safe to use mobile applications of banks, SMS banking and applications like GPay, and whether there are banks now that allow you to receive the full range of services with a bank card without the obligatory installation of a mobile application?

6 answer(s)
Vladimir Korotenko, 2021-10-28
@firedragon

Don't sweat it. It is not possible to clone a chipped card.
Well, here the pin code is not passed on and the phone is kept with you.
You can still get a 2nd card and use it, and transfer money from the main one only from the computer.
Well, almost all "robbery" is social engineering. You yourself enter the confirmation code or card details.

Igor, 2021-10-28
@DMGarikk

I will try to describe very briefly:
A plastic bank card is literally a card number, expiry date, some technical information and THAT'S ALL. That is how it was originally. It originally had no keys, etc. But then, when they appeared, they began to perform a slightly different function than signing transactions.
At the end of the 2000s, chip (EMV) cards appeared en masse, which, in addition to the card number, actually store a certain key and can check the PIN code offline (so as not to send requests to processing, and for offline operations) and remember the last balance of money. But that's all. The increase in security here is that the card still has a stripe where its number and date are recorded to support old standards.
The security of this scheme is ensured by the fact that all transactions on a chip card must be made on the chip; if they are carried out on the stripe (instead of the chip) and then disputed, the bank must return the money to you without any special investigation for six months.
Systems like GPay do not make a copy of the card; they issue some kind of virtual card analogue and make payments on behalf of this 'virtual' card... deducting money from yours, just as if you had subscribed to an online cinema with an auto-pay function.
Further, two-factor authentication is not mandatory at all. In the Russian Federation it is a little more common than in the rest of the world, but it is always optional and protects not the buyer (no matter how strange it may sound).
==
And the most important thing, incomprehensible and inaccessible to many, even some bank employees:
A bank card transaction can be carried out with ONLY a card number. ALL. no CVV/CVC needed, no expiration dates, no owner name, no chip details, nothing, ONLY a number.
This operation, of course, cannot be done by any employee in the store (about 7 years ago they covered a very big hole in this direction, by the way), but it is possible and is often used by hotels, for example.
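
A toy model of the "virtual card" idea described in the answer above, added here as an illustration and not part of any post in this thread: the wallet holds a token and a key instead of the real card number, and the issuer maps the token back to the card. It goes beyond the post by adding a per-payment counter and cryptogram, which is why a captured payment message cannot be reused. HMAC-SHA256 stands in for the real EMV cryptogram, and the class names, token format and card number are constructed.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, atc, amount):
    """One-time proof over the token, transaction counter and amount."""
    msg = f"{token}|{atc}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Toy issuer/token service: the real card number never leaves it."""

    def __init__(self):
        self._vault = {}  # token -> pan, key, last counter seen, active flag

    def provision(self, pan):
        # Constructed token format: 16 digits, unrelated to the real number.
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_atc": 0, "active": True}
        return token, key

    def suspend(self, token):
        # A lost phone is handled by killing the token, not the plastic card.
        self._vault[token]["active"] = False

    def authorize(self, token, atc, amount, cryptogram):
        rec = self._vault.get(token)
        if rec is None or not rec["active"]:
            return "DECLINE: unknown or suspended token"
        expected = make_cryptogram(rec["key"], token, atc, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        if atc <= rec["last_atc"]:
            return "DECLINE: replayed counter"
        rec["last_atc"] = atc
        return "APPROVE: debit card ending " + rec["pan"][-4:]


class Wallet:
    """Phone side: stores only the token and its key."""

    def __init__(self, token, key):
        self.token, self._key, self._atc = token, key, 0

    def pay(self, amount):
        self._atc += 1
        proof = make_cryptogram(self._key, self.token, self._atc, amount)
        return self.token, self._atc, amount, proof
```
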

Ricardo Sanchez, 2021-10-28
@yakovlev_13

The most dangerous invention is a smartphone case with card pockets. And the most fiasco is when the phone is not password protected. Or the password is displayed for a split second as you type. It's easy to remember.
The essence of the fear is clear, but there are so many of us that thieves and scammers do not have to resort to ingenious high-tech hacks of ordinary laymen. There is always a decent mass of individuals who part with funds voluntarily.
As the cat and the fox sang in the famous film: "A fool does not need a knife ..."
Sleep well))

Eugene Lerner, 2021-10-28
@ehevnlem

I don’t understand the details of how the card works, but I think that whoever takes possession of your phone gets access to your account. Even if the mobile phone is password-protected, it can be opened. I think the only guarantee is if the card data is stored encrypted and you remember the key or keep it somewhere separate from the mobile, and the data is transferred to the bank after decryption, and at the same time the history of Internet requests in the mobile is not saved. On the other hand, a person who knows how to open mobile phones in this way makes good money and if you don’t have a lot of messing around in your account. And having access to the account, this money still needs to be cashed out, which is risky.

Seeker, 2021-11-05
@Iskatel_S

Can you elaborate on the fact that the processing center can disable the requirement to present a PIN code or CVC code? Is this a law? Can I send an appeal to the bank so that some operations, such as resetting the login and password for the application, could not be done in the application itself, but only during a personal visit to the bank office?
