How Does A Card Scanner Work? in The AnswerBank: ChatterBank

How Does A Card Scanner Work?

sandyRoe | 12:16 Mon 24th Mar 2025 | ChatterBank
16 Answers

You enter the last 4 digits of your card onto the website and then put your card into the scanner. It generates an 8 digit number. A good security device, I think.

Any explanation in layman's terms, please.


Answers


I think (but don't know) that it works in a similar way to the Authenticator app.

It generates a number based on the time of day and a code specific to your account. The code refreshes every 30 seconds.

12:30 Mon 24th Mar 2025


I use one of these with my on-line banking and thought to myself, how does this work when there is no connection (electrical, wireless or otherwise) between the card reader that generates the code and the bank.

 

Logically it works in this way; with the bank knowing the last four digits of the card (you are using) it has a look-up table of all the allowable 8 digit numbers that are valid for that card (belonging to you); or alternatively it uses the same algorithm (as embedded in the card reader) to check your input number is one of those valid.

 

For you to obtain one of these 8 digit valid numbers, you have to place the card in the card reader and enter the correct pin.

 

With 8 digits required, there are 99,999,999 [100 million if you count 0000 0000] possible numbers – if for example there are only 10,000 valid 8 digit numbers that can be generated by your card (using the card reader), someone would have a one in 10,000 chance of guessing a correct number.

Based on my explanation above, in theory once you obtain a valid 8 digit number, you could use it again and again – I’ve never tried this, but I suspect the banking system removes a previously used valid number (or they are time barred) to stop this method of circumventing the card’s security features.

 

I don’t think it works how Barry suggests – the card reader does not know the time or date, I’ve even had to replace the battery in my card reader (I’ve had it that long).

You're right about the card reader not knowing the time. I've had to change the battery in my card reader, too.

AI says

"The reader generates a one-time passcode (OTP) based on the card's data and your PIN. This code is unique for each transaction or session."

 

If the card reader generates a unique single 8 digit number (valid for that transaction only), rather than one of say 10,000 permissible codes (as I have suggested) – how does the bank’s computer system know that this is the only number, when there is no connection whatsoever between the card reader and the bank?

Maybe there is a strict order, rather than random

 

I met a young fella who said from behind a sweetie counter where he was serving

My grandfather patented the brown strip in back cards in 1962. He is very rich

(clearly not a trust babe) - only in America

bank card - not back card, this is AB after all

I used to work in a bank and when I asked the IT people this very question they didn't seem to really know either. I understand how the ones work which are connected to the internet but the others baffle me! I was told they are millions of sequences which pick random numbers and they tally up with algorithm at the bank. However if I generate a code and don't use it - how would the bank know? Sorry this doesn't answer your question🫣

you thinking about the small PIN entry devices, eg this one?

They don’t talk to the bank at all. They send the PIN you enter to the chip on the card, which then checks the PIN is correct, and then does a bunch of maths to generate a code. After checking out online, you’re sent to a web page hosted by your bank, and you enter the code there to send it to your bank, which verifies it.

The important part is the maths. The card has a secret that only it knows, and uses it to generate the code. The bank has a corresponding secret it can do its own math on, to verify the code came from someone that knows the card’s secret. It’s very difficult to get the secret off the card’s chip, and the chip won’t generate a code unless you feed it the correct PIN.

Put all these together, and by giving the bank a correct code, you’ve proven that you a) had the card and b) knew the correct PIN for the card. All without the card or reader talking directly to the bank.

I’ve just completed the following tests using my card reader.

 

I generated three separate 8 digit numbers to enable me to log in to my on-line account.  I did this by placing my bank card in the reader, entering the pin number and recording the 8 digit number displayed, then removing the card – and repeating the process two more times.

 

I then logged in to my on-line bank account using the first generated 8 digit number, which was successful.  I then logged out, waited about 5 minutes, then attempted to log in using the second generated 8 digit number, again this was successful.  I then logged out, waited about 5 minutes, then attempted to log in using the third generated 8 digit number, which once again was successful.  I then logged out and waited about 5 minutes before attempting to log in using the first generated 8 digit number again – this failed, with the web page showing an error code.

The system will be set to accept only the most recently generated eight-digit number.

In my test above, my on-line account accepted a number that had been generated prior to two later generated numbers.

I read it as being used after being generated.

Can you generate a couple more but use the fifth one before the fourth?

It might be that several can be generated and each can be used in any order but only the once.

I’m willing to bet that if you generated ten different valid 8 digit codes, and made a note of the numbers, you could use any of these numbers (once) in any order (and at any time) and the on-line banking system would allow you to log in.

 

The above is based on how the system works – in that the card reader randomly generates a valid number using the algorithm, which your bank’s computer system is able to confirm that it is one of the valid numbers.  The bank’s computer system has no way of knowing when you generated/obtained the valid number(s) from the card reader.

I wonder if the time and/or date forms part of the algorithm. Not in time and date form, but eg March 26th could be 9

It could be there is a starting number unique to the person, device or card and a different calculation is carried out on that number each time a generated code is required.
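A counter-based scheme of the kind the later answers guess at, as an added example that is not part of any post in this thread and is not the algorithm real bank card readers use. It substitutes HOTP (RFC 4226) for the card's maths; the `Card` and `Bank` classes, the secret, the PIN and the look-ahead window of 10 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def card_code(secret: bytes, counter: int, digits: int = 8) -> str:
    """HOTP (RFC 4226) stand-in for the card's maths: HMAC the counter, truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Card:
    """Hypothetical chip: keeps the secret, checks the PIN, counts each code."""
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self._counter = secret, pin, 0
    def generate(self, pin: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN, no code generated")
        self._counter += 1  # no clock needed: the card only counts
        return card_code(self._secret, self._counter)

class Bank:
    """Hypothetical verifier: same secret, remembers the last counter accepted."""
    def __init__(self, secret: bytes, window: int = 10):
        self._secret, self._window, self._last = secret, window, 0
    def verify(self, code: str) -> bool:
        # Look forward only: unused codes are tolerated, used or skipped ones are dead.
        for c in range(self._last + 1, self._last + 1 + self._window):
            if hmac.compare_digest(card_code(self._secret, c), code):
                self._last = c
                return True
        return False

def thread_experiment() -> list:
    """Replays the test from the thread: use codes 1, 2, 3, then code 1 again."""
    secret = b"constructed-demo-secret"  # constructed sample value
    card, bank = Card(secret, "1234"), Bank(secret)
    codes = [card.generate("1234") for _ in range(3)]
    return [bank.verify(c) for c in codes + codes[:1]]

def out_of_order() -> list:
    """Generate two codes, submit the later one first, then the earlier one."""
    secret = b"constructed-demo-secret"  # constructed sample value
    card, bank = Card(secret, "1234"), Bank(secret)
    first, second = card.generate("1234"), card.generate("1234")
    return [bank.verify(second), bank.verify(first)]

if __name__ == "__main__":
    print(thread_experiment(), out_of_order())
```

In this model the three codes are accepted in order and the reused first code is rejected, matching the test reported above; a code skipped over by a later one is also rejected, which is a property of this sketch and not something the thread establishes about any bank.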

 
