I know it has been a year since I last posted, but here I am! It’s been a hectic year and I am sure 2020 has been a hectic year for you too, whoever is reading this post right now. Well, given the situation right now in the US, few months ago, I have decided to fly back to my home country, South Korea, to be with my family during these uncertain times. Ever since I started college, I have never stayed in Korea for more than two months. However, this time, it’s been almost 4 months staying in Korea consecutively, since I came here while my spring quarter was still in progress. There was no reason for me to stay in the states given that my school had gone entirely remote for that quarter.
Staying in Korea for this long, I’ve experienced and seen many new things. Perhaps some of those things were not new to me, but I simply didn’t pay attention to them before. Out of all the new things I’ve seen in Korea, one of the more intriguing things I saw was my mom’s OTP card.
So here’s a short story about how I came to encounter this maginificent piece of technology ( I will stop babbling after this. I promise :D ). One day, while I was at home, my mom called me and asked me to find a card that says “OTP” in her wallet. When I found the card I immidiately realized that this card was not just an ordinary card. It had a little button on the bottom corner and a small screen on the top just like the picture below. I was then told to press the button, and read the number that appeared in the small screen. When I pressed the button on the card, indeed some 7 digit number appeared on the screen. I asked her what she needed this number for, and she told me that she needs the number to access her bank account. That entire day, I couldn’t stop thinking about this damn card.
I’ll be honest, I am not the brightest guy in the world, if you didn’t figure that out already from my other posts. Because of this I had many dumb questions pop up in my head, such as, “If OTP means one-time password, how can a simple card keep generating some random password?”, “Is this card connected to some server? How does the bank know about this number if the number is a randomly generated?” and “Is this some kind of a sorcery?” I was baffled. I tried to figure things out on my own, but I knew it was a waste of time given my limited knowledge on technology. So I decided to do some research, and here’s what I found.
This particular card that my mom is using, was using the Time-based One-Time Password (TOTP). About every 20 seconds, when you press the button, the card would generate a new number. The card has an OTP chip inside, that uses a time based pseudo-random algorithm to generate a number that is shared with the bank’s remote server. The card is not connected to any server, let alone to the internet. That would be kind of weird, but cool. Bank’s server knows what number the card will generate based on the algorithm the chip is using. Apparently, to prevent situations where there might be a slight time differences between the card and the server, the server might allow about to one or two most recent keys generated.
So how does the card keep generating these numbers if there’s no way to charge it? Well, it turns out there’s a small battery embedded in the card that can last a few years before it runs out. When the card dies, you can simply get it replaced at your bank.
While I found this cool, it turns out that using the OTP hardware increases the frequency of payment failures, which could impact the banks overall revenue. Because of this, many banks in US prefer to send the OTP via SMS or email, eventhough that might introduce new potential security concerns.
This is all I’ve got for now, but I want to dig deeper into this. I would like to know what are some benefits you can get in terms of security and fraud prevention when you are using hardware based OTP instead of the alternative. It would also be interesting to learn more about how the OTP hardware actually works, and how these algorithms work to sychronize the cards and the server.
There are so much more to learn, but so little time. Sigh.
