From what I have seen on the internet, people really don't know how a Banking Token works, so I will provide a simple explanation. I hope it helps; if you have any questions, comment on this page and we will try to resolve them.
The Token is a device created to generate numeric passwords that allow access within a specific time interval.
In general, this interval is 30 to 60 seconds. Most Tokens today work with 36 seconds.
Each Token is identified by a serial number, usually written on it or on a sticker. Knowing the serial number is essential, as it was assigned on the assembly line and cannot be replaced.
Let's do a practical experiment.
Token (Serial number 36-107898-1)
The Token has an internal clock (the battery lasts on average 5 (five) years). This clock counts second by second, but the calculations take into account the exact value within a determined time, usually 30 seconds.
Let's look at a simulation.
The Token takes a unit of time (hour, minute, second), performs a calculation that involves a unique internal code, and the result is the password that appears on the display.
| Time | Token Internal Code/Key | Password Result |
| 1st day 15:01:05 |
36-107898-1 |
678420 |
| 1st day 15:01:57 |
36-107898-1 |
787654 |
| 1st day 15:01:57 | 36-107898-1 | 098653 |
| 1st day 15:01:57 | 36-107898-1 | 124232 |
Every 30 seconds, if you press the Token button, it takes a unique internal key (here we used the serial number, but it can be any value stored in it and in the bank's database), performs a CALCULATION along with the time and day, thus producing a new number every time.
And how does the Bank know what my password will be?
It happens that at the moment you activated your Token, the Bank employee, whether in person or by phone, registered this 'unique number' in the system, so it became linked to your account.
Thus, when the Bank asks you to generate a password, it already possesses the unique number, so an identical calculation is performed. Generally, the bank's computer takes into account a range of 90 seconds to avoid problems with possible delays.
When you identify yourself at the Bank (branch, password, username, and access password), the bank generates a password within the range of possibility:
329879 (for the 23rd day 16:07:01)
765902 (for the 23rd day 16:07:31)
093765 (for the 23rd day 16:08:09)
Then, at the opportune moment for you to enter a password: You type: 765902, the bank identifies that it is a valid password for that period and allows your access.
As a rule:
If Token password EQUALS Bank password -> Access granted,
If Token password DIFFERENT from Bank password -> Access denied,
Very simple. Two calculations take place, one on the Token, another in the bank's internal program.
Token calculation = Bank calculation -> access granted; IF different, access denied.
What calculation is this?
There are many forms of calculation; today RSA is the most used. The devices known as SecurID generate different passwords at time intervals, a calculation only possible due to technology. We are talking about a calculator. (Curiosity) In March 2011, hackers managed to steal the calculation 'seed', which caused a lot of insecurity in this tool, but until it is surpassed by another, it will be understood as a technology.
Is it possible to discover the internal password through one or many results?
No.
It is a type of encryption that does not allow 'reversal'. So you have a password A, which when submitted to a calculation B results in C.
A -> B = C
However, the user can only see C, and even if they knew B, it is an algorithm that, so far, seems impossible to decode.
Examples:


In Brazil, BRToken offers several services; it is worth taking a look at the explanatory manual,
http://www.brtoken.com.br/catalogosPT2010/SafeSIGNATURE.pdf (The link has been modified, BrToken has been renamed to DataLink, see http://www.datablink.com/ )
See the patent instructions; this token offered by the company is capable of reading information from the computer screen (receives flashing light signals)
----------------------------------------

(See references at the end, and in the manual whose link is on this page)
The SafeSIGNATURE is much more than a simple common OTP (One-Time Password) token. It has an innovative methodology, capable of generating a time-based password (using the OATH-TOTP standard) and, additionally, a transaction signing feature, using proprietary technology to read and capture transaction information from a flashing image generated on a computer screen or projection.
SafeSIGNATURE "photographs" your operation, offering peace of mind and security.
The user follows the transaction step by step, whether in Internet Banking or e-Commerce, and finishes the operation with an authentication/signature.
Features:
- Only the token holder performs the transaction.
- The dynamic password (OTP) will only be used at the time of the transaction.
- If altered, the operation values will be detected, rejected, and invalidated.
- Total protection against attacks such as trojans, phishing, Man-in-the-Middle, and Man-in-the-Browser.
- Protection against blind transaction signing. The user sees and checks what they are transacting.
- National product, excellent cost-benefit, and local technical support.
- Screen data capture system, convenience and security for the client, as they will not have to type the transaction data again.
- Fully customizable in color and button (with client logo).
- Messages can be added to the display, which will appear automatically so the user can follow and know exactly what they are validating in the transaction.
Patents
pointSET™ U.S. Pat No. 6,466,145
INPI PI 0700657-8
----------------------------------------



