A few days ago, I got the suggestion to protect a transaction with a PIN number. But how does that mechanism work? The term seems to be used for several different situations. The simplest one looks a bit like a password. On the client side, the user enters a PIN code. This PIN code is translated into another value, which is sent to the server. For the moment, one may think of multiplying the PIN code by the day number; this product is sent to the server. The server performs a similar calculation: it multiplies its stored PIN code by the day number. If the result equals the number it received, the PIN code is assumed to have been entered by the authorised user. After this verification, the user may proceed to the required transaction.
When the network traffic is monitored, the monitor reveals only the calculated code. Suppose the PIN code is multiplied by the day number and someone sees a number like 337518. For someone who monitors the network with the idea of hacking the protected site, such information is worthless. The hacker doesn't know the algorithm (multiplying the PIN code by the day number), so he can't know what PIN code to fill in. He might try to use the number 337518 as the PIN code, but his attempt will be rejected. From the traffic, he doesn't get the PIN code that he needs to use.
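
The exchange described above, as an added Python example (not code from the original post), next to a challenge-response variant with HMAC that is an assumption of this example and not something the post describes. PIN 1103 and day number 306 are constructed values whose product is the 337518 mentioned above; the demo also checks what the server does when the derived value itself is presented again, on the same day and on the next.

```python
import hashlib
import hmac
import secrets

STORED_PIN = 1103   # constructed sample PIN held by the server
DAY_NUMBER = 306    # constructed day number; 1103 * 306 == 337518

def client_code(pin: int, day: int) -> int:
    """The post's placeholder transform: PIN multiplied by the day number."""
    return pin * day

def server_accepts(received: int, day: int) -> bool:
    """Server repeats the calculation with its stored PIN and compares."""
    return received == client_code(STORED_PIN, day)

# Variant (assumption, not from the post): the server issues a fresh random
# challenge per transaction and both sides compute a keyed hash over it.
def new_challenge() -> bytes:
    return secrets.token_bytes(16)

def client_response(pin: int, challenge: bytes) -> bytes:
    return hmac.new(str(pin).encode(), challenge, hashlib.sha256).digest()

def server_accepts_response(response: bytes, challenge: bytes) -> bool:
    expected = client_response(STORED_PIN, challenge)
    return hmac.compare_digest(response, expected)  # constant-time compare

def demo() -> dict:
    observed = client_code(1103, DAY_NUMBER)  # the value visible on the wire
    c1, c2 = new_challenge(), new_challenge()
    r1 = client_response(1103, c1)
    return {
        "observed": observed,
        # Typing the observed number into the PIN field, as the post describes.
        "typed_as_pin_accepted": server_accepts(client_code(observed, DAY_NUMBER), DAY_NUMBER),
        # Presenting the observed number unchanged to the server.
        "resent_same_day_accepted": server_accepts(observed, DAY_NUMBER),
        "resent_next_day_accepted": server_accepts(observed, DAY_NUMBER + 1),
        # With a per-transaction challenge, an old response does not carry over.
        "hmac_fresh_accepted": server_accepts_response(r1, c1),
        "hmac_old_response_accepted": server_accepts_response(r1, c2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A short PIN remains guessable in either variant, so the server still needs attempt limits and the exchange belongs inside an encrypted channel such as TLS.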

By tom