Author Topic: Ideas about how OTPs for mobile refills are created?  (Read 850 times)

Offline 0poitr

Ideas about how OTPs for mobile refills are created?
« on: April 25, 2013, 11:54:18 pm »
Was wondering if the cellular companies, or whoever manufactures it for them, use a deterministic algorithm to generate the PINs. I don't have a large enough dataset yet to look for patterns programmatically. Though if there is a pattern, it should differ among providers (my guess).
Also, the PINs expire after a period (as printed on the paper tokens/recharge site). So, if the algorithm is deterministic, the codes should be re-used.
I'm just asking, does anybody have any idea how they are generated?
« Last Edit: April 25, 2013, 11:54:55 pm by 0poitr »
Imagination is the first step towards Creation.

Offline Kulverstukas

Re: Ideas about how OTPs for mobile refills are created?
« Reply #1 on: April 26, 2013, 05:13:13 pm »
This is a good question. I had the same question a few years ago, but did some research, but I can't really confirm what I had found. Anyway, I heard there was a case with selling mobile refills cheaper a very long time ago. Probably around the time when the mobiles were kicking off in here and mobile refills weren't such a hype. How people got the codes, that I don't know, but now I hear mobile phone companies use changing algos to generate the numbers.

And if you think about it, it's a logical solution against such fraud, but it gets expensive for the mobile companies to think of new algos every month, maybe every year, or half a year, so they probably use the same algo where a value can be changed to produce different results.

But if you think about it, when you buy a refill, at some places a doo-hickey generates you a number directly, meaning you don't buy pre-printed numbers... then how does that stuff get done? Either the machine gets updated each time an algo changes... or the algo doesn't change?

This is all interesting and I'd like to hear more... I was just brainstorming here :)

Offline 0poitr

Re: Ideas about how OTPs for mobile refills are created?
« Reply #2 on: April 26, 2013, 06:17:02 pm »
Either they save the PINs in a database and make it void when someone uses it up, or run some number crunching on the PIN to get something that's meaningful to the system.
I think rather than changing the algo, they might use (something like) a random seed to generate a lot and then another one for another lot. And besides, finding a new secure algo every month/year isn't quite practical.

Anyway, thanks a lot for sharing your thoughts, Kulver.
Looking forward to what others have to say.
Imagination is the first step towards Creation.

Offline Kulverstukas

Re: Ideas about how OTPs for mobile refills are created?
« Reply #3 on: April 26, 2013, 06:25:56 pm »
They most definitely have to keep a huge database with PINs, so that they cannot be used twice. If they would use the same algo for so many years, they would eventually run out of combos and the database would get too large to manage fast enough. I'd say the most practical solution would be to change a value in the algo from time to time, that way you can purge the DB and old records would be invalid since the algo doesn't match.

Offline Fur

Re: Ideas about how OTPs for mobile refills are created?
« Reply #4 on: April 26, 2013, 06:58:22 pm »
An algorithm would be too vulnerable to exploitation; one person leaking the algorithm would result in financial losses.

They probably securely generate the codes, hash them, then store them in a database.
On redeem, check if the voucher exists in the database. If so, top up by the amount of money they paid for it. Else return an error code indicating the voucher isn't valid.

I think Vodafone log when the voucher was redeemed, so that supports the database theory (I think that's the right word).
Most providers have a 3 month limit to redeem the serial.
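
The database approach described in Reply #4 (random codes, stored hashed, single-use with a redemption log and an expiry window), as an added Python example that is not part of the thread or any provider's code. The table layout, function names, the 16-digit PIN length and the use of a keyed HMAC instead of a plain hash are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

PEPPER = secrets.token_bytes(32)   # assumption: server-side key kept outside the DB
VALIDITY_SECONDS = 90 * 24 * 3600  # the roughly 3-month limit mentioned in the post
PIN_DIGITS = 16                    # assumption: PIN length is not given in the thread


def _digest(pin: str) -> str:
    # Keyed hash: a leaked table alone does not allow offline guessing of short PINs.
    return hmac.new(PEPPER, pin.encode(), hashlib.sha256).hexdigest()


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vouchers (digest TEXT PRIMARY KEY, amount INTEGER NOT NULL,"
               " expires_at INTEGER NOT NULL, redeemed_at INTEGER, redeemed_by TEXT)")
    return db


def issue(db, amount: int, now: int) -> str:
    # PIN comes from the OS CSPRNG, so there is no algorithm or seed to leak or predict.
    pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
    db.execute("INSERT INTO vouchers (digest, amount, expires_at) VALUES (?, ?, ?)",
               (_digest(pin), amount, now + VALIDITY_SECONDS))
    db.commit()
    return pin  # printed on the voucher; the plaintext is never stored


def redeem(db, pin: str, account: str, now: int) -> int:
    """Return the credited amount, or 0 if the PIN is unknown, expired or already used."""
    d = _digest(pin)
    # Single conditional UPDATE: two concurrent redemptions cannot both succeed.
    cur = db.execute("UPDATE vouchers SET redeemed_at = ?, redeemed_by = ?"
                     " WHERE digest = ? AND redeemed_at IS NULL AND expires_at > ?",
                     (now, account, d, now))
    db.commit()
    if cur.rowcount != 1:
        return 0
    return db.execute("SELECT amount FROM vouchers WHERE digest = ?", (d,)).fetchone()[0]
```

Because the redeemed rows stay in the table with `redeemed_at` and `redeemed_by` set, the same store doubles as the redemption log; expired rows can be purged on a schedule without changing how new PINs are generated.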