
S3rgeus t1_ix01ldq wrote

The card reader's job is to help you convince the bank that you really are the person who should have access to your account and that you're not a criminal trying to steal your money.

Imagine we have a conversation in person. I know you're you because I can see you and we know each other. I tell you that if I ever want to confirm it's you when we talk online, I'll ask you "What happens if I have this many apples?" and I'll give you a number. To convince me you're the same person who had this in-person conversation, you multiply the number I gave you by 3 and say "You'll end up with that many seeds."

A few weeks later, we're having a conversation online. I ask you "What happens if I have 6 apples?"

You say "You'll end up with 18 seeds." (because 6*3=18)

I now know you're the person I had that in-person conversation with. I know you're supposed to say 18, because we discussed what you should do with the number I have given you. A person who is posing as you would either not know how they were supposed to respond to the question, or, if they had a similar conversation with me before, they don't know what number I gave you specifically.

The banking thing is the same. The card reader is playing the role of the in-person conversation. The math is more complicated, but essentially when the bank gives you a number to confirm a transaction, the card reader does some operation on the number. The bank already knows what the answer is supposed to be. If you're able to give them the answer they expect, they know* you have the card reader you were given when you opened your account. The card reader just needs to do the predictable operation; it doesn't need to connect to anything to do that (the same way you can multiply by 3 without looking it up).


*Since the operation is predictable (and has to be, that's what lets the bank know what the answer should be), if someone else were to discover what the operation was and what numbers your card reader uses for the operation, they could pose as you. So the bank doesn't so much "know it's you", they really know "you're someone who can do the secret operation we gave you when you opened your account", which is pretty close, but not exactly the same.

2
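As an added illustration (not part of the comment above, and not the actual algorithm a real bank card reader runs), the exchange the commenter describes can be modelled in Python as a challenge-response protocol: a secret shared at enrolment stands in for the "multiply by 3" rule, the bank sends a fresh number, and the offline reader answers with a keyed function of it. The function names, the use of HMAC-SHA256, the 8-digit truncation and the choice to bind the transaction amount into the answer are all my assumptions for this example; the scenarios at the end walk through the genuine case, a replayed answer, another customer's reader, a tampered amount, and the asterisk case where the secret itself has been extracted.

```python
"""Toy challenge-response model of a bank card reader.

Added illustration only: this is not the commenter's code and not the real
EMV CAP/PINsentry algorithm. Function names and the MAC construction are
assumptions made for this example.
"""
import hashlib
import hmac
import secrets


def enroll() -> bytes:
    """Bank and card agree a 16-byte secret when the account is opened.

    This is the 'in-person conversation': the rule only the two parties know.
    (Assumption: a random symmetric key; real cards hold a chip-resident key.)
    """
    return secrets.token_bytes(16)


def bank_challenge() -> str:
    """Bank picks a fresh, unpredictable 8-digit number for this transaction.

    Freshness is the whole point: an answer to an old number is useless later.
    """
    return f"{secrets.randbelow(10**8):08d}"


def card_response(secret: bytes, challenge: str, amount: str = "") -> str:
    """What the offline reader computes: the 'multiply by 3' step.

    A keyed MAC over the challenge (and the amount being confirmed), truncated
    to 8 digits so a person can type it into the website. Needs no network,
    only the secret and the number the bank supplied.
    (Assumption: HMAC-SHA256 and 4-byte truncation; real readers differ.)
    """
    msg = f"{challenge}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(secret: bytes, challenge: str, amount: str, response: str) -> bool:
    """Bank recomputes the expected answer (it knows the secret too) and compares.

    compare_digest avoids leaking how many leading digits matched via timing.
    """
    expected = card_response(secret, challenge, amount)
    return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Walk through the cases the comment describes; returns outcome per case."""
    secret = enroll()
    challenge = bank_challenge()
    amount = "125.00"  # constructed transaction amount for the example
    genuine = card_response(secret, challenge, amount)

    results = {}
    # 1. The real customer answers the fresh challenge with their own reader.
    results["genuine"] = bank_verify(secret, challenge, amount, genuine)
    # 2. An eavesdropper saw a previous answer and replays it to a new challenge.
    results["replay_old_answer"] = bank_verify(secret, bank_challenge(), amount, genuine)
    # 3. Someone with a reader for a different account ("had a similar
    #    conversation with me before") answers this customer's challenge.
    other_reader = enroll()
    results["other_customers_reader"] = bank_verify(
        secret, challenge, amount, card_response(other_reader, challenge, amount)
    )
    # 4. Attacker keeps the genuine answer but changes the amount in transit.
    results["tampered_amount"] = bank_verify(secret, challenge, "9125.00", genuine)
    # 5. The asterisk: whoever extracts the secret and learns the operation can
    #    pose as the customer, because the bank only checks 'can do the operation'.
    stolen_secret = secret
    results["stolen_secret"] = bank_verify(
        secret, challenge, amount, card_response(stolen_secret, challenge, amount)
    )
    return results


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case:24s} accepted={accepted}")
```

Only the first and last scenarios are accepted by the bank. The last one is exactly the caveat in the footnote: the protocol proves possession of the secret and the ability to run the operation, not identity.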