Comments

furstimus t1_iwzp2wy wrote

Do you mean the ones that generate a code for you to log into your online banking? They are done by having a secret key code which is stored in the device and known by your online banking. Online banking will allow you to enter a code into the device, the device will then do a sum including the code and secret key and return a new value which is your login.

10

nihizg t1_iwzr876 wrote

Have you ever used a 2FA code? It's a similar mechanism to that.

Essentially, both the bank and your card have a shared secret number - the bank sets this up when they issue you your card. You can think of it like a key that only the two of you have.

When you put your card into your card reader and enter your pin, you're asked to enter something like a confirmation code, like the account number you're trying to transfer money to. The card reader can then combine the secret number on the card with that confirmation code, which you then give to your online bank to give the output. The online bank can then check that output number - since it also has your secret number! But no one else without that secret number can perform that calculation!

The details of exactly how this works are a bit tricky, since cryptography gets mathy fast, and requires lots of other proofs of other useful properties, e.g. protecting against using the same output code twice, etc.

5

S3rgeus t1_ix01ldq wrote

The card reader's job is to help you convince the bank that you really are the person who should have access to your account and that you're not a criminal trying to steal your money.

Imagine we have a conversation in person. I know you're you because I can see you and we know each other. I tell you that if I ever want to confirm it's you when we talk online, I'll ask you "What happens if I have this many apples?" and I'll give you a number. To convince me you're the same person who had this in-person conversation, you multiply the number I gave you by 3 and say "You'll end up with that many seeds."

A few weeks later, we're having a conversation online. I ask you "What happens if I have 6 apples?"

You say "You'll end up with 18 seeds." (because 6*3=18)

I now know you're the person who I had that conversation in person with. I know you're supposed to say 18, because we discussed what you should do with the number I have given you. A person who is posing as you would either not know how they were supposed to respond to the question, or if they had a similar conversation with me before, they don't know what number I gave you specifically.

The banking thing is the same. The card reader is playing the role of the in person conversation. The math is more complicated, but essentially when the bank gives you a number to confirm a transaction, the card reader does some operation on the number. The bank already knows what the answer is supposed to be. If you're able to give them the answer they expect, they know* you have the card reader you were given when you opened your account. The card reader just needs to do the predictable operation, it doesn't need to connect to anything to do that (the same way you can multiply by 3 without looking it up).

*Since the operation is predictable (and has to be, that's what lets the bank know what the answer should be), if someone else were to discover what the operation was and what numbers your card reader uses for the operation, they could pose as you. So the bank doesn't so much "know it's you", they really know "you're someone who can do the secret operation we gave you when you opened your account", which is pretty close, but not exactly the same.

2
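The challenge-response idea described in the comments above, as an added example that is not part of any commenter's post. The secrets, the payee number, the counter scheme and the use of HMAC-SHA256 with HOTP-style truncation are assumptions chosen for illustration; real bank card readers use their own algorithms. The counter is what stops the same output code from being accepted twice.

```python
import hashlib
import hmac

def response_code(secret: bytes, challenge: str, counter: int, digits: int = 8) -> str:
    """Offline computation: mix secret, counter and challenge into a short code."""
    msg = counter.to_bytes(8, "big") + challenge.encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation (illustrative choice)
    num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(num % 10**digits).zfill(digits)

class CardReader:
    """Holds the shared secret; never talks to a network."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def sign(self, challenge: str) -> str:
        code = response_code(self.secret, challenge, self.counter)
        self.counter += 1  # every code is single-use
        return code

class Bank:
    """Holds the same secret and the next counter value it will accept."""
    def __init__(self, secret: bytes):
        self.secret, self.next_counter = secret, 0

    def verify(self, challenge: str, code: str, window: int = 3) -> bool:
        # A small look-ahead window tolerates codes generated but never submitted.
        for c in range(self.next_counter, self.next_counter + window):
            expected = response_code(self.secret, challenge, c)
            if hmac.compare_digest(expected, code):
                self.next_counter = c + 1  # older counters are now rejected
                return True
        return False

def demo() -> dict:
    secret = bytes(range(32))   # constructed shared secret
    other = bytes(range(1, 33)) # constructed secret of a different reader
    bank, reader = Bank(secret), CardReader(secret)
    payee = "12345678"          # constructed confirmation number
    code = reader.sign(payee)
    return {
        "genuine": bank.verify(payee, code),
        "replayed": bank.verify(payee, code),
        "wrong_payee": bank.verify("87654321", reader.sign(payee)),
        "wrong_secret": bank.verify(payee, CardReader(other).sign(payee)),
        "after_skipped_code": bank.verify(payee, reader.sign(payee)),
    }

if __name__ == "__main__":
    print(demo())
```
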

ice_cream_sandwiches t1_iwzieli wrote

What makes you think they're not connected to the Internet?

1

Beneficial-Car-3959 t1_iwzkqcn wrote

He is probably in a country where you can go to two ATMs that are near each other. He takes money from one ATM, then goes to the other ATM. The second ATM shows the original sum (like the money never left the first ATM).

ATMs are connected to the Internet, but in some countries the sync with the main database is slower (every 10/20 minutes).

−2

Smolenski t1_iwzm6k2 wrote

If not connected to the internet at some point, they queue up the transaction information so it's ready for when internet connection is established.

−2

Darkassassin07 t1_iwzlr4r wrote

....they are connected to the internet? Either via cellular data, local WiFi, or a LAN cable.

Technically there is a method of taking credit card payments (not debit, credit only) while temporarily offline, but the merchant doesn't receive any funds and no transaction is posted to the credit card holder until those offline transactions are submitted to the merchant's credit card processing service, processed, and approved.

This has more risk involved than online immediately validated transactions because it can't verify the funds are actually available at the time of the transaction so very few merchants or card processors will allow it.

The prevalence of chip+pin security has pushed all the manual card entry methods out the door in the name of security. Credit Card issuers/processors don't like dealing with fraud cases, so they don't allow customers to use their cards in ways that promote fraud.

−3