A transaction authentication number (TAN) is used by some
online banking
Online banking, also known as internet banking, web banking or home banking, is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial inst ...
services as a form of ''single use''
one-time password
A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid seve ...
s (OTPs) to authorize
financial transactions. TANs are a second layer of security above and beyond the traditional single-password
authentication
Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
.
TANs provide additional security because they act as a form of ''two-factor authentication'' (2FA). If the physical document or token containing the TANs is stolen, it will be useless without the password. Conversely, if the login data are obtained, no transactions can be performed without a valid TAN.
Classic TAN
TANs often function as follows:
# The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list, enough to last half a year for a normal user; each TAN being six or eight characters long.
# The user picks up the list from the nearest bank branch (presenting a
passport
A passport is an official travel document issued by a government that contains a person's identity. A person with a passport can travel to and from foreign countries more easily and access consular assistance. A passport certifies the personal ...
, an
ID card or similar document) or is sent the TAN list through mail.
# The password (PIN) is mailed separately.
# To log on to their account, the user must enter user name (often the account number) and password (
PIN
A pin is a device used for fastening objects or material together.
Pin or PIN may also refer to:
Computers and technology
* Personal identification number (PIN), to access a secured system
** PIN pad, a PIN entry device
* PIN, a former Dutch ...
). This may give access to account information but the ability to process transactions is disabled.
# To perform a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
# The TAN has now been used and will not be recognized for any further transactions.
# If the TAN list is compromised, the user may cancel it by notifying the bank.
However, as any TAN can be used for any transaction, TANs are still prone to
phishing attacks
Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
s (where an attacker intercepts the transmission of the TAN, and uses it for a forged transaction).
Especially when the client system becomes compromised by some form of
malware that enables a
malicious user
A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge ...
, the possibility of an unauthorized transaction is high. Although the remaining TANs are uncompromised and can be used safely, users are generally advised to take an appropriate action, as soon as possible.
Indexed TAN (iTAN)
Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.
However, iTANs are still susceptible to
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
s, including phishing attacks where the attacker tricks the user into logging into a forged copy of the bank's website and
man-in-the-browser attacks[Candid Wüest, Symantec Global Security Response Tea]
''Current Advances in Banking Trojans?''
iriss.ie, Irish Reporting and Information Security Service, December 2, 2012 (PDF; 1,9 MB) which allow the attacker to secretly swap the transaction details in the background of the PC as well as to conceal the actual transactions carried out by the attacker in the online account overview.
Therefore, in 2012 the
European Union Agency for Network and Information Security
The European Union Agency for Cybersecurity – self-designation ENISA from the abbreviation of its original name – is an agency of the European Union. It is fully operational since September 1, 2005. The Agency is located in Athens, Greece an ...
advised all banks to consider the PC systems of their users being infected by
malware by default and use security processes where the user can cross-check the transaction data against manipulations like for example (provided the security of the mobile phone holds up)
mTAN A transaction authentication number (TAN) is used by some online banking services as a form of ''single use'' one-time passwords (OTPs) to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single ...
or smartcard readers with their own screen including the transaction data into the TAN generation process while displaying it beforehand to the user (
chipTAN A transaction authentication number (TAN) is used by some online banking services as a form of ''single use'' one-time passwords (OTPs) to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single ...
).
Indexed TAN with CAPTCHA (iTANplus)
Prior to entering the iTAN, the user is presented a
CAPTCHA
A CAPTCHA ( , a contrived acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge–response test used in computing to determine whether the user is human.
The term was coined in 2003 b ...
, which in the background also shows the transaction data and data deemed unknown to a potential attacker, such as the user's birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA.
This variant of the iTAN is method used by some German banks adds a
CAPTCHA
A CAPTCHA ( , a contrived acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge–response test used in computing to determine whether the user is human.
The term was coined in 2003 b ...
to reduce the risk of man-in-the-middle attacks. Some Chinese banks have also deployed a TAN method similar to iTANplus. A recent study shows that these CAPTCHA-based TAN schemes are not secure against more advanced automated attacks.
Mobile TAN (mTAN)
mTANs are used by banks in Austria, Bulgaria, Czech Republic, Germany, Hungary, the Netherlands, Poland, Russia, Singapore, South Africa, Spain, Switzerland and some in New Zealand, Australia and Ukraine. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by
SMS
Short Message/Messaging Service, commonly abbreviated as SMS, is a text messaging service component of most telephone, Internet and mobile device systems. It uses standardized communication protocols that let mobile devices exchange short text ...
. The SMS may also include transaction data, allowing the user to verify that the transaction has not been modified in transmission to the bank.
However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM Swap Fraud. A common attack vector is for the attacker to
impersonate
An impersonator is someone who imitates or copies the behavior or actions of another. There are many reasons for impersonating someone:
*Entertainment: An entertainer impersonates a celebrity, generally for entertainment, and makes fun of ...
the victim, and obtain a replacement
SIM card
A typical SIM card (mini-SIM with micro-SIM cutout)
A GSM mobile phone
file:Simkarte NFC SecureElement.jpg, T-Mobile nano-SIM card with NFC capabilities in the SIM tray of an iPhone 6s
file:Tf sim both sides.png, A TracFone Wireless SIM card ha ...
for the victim's phone from the
mobile network operator
A mobile network operator (MNO), also known as a wireless service provider, wireless carrier, cellular company, or mobile network carrier, is a provider of wireless communications services that owns or controls all the elements necessary to sell ...
. The victim's user name and password are obtained by other means (such as
keylogging
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored ...
or
phishing
Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
). In-between obtaining the cloned/replacement SIM and the victim noticing their phone no longer works, the attacker can transfer/extract the victim's funds from their accounts. In 2016
study was conducted on SIM Swap Fraudby a
social engineer, revealing weaknesses in issuing porting numbers.
In 2014, a weakness in the
Signalling System No. 7
Signalling System No. 7 (SS7) is a set of telephony signaling protocols developed in 1975, which is used to set up and tear down telephone calls in most parts of the world-wide public switched telephone network (PSTN). The protocol also perfo ...
used for SMS transmission was published, which allows interception of messages. It was demonstrated by Tobias Engel during the 31st
Chaos Communication Congress
The Chaos Communication Congress is an annual conference organized by the Chaos Computer Club. The congress features a variety of lectures and workshops on technical and political issues related to security, cryptography, privacy and online ...
. At the beginning of 2017, this weakness was used successfully in Germany to intercept SMS and fraudulently redirect fund transfers.
Also the rise of
smartphone
A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, whic ...
s led to malware attacks trying to simultaneously infect the PC and the mobile phone as well to break the mTAN scheme.
pushTAN
pushTAN is an
app-based TAN scheme by German Sparkassen banking group reducing some of the shortcomings of the
mTAN A transaction authentication number (TAN) is used by some online banking services as a form of ''single use'' one-time passwords (OTPs) to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single ...
scheme. It eliminates the cost of SMS messages and is not susceptible to SIM card fraud, since the messages are sent via a special text-messaging application to the user's smartphone using an encrypted Internet connection. Just like mTAN, the scheme allows the user to cross-check the transaction details against hidden manipulations carried out by
Trojans
Trojan or Trojans may refer to:
* Of or from the ancient city of Troy
* Trojan language, the language of the historical Trojans
Arts and entertainment Music
* '' Les Troyens'' ('The Trojans'), an opera by Berlioz, premiered part 1863, part 189 ...
on the user's PC by including the actual transaction details the bank received in the pushTAN message. Although analogous to using mTAN with a smartphone, there is the risk of a parallel malware infection of PC and smartphone. To reduce this risk the pushTAN app ceases to function if the mobile device is
rooted or jailbroken. In late 2014 the Deutsche Kreditbank (DKB) also adopted the pushTAN scheme.
TAN generators
Simple TAN generators
The risk of compromising the whole TAN list can be reduced by using
security token
A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples of security tokens inc ...
s that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smartcard inserted into the token.
However, the TAN generated is not tied to the details of a specific transaction. Because the TAN is valid for any transaction submitted with it, it does not protect against
phishing
Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...
attacks where the TAN is directly used by the attacker, or against
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
s.
ChipTAN / Sm@rt-TAN / CardTAN
ChipTAN is a TAN scheme used by many German and Austrian banks. It is known as ChipTAN or Sm@rt-TAN in Germany and as CardTAN in Austria, whereas cardTAN is a technically independent standard.
A ChipTAN generator is not tied to a particular account; instead, the user must insert their
bank card
A bank card is typically a plastic card issued by a bank to its clients that performs one or more of a number of services that relate to giving the client access to bank account.
Physically, a bank card will usually have the client's name, the ...
during use. The TAN generated is specific to the bank card as well as to the current transaction details. There are two variants: In the older variant, the transaction details (at least amount and account number) must be entered manually. In the modern variant, the user enters the transaction online, then the TAN generator reads the transaction details via a flickering
barcode
A barcode or bar code is a method of representing data in a visual, machine-readable form. Initially, barcodes represented data by varying the widths, spacings and sizes of parallel lines. These barcodes, now commonly referred to as linear or o ...
on the computer screen (using
photodetector
Photodetectors, also called photosensors, are sensors of light or other electromagnetic radiation. There is a wide variety of photodetectors which may be classified by mechanism of detection, such as Photoelectric effect, photoelectric or photoc ...
s). It then shows the transaction details on its own screen to the user for confirmation before generating the TAN.
As it is independent hardware, coupled only by a simple communication channel, the TAN generator is not susceptible to attack from the user's computer. Even if the computer is subverted by a
Trojan
Trojan or Trojans may refer to:
* Of or from the ancient city of Troy
* Trojan language, the language of the historical Trojans
Arts and entertainment Music
* ''Les Troyens'' ('The Trojans'), an opera by Berlioz, premiered part 1863, part 189 ...
, or if a
man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...
occurs, the TAN generated is only valid for the transaction confirmed by the user on the screen of the TAN generator, therefore modifying a transaction retroactively would cause the TAN to be invalid.
An additional advantage of this scheme is that because the TAN generator is generic, requiring a card to be inserted, it can be used with multiple accounts across different banks, and losing the generator is not a security risk because the security-critical data is stored on the bank card.
While it offers protection from technical manipulation, the ChipTAN scheme is still vulnerable to
social engineering. Attackers have tried to persuade the users themselves to authorize a transfer under a pretext, for example by claiming that the bank required a "test transfer" or that a company had falsely transferred money to the user's account and they should "send it back".
Users should therefore never confirm bank transfers they have not initiated themselves.
ChipTAN is also used to secure batch transfers (''Sammelüberweisungen''). However, this method offers significantly less security than the one for individual transfers. In case of a batch transfer the TAN generator will only show the number and total amount of all transfers combined – thus for batch transfers there is little protection from manipulation by a Trojan. This vulnerability was reported by RedTeam Pentesting in November 2009.
In response, as a mitigation, some banks changed their batch transfer handling so that batch transfers containing only a single record are treated as individual transfers.
See also
*
One-time password
A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid seve ...
*
Security token
A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples of security tokens inc ...
References
{{Commons category, Transaction authentication number
Online banking
Banking technology
Computer access control