Transaction authentication number
A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.
TANs provide additional security because they act as a form of two-factor authentication. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.
An outline of how TANs function:
- The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list, enough to last half a year for a normal user; each TAN being six or eight characters long.
- The user picks up the list from the nearest bank branch (presenting a passport, an ID card or similar document) or is sent the TAN list through mail.
- The password (PIN) is mailed separately.
- To log on to his/her account, the user must enter user name (often the account number) and password (PIN). This may give access to account information but the ability to process transactions is disabled.
- To perform a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
- The TAN has now been consumed and will not be recognized for any further transactions.
- If the TAN list is compromised, the user may cancel it by notifying the bank.
However, as any TAN can be used for any transaction, TANs are still prone to phishing attacks where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against man-in-the-middle attacks where an attacker intercepts the transmission of the TAN and uses it for a forged transaction. Especially when the client system should become compromised by some form of malware that enables a malicious user, the possibility of an unauthorized transaction is high. It should be noticed that the remaining TANs remain uncompromised and can be used safely, even though action should be taken by the user as soon as possible.
Indexed TAN (iTAN)
Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.
However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging in into a forged copy of the bank's website and man-in-the-browser attacks which allow the attacker to secretly swap the transaction details in the background of the PC as well as to conceal the actual transactions carried out by the attacker in the online account overview.
Therefore in 2012 the European Union Agency for Network and Information Security advised all banks to consider the PC systems of their users being infected by malware by default and use security processes where the user can cross check the transaction data against manipulations like for example (provided the security of the mobile phone holds up) mTAN or smartcard readers with an own screen including the transaction data into the TAN generation process while displaying it beforehand to the user (chipTAN).
Indexed TAN with CAPTCHA (iTANplus)
Prior to entering the iTAN, the user is presented a CAPTCHA, which in the background also shows the transaction data and data deemed unknown to a potential attacker, such as the user's birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA.
This variant of the iTAN is method used by some German banks adds a CAPTCHA to reduce the risk of man-in-the-middle attacks. Some Chinese banks have also deployed a TAN method similar to iTANplus. A recent study shows that these CAPTCHA-based TAN schemes are not secure against more advanced automated attacks.
Mobile TAN (mTAN)
mTANs are used by banks in Austria, Bulgaria, Czech Republic, Germany, Hungary, the Netherlands, Poland, Russia, South Africa, Spain, Switzerland and some in New Zealand, Australia and Ukraine. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by SMS. The SMS may also include transaction data, allowing the user to verify that the transaction has not been modified in transmission to the bank.
However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM Swap Fraud. A common attack vector is for the attacker to impersonate the victim, and obtain a replacement SIM card for the victim's phone from the mobile network operator. The victim's user name and password are obtained by other means (such as keylogging or phishing). In-between obtaining the cloned/replacement SIM and the victim noticing their phone no longer works, the attacker can transfer/extract the victim's funds from their accounts.
pushTAN is an app-based TAN scheme by German Sparkassen banking group reducing some of the short-comings of the mTAN scheme. It eliminates the cost of SMS messages and is not susceptible to SIM card frauds, since the messages are send via a special text-messaging app to the user's smartphone using an encrypted internet connection. Just like mTAN the scheme allows the user to cross check the transaction details against hidden manipulations carried out by trojans on the user's PC by including the actual transaction details the bank received into the pushTAN message. Although analogous of using mTAN with a smartphone there is the risk of a parallel malware infection of PC and smartphone. To reduce this risk the pushTAN app ceases to function if the mobile device is rooted or jailbroken.
Simple TAN generators
The risk of compromising the whole TAN list can be reduced by using security tokens that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smartcard inserted into the token.
However, the TAN generated is not tied to the details of a specific transaction. Because the TAN is valid for any transaction submitted with it, it does not protect against phishing attacks where the TAN is directly used by the attacker, or against man-in-the-middle attacks.
chipTAN / cardTAN
A chipTAN generator is not tied to a particular account; instead, the user must insert their bank card during use. The TAN generated is specific to the bank card as well as to the current transaction details. There are two variants: In the older variant, the transaction details (at least amount and account number) must be entered manually. In the modern variant, the user enters the transaction online, then the TAN generator reads the transaction details via a flickering barcode on the computer screen (using a photodetector). It then shows the transaction details on its own screen to the user for confirmation before generating the TAN.
As it is independent hardware, coupled only by a simple communication channel, the TAN generator is not susceptible to attack from the user's computer. Even if the computer is subverted by a trojan, or if a man-in-the-middle attack occurs, the TAN generated is only valid for the transaction confirmed by the user on the screen of the TAN generator, therefore modifying a transaction retroactively would cause the TAN to be invalid.
An additional advantage of this scheme is that because the TAN generator is generic, requiring a card to be inserted, it can be used with multiple accounts across different banks, and losing the generator is not a security risk because the security-critical data is stored on the bank card.
Although because of the high security of the chipTAN scheme attackers started to use social engineering to persuade the users themselves to transfer money to the fraudsters on the ground of false claims (like the claim the bank would require a "test transfer" or the claim a company had falsely transferred money to the user's account and he should "send it back"). Users should therefore never perform bank transfers they have not initiated themselves.
photoTAN / CrontoSign
photoTAN (also called "CrontoSign") is a TAN scheme by Cronto Ltd., currently in use at German Commerzbank and Comdirect as well as Swiss Raiffeisen bank group which is available as smartphone app and as stand alone device. Unlike chipTAN the TAN is not generated on the device itself, but sent by the bank along with the transaction data the TAN is referring to as an encrypted message. It is transferred by a colorized QR code that is read via digital camera. The message key is user specific and has to be initialized the first time the system is used. Since the user can cross check the transaction details on a separate device the system is secured against man-in-the-middle attacks, provided the security of the smartphone or the stand alone reading device holds up.
The following password managers include specific support for managing TAN lists.
- Candid Wüest, Symantec Global Security Response Team Current Advances in Banking Trojans? iriss.ie, Irish Reporting and Information Security Service, December 2, 2012 (PDF; 1,9 MB)
- Katusha: LKA zerschlägt Ring von Online-Betrügern WinFuture.de, October 29, 2010
- “High Roller” online bank robberies reveal security gaps European Union Agency for Network and Information Security, July 5, 2012
- heise online (2007-10-26). "Verbessertes iTAN-Verfahren soll vor Manipulationen durch Trojaner schützen" (in German).
- Li, Shujun; Syed Amier Haider Shah, Muhammad Asad Usman Khan, Syed Ali Khayam, Ahmad-Reza Sadeghi and Roland Schmitz (2010). "Breaking e-Banking CAPTCHAs". Proceedings of 26th Annual Computer Security Applications Conference (ACSAC 2010). New York, NY, USA: ACM. pp. 171–180. doi:10.1145/1920261.1920288.
- Victim's SIM swop fraud nightmare iol.co.za, Independent Online, January 12, 2008
- Eurograbber SMS Trojan steals €36 million from online banks techworld.com, December 5, 2012
- Online-Banking mit pushTAN - FAQ berliner-sparkasse.de, Berliner Sparkasse (AöR), Retrieved on August 27, 2014.
- Postbank chipTAN comfort official page of Postbank, Retrieved on April 10, 2014.
- chipTAN: Listen werden überflüssig official page of Sparkasse, Retrieved on April 10, 2014.
- Die cardTAN official page of Raiffeisen Bankengruppe Österreich, Retrieved on April 10, 2014.
- Tatanga Attack Exposes chipTAN Weaknesses trusteer.com, September 4, 2012
- Commerzbank and Cronto launch photoTAN for Secure Online Banking Transactions cronto.com, Cronto Ltd., February 13, 2013
- Neu bei comdirect: photoTAN comdirect.de, Comdirect Bank Aktiengesellschaft, April 9, 2013
- Raiffeisen photoTAN raiffeisen.ch, Raiffeisen Schweiz Genossenschaft, Retrieved on April 23, 2014.
- CrontoSign Mobile App cronto.com, Cronto Ltd., Retrieved on April 23, 2014.
- CrontoSign Device cronto.com, Cronto Ltd., Retrieved on April 23, 2014.
- comdirect.de: Aktivierung photoTAN (PDF; 1,0 MB)
- Keypass documentation on TAN