Transaction authentication number
Encyclopedia
A Transaction authentication number, TAN or T.A.N. is used by some online banking
services as a form of single use one-time password
s to authorize financial transaction
s. TANs are a second layer of security above and beyond the traditional single-password authentication
.
TANs are believed to provide additional security because they act as a form of two-factor authentication
. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.
However, as any TAN can be used for any transaction, TANs are still prone to phishing attacks where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against man-in-the-middle attack
s where an attacker intercepts the transmission of the TAN and uses it for a forged transaction.
Especially when the client system should become compromised by some form of malware
that enables a malicious user
, the possibility of an unauthorized transaction is high. It should be noticed that the remaining TANs remain uncompromised and can be used safely, even though action should be taken by the user as soon as possible.
However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging in into a forged copy of the bank's website.
This variant of the iTAN is method used by some German banks adds a CAPTCHA
to reduce the risk of man-in-the-middle attacks. Some Chinese banks have also deployed a TAN method similar to iTANplus. A recent study shows that these CAPTCHA-based TAN schemes are not secure against more advanced automated attacks.
. The SMS may also include transaction data, allowing the user to verify that the transaction has not been modified in transmission to the bank.
However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM Swap Fraud. A common attack vector is for the attacker to impersonate
the victim, and obtain a replacement SIM card for the victim's phone from the mobile network operator
. The victim's user name and password are obtained by other means (such as keylogging or phishing
). In-between obtaining the cloned/replacement SIM and the victim noticing their phone no longer works, the attacker can transfer/extract the victim's funds from their accounts.
s that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smartcard inserted into the token.
However, this is mostly ineffective against phishing
attacks where the TAN is directly used by the attacker.
Online banking
Online banking allows customers to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society.-Features:...
services as a form of single use one-time password
One-time password
A one-time password is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable...
s to authorize financial transaction
Financial transaction
A financial transaction is an event or condition under the contract between a buyer and a seller to exchange an asset for payment. It involves a change in the status of the finances of two or more businesses or individuals.-History:...
s. TANs are a second layer of security above and beyond the traditional single-password authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
.
TANs are believed to provide additional security because they act as a form of two-factor authentication
Two-factor authentication
Two-factor authentication is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is a part of the broader family of multi-factor authentication, which is a defense in depth approach to security...
. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.
Classic TAN
An outline of how TANs function:- The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list, enough to last half a year for a normal user; each TAN being six or eight characters long.
- The user picks up the list from the nearest bank branch (presenting a passportPassportA passport is a document, issued by a national government, which certifies, for the purpose of international travel, the identity and nationality of its holder. The elements of identity are name, date of birth, sex, and place of birth....
, an ID card or similar document) or is sent the TAN list through mail. - The password (PIN) is mailed separately.
- To log on to his/her account, the user must enter user name (often the account number) and password (PIN). This may give access to account information but the ability to process transactions is disabled.
- To perform a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
- The TAN has now been consumed and will not be recognized for any further transactions.
- If the TAN list is compromised, the user may cancel it by notifying the bank.
However, as any TAN can be used for any transaction, TANs are still prone to phishing attacks where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against man-in-the-middle attack
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...
s where an attacker intercepts the transmission of the TAN and uses it for a forged transaction.
Especially when the client system should become compromised by some form of malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
that enables a malicious user
Hacker (computer security)
In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...
, the possibility of an unauthorized transaction is high. It should be noticed that the remaining TANs remain uncompromised and can be used safely, even though action should be taken by the user as soon as possible.
Indexed TAN (iTAN)
Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging in into a forged copy of the bank's website.
Indexed TAN with CAPTCHA (iTANplus)
Prior to entering the iTAN, the user is presented a CAPTCHA, which in the background also shows the transaction data and data deemed unknown to a potential attacker, such as the user's birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA.This variant of the iTAN is method used by some German banks adds a CAPTCHA
CAPTCHA
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person. The process usually involves one computer asking a user to complete a simple test which the computer is able to generate and grade...
to reduce the risk of man-in-the-middle attacks. Some Chinese banks have also deployed a TAN method similar to iTANplus. A recent study shows that these CAPTCHA-based TAN schemes are not secure against more advanced automated attacks.
Mobile TAN (mTAN)
mTANs are used by banks in Germany, Spain, Switzerland, Austria, Bulgaria, Poland, the Netherlands, Hungary, Russia and South Africa. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by SMSSMS
SMS is a form of text messaging communication on phones and mobile phones. The terms SMS or sms may also refer to:- Computer hardware :...
. The SMS may also include transaction data, allowing the user to verify that the transaction has not been modified in transmission to the bank.
However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM Swap Fraud. A common attack vector is for the attacker to impersonate
Identity theft
Identity theft is a form of stealing another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name...
the victim, and obtain a replacement SIM card for the victim's phone from the mobile network operator
Mobile network operator
A mobile network operator , also known as mobile phone operator , carrier service provider , wireless service provider, wireless carrier, or cellular company, or mobile network carrier is a telephone company that provides services for mobile phone subscribers.One essential...
. The victim's user name and password are obtained by other means (such as keylogging or phishing
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
). In-between obtaining the cloned/replacement SIM and the victim noticing their phone no longer works, the attacker can transfer/extract the victim's funds from their accounts.
ciTAN or ChipTAN
The Process of using a TAN-Generator to generat or receive a TAN for Bank Transaction.TAN generators
The risk of compromising the whole TAN list can be reduced by using security tokenSecurity token
A security token may be a physical device that an authorized user of computer services is given to ease authentication...
s that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smartcard inserted into the token.
However, this is mostly ineffective against phishing
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
attacks where the TAN is directly used by the attacker.