End of the iTAN: New Security Methods for Online Banking – PC Magazine


Many bank customers still use the iTAN for transactions, but it will soon be over.

On September 14, 2019 at the latest, it is over for the printed TAN list, on which usually one to two hundred six-digit numbers wait to authorize a transfer or another process in online banking and are then used up.

In their early days, at the end of the last millennium, it was still possible to read any one of these TANs off the sheet and enter it. Unfortunately, that was all crooks needed: using phishing, they could collect any number of the digits in order to make a transfer. In the middle of the last decade, the now widespread indexed TAN list (iTAN) was introduced. From then on, a specific TAN was requested to release an operation.

Ingenious Culprits Outsmart the TAN List

But the criminals are creative too, and found new ways to get money from other people. Particularly dangerous is the man-in-the-middle attack. For example, bank customers are directed by spam mail to a fake website of their bank. There they supposedly log into their account and supposedly confirm their data via iTAN, for example so that their access is not restricted.

In fact, a cheater in between (the man in the middle) simultaneously accesses the victim's real account and performs a transaction there. The iTAN required for it is then requested on the fake page. The problem is that nowhere is it clear what the TAN entered there is really used for. The rude awakening for the victim usually comes only when the loss appears in the account overview.

Here lies the decisive security advantage of modern, electronic release procedures. With them, the TAN indicates which process is actually being carried out. If 3,000 euros are about to disappear to the Cayman Islands, the customer can see it and be careful. With the abolition of the iTAN, the EU takes this into account in the new Payment Services Directive 2 (PSD2). In addition, banks will also have to set up a second security factor for logging in to online banking.
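To make that difference concrete, here is an added example (not code from the article or from any bank) of the two bank-side checks in Python: a classic iTAN lookup that knows nothing about the transfer it releases, and a transaction-bound TAN, modelled here as an assumed HMAC over recipient, amount and issue time, that only fits one transfer and expires. The key, TAN list and account identifiers are constructed demo values.

```python
import hmac
import hashlib

# Constructed demo secret; a real issuer keeps this on the card chip or in an HSM.
DEVICE_KEY = b"demo-key-not-a-real-secret"

def itan_check(tan_list, index, entered):
    """Classic iTAN: the bank asks for list entry `index`. The check has no
    link to the transfer it releases, so a phished TAN releases anything."""
    return hmac.compare_digest(tan_list[index], entered)

def transaction_tan(key, recipient_iban, amount_cents, issued_at):
    """Transaction-bound TAN (assumed HMAC construction, 6 digits): recipient,
    amount and issue time are part of the input, so the TAN fits one transfer."""
    msg = f"{recipient_iban}|{amount_cents}|{issued_at}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bound_tan_check(key, recipient_iban, amount_cents, issued_at, entered, now, ttl=300):
    """Bank-side verification: expired TANs and TANs for other transfers fail."""
    if now - issued_at > ttl:
        return False
    expected = transaction_tan(key, recipient_iban, amount_cents, issued_at)
    return hmac.compare_digest(expected, entered)

def itan_reusable_by_mitm():
    """The victim types iTAN no. 42 into a fake page; the man in the middle
    submits the same value to the real bank for a completely different transfer."""
    tan_list = {i: f"{(i * 7919) % 1_000_000:06d}" for i in range(1, 101)}  # constructed list
    phished = tan_list[42]                    # value entered on the fake page
    return itan_check(tan_list, 42, phished)  # accepted for any transfer -> True

def bound_tan_transferable_by_mitm():
    """The customer approved 10 cents to the tax office (constructed IBANs).
    The same TAN is then presented for 3,000 euros to another account,
    for the genuine transfer, and for the genuine transfer after expiry."""
    t0 = 1_000_000
    legit_tan = transaction_tan(DEVICE_KEY, "DE00TAXOFFICE", 10, t0)
    reused = bound_tan_check(DEVICE_KEY, "DE00ATTACKER", 300_000, t0, legit_tan, t0 + 5)
    genuine = bound_tan_check(DEVICE_KEY, "DE00TAXOFFICE", 10, t0, legit_tan, t0 + 5)
    expired = bound_tan_check(DEVICE_KEY, "DE00TAXOFFICE", 10, t0, legit_tan, t0 + 600)
    return reused, genuine, expired  # (False, True, False)
```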

SMS-TAN: Better, But Not Good Enough

With the proliferation of mobile phones, the TAN via SMS (also mobileTAN, mTAN) became popular. Here, a TAN that is directly tied to the corresponding transaction and valid only for a limited time is sent by text message to a stored telephone number. The message additionally states which process is currently being carried out.

The problem is that today SMS are mostly received on smartphones. Unlike keypad phones without internet functionality, these are vulnerable to malware. A trojan, for example, can then forward the SMS with the TAN to a fraudster in the background.

In the past, attacks were also reported in which the criminals managed to obtain a second SIM for the registered telephone number.


The TAN via SMS is not optimal, but at least it shows the transaction data.

Then Just as an App

Tied not to the phone number but to the smartphone itself, and therefore safer than the TAN via SMS, is the appTAN (also pushTAN, VR-SecureGo / VR-SecureSIGN, TAN2go and others). The required app, which depends on the bank, must first be activated after installation; it then receives the TANs from the bank together with the transaction data. As a rule, the app must be unlocked to read them.

Postbank's BestSign app and ING's Banking-to-go app no longer use a TAN at all. There, the transaction data are displayed after unlocking and then confirmed directly with a button. BestSign can alternatively be carried out with an additional device that is connected to the PC or laptop via USB or Bluetooth.

ING also offers a procedure with a special accessory for photoTAN. This calculates the TAN when a colored dot graphic is scanned as a transaction is completed.

For other institutions that use photoTAN, such as Deutsche Bank, Commerzbank and comdirect, an app variant is available in addition to the reader; it reads the graphic with the smartphone camera. In the QR-TAN procedure of 1822direkt, a QR code is scanned and the TAN is calculated from it. But it is also possible to release transactions in the app.


In optical procedures such as photoTAN, a graphic is scanned by a reader or smartphone, which then calculates the TAN from it.

The Gold Standard

chipTAN (also called smartTAN) uses a special TAN generator with a keypad, into which the user also inserts the girocard. The special feature is that the TAN is generated on the chip of the card; the device serves only as an input and output medium. What is scanned is usually a flicker code, an animated bar graphic.

There are also variants with a QR code or a colored dot matrix; moreover, the data can be entered by hand. chipTAN is considered particularly safe. In general, all procedures that require a special accessory provide very high protection, because unlike smartphones the devices cannot be hijacked by hackers. However, the devices are less practical than apps and also cost money (see the table below).

Vincent Haupert, a security expert at the University of Erlangen-Nuremberg, nevertheless also sees app variants as sufficiently secure when the transaction is executed on a second device. "Criminals have a tough time, because they have to compromise two different devices for a successful attack," said the expert. He is critical of systems that allow both the transaction and the TAN to be created on the same device. For some banks this is possible, mostly on the smartphone: either two apps exchange data with each other, or everything is integrated into a single app.


The chipTAN procedure is very secure because it also requires the girocard to calculate the TAN.

Demonstratively Hijacked

To illustrate the problem, Haupert demonstrated at the CCC in 2015 an example of an attack on the combined app of the savings banks.


The banking app hacked by Vincent Haupert shows a transfer of 10 cents to the tax office. Only the transaction details later reveal that 13.37 euros actually went to him.

He emphasizes, however, that the procedures of other institutions are just as vulnerable, with variants using two independent apps offering somewhat better protection thanks to the security architectures of Android and iOS.

But no matter which method is used in online banking: attentive and security-conscious users are definitely at an advantage.

TAN Procedures of Individual Institutions

Financial institution | TAN procedures offered
1822direkt | QR-TAN, SMS-TAN (free)
(institution not named) | photoTAN (app or reader, 29.90 euro), SMS-TAN (9 cents each)
Deutsche Bank | photoTAN (app or reader, 14.90 euro), SMS-TAN (9 cents each)
(institution not named) | appTAN, chipTAN (device via specialist shops, from approx. 15 euro)
ING | appTAN, photoTAN (reader only, 32 euro), SMS-TAN (free)
Postbank | BestSign (app or reader, 29.90 euro)
Savings banks | chipTAN, appTAN, SMS-TAN (prices depend on the institution)
Cooperative banks | pushTAN, smartTAN (prices depend on the institution)


Original content at: www.pc-magazin.de/authors…
