Transaction authentication number

As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.

[3] Therefore, in 2012 the European Union Agency for Network and Information Security advised all banks to assume by default that their users' PC systems are infected by malware, and to use security processes in which the user can cross-check the transaction data against manipulation, for example mTAN (provided the security of the mobile phone holds up) or smartcard readers with their own screen that include the transaction data in the TAN generation process and display it to the user beforehand (chipTAN).

This variant of the iTAN method, used by some German banks, adds a CAPTCHA to reduce the risk of man-in-the-middle attacks.

A recent study shows that these CAPTCHA-based TAN schemes are not secure against more advanced automated attacks.

[6] mTANs are used by banks in Austria, Bulgaria, Czech Republic, Germany, Hungary, Malaysia, the Netherlands, Poland, Russia, Singapore, South Africa, Spain, Switzerland and some in New Zealand, Australia, UK, and Ukraine.

In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM Swap Fraud.

[7] In 2016 a study was conducted on SIM Swap Fraud by a social engineer, revealing weaknesses in issuing porting numbers.

[8] At the beginning of 2017, this weakness was used successfully in Germany to intercept SMS and fraudulently redirect fund transfers.

[9] The rise of smartphones also led to malware attacks that try to infect the PC and the mobile phone simultaneously in order to break the mTAN scheme.

To reduce this risk, the pushTAN app ceases to function if the mobile device is rooted or jailbroken.

As it is independent hardware, coupled only by a simple communication channel, the TAN generator is not susceptible to attack from the user's computer.
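The sketch below is an added example, not the chipTAN specification or any bank's code: it shows why including the transaction data in the TAN generation and displaying it on the generator's own screen defeats manipulation on the user's computer. The HMAC-SHA256 derivation, the 6-digit truncation, the per-card key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def compute_tan(card_key: bytes, nonce: str, iban: str, amount_cents: int) -> str:
    """6-digit TAN bound to the transaction data (HMAC-SHA256 is an assumed stand-in)."""
    msg = f"{nonce}|{iban}|{amount_cents}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bank_challenge(iban: str, amount_cents: int) -> dict:
    """Bank side: challenge built from the order exactly as the bank received it."""
    return {"nonce": secrets.token_hex(8), "iban": iban, "amount_cents": amount_cents}

def generator(card_key: bytes, challenge: dict) -> tuple[str, str]:
    """TAN generator: shows the data on its own screen, then derives the TAN from it."""
    shown = f"{challenge['iban']} {challenge['amount_cents'] / 100:.2f} EUR"
    tan = compute_tan(card_key, challenge["nonce"], challenge["iban"],
                      challenge["amount_cents"])
    return shown, tan

def bank_verify(card_key: bytes, challenge: dict, tan: str) -> bool:
    """Bank side: recompute the TAN over the order it is about to book."""
    expected = compute_tan(card_key, challenge["nonce"], challenge["iban"],
                           challenge["amount_cents"])
    return hmac.compare_digest(expected, tan)

def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed per-card secret
    intended = ("DE00EXAMPLE0001", 1250)   # constructed order the user entered
    altered = ("DE00EXAMPLE9999", 900000)  # constructed order after manipulation on the PC

    # 1. Unmodified order: the display matches the user's intent and the TAN verifies.
    ch = bank_challenge(*intended)
    shown, tan = generator(key, ch)
    honest = bank_verify(key, ch, tan)

    # 2. The bank received the altered order: the generator's own screen shows
    #    the altered data, so the user can refuse to enter the TAN.
    ch_alt = bank_challenge(*altered)
    shown_alt, _ = generator(key, ch_alt)

    # 3. The generator was fed the intended data while the bank holds the
    #    altered order: the resulting TAN does not verify for that order.
    _, tan_other = generator(key, dict(ch_alt, iban=intended[0], amount_cents=intended[1]))
    return {"honest_verifies": honest,
            "user_sees_mismatch": shown_alt != shown,
            "mismatched_tan_rejected": not bank_verify(key, ch_alt, tan_other)}

if __name__ == "__main__":
    print(demo())
```

The protection in case 2 depends on the user actually comparing the generator's display with the intended transfer before entering the TAN.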

ChipTAN generator (optical version) with bank card attached. The two white arrows mark the borders of the barcode on the computer screen.