A transaction authentication number, or TAN, is used by some online banking services as a form of single-use password to authorize financial transactions. TANs are a second layer of security above and beyond traditional single-password authentication.
An outline of how TANs function:
- The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list, each 8 characters long, which is enough to last half a year for a normal user.
- The user picks up the list from the nearest bank branch. The user must typically identify him/herself by presenting a passport, an ID card or a similar document.
- A few days later, the user receives a 5-digit password by mail at the user's home address. The user is requested to memorise the password, destroy the notice and keep the TAN list in a safe place near the PC.
- To log on to his/her account, the user must enter a user name and password. This may give access to account information, but the ability to process transactions is disabled.
- To perform a transaction, the user enters the request and "signs" the transaction by entering an unused TAN. The bank verifies the submitted TAN against the list of TANs it issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
- The TAN has now been consumed and will not be recognized for any further transactions.
- If the TAN list is compromised, the user may cancel it by notifying the bank.
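The sequence above, as an added Python model of the bank-side checks (not code from the original article or from any bank): the TAN alphabet, the 5-digit password, the `TanAccount` class and its return strings are constructed assumptions.

```python
import hmac
import secrets
import string

TAN_COUNT, TAN_LENGTH = 50, 8          # one printed list, as described above
ALPHABET = string.ascii_uppercase + string.digits  # assumed TAN alphabet

def issue_tan_list(count=TAN_COUNT, length=TAN_LENGTH):
    """Bank side: generate a fresh list of unique, randomly chosen TANs."""
    tans = set()
    while len(tans) < count:
        tans.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return sorted(tans)

class TanAccount:
    """Constructed model of the bank's checks: password for login, an unused
    TAN to sign each transaction, and cancellation of a compromised list."""

    def __init__(self, password, tan_list):
        self._password = password
        self._unused = set(tan_list)   # each TAN is recognised exactly once
        self._logged_in = False
        self._cancelled = False

    def login(self, password):
        # constant-time comparison so a wrong guess leaks nothing via timing
        self._logged_in = hmac.compare_digest(password, self._password)
        return self._logged_in

    def sign_transaction(self, tan):
        """Return 'accepted' only for a fresh TAN from a list still in force."""
        if not self._logged_in:
            return "rejected: not logged in"
        if self._cancelled:
            return "rejected: list cancelled"
        if tan not in self._unused:
            return "rejected: unknown or already used TAN"
        self._unused.discard(tan)      # consume it; a replay will now fail
        return "accepted"

    def cancel_list(self):
        """The user reports the list compromised; every remaining TAN is void."""
        self._cancelled = True
        self._unused.clear()

    def remaining(self):
        return len(self._unused)
```

Note that the password alone only reaches `login`; without a fresh TAN no transaction is accepted, and a replayed TAN is rejected because it was consumed on first use.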
In the Netherlands, customers of Postbank can have TAN codes sent by SMS. The advantage is that users only receive a TAN code when they are initiating a (real) transaction. Several banks in Hungary also send TAN codes by SMS.
TANs are believed to provide additional security because they act as a form of two-factor authentication. If the physical document containing the TANs is stolen, it is of little use without the password. Conversely, if a hacker cracks the user's password, they cannot process transactions without a TAN. This form of two-factor authentication wrongly assumed that it was unlikely for someone to gain illegal access to the TAN, the user's password and any additional login details at the same time.
A trojan named Trojan-Spy.Win32.Bancos.pw is circulating in the underground, changing the security landscape once again. This menace intercepts HTTPS traffic, obtaining user names, passwords and even TAN codes, which remain usable in the moments after they are stolen.
Recent research has shown that slightly over half of all identity theft is committed by an insider, often a family member. An insider would, of course, have greater access and opportunity to gain simultaneous access to both the TAN list and to the user's password. Two-factor authentication is generally an improvement over traditional single-factor authentication but it should not be mistaken for a panacea.