Content deleted Content added
→Mobile TAN (mTAN): update |
RandFreeman (talk | contribs) Changing short description from "Type of one time password" to "One-time password used in banking" |
||
| (7 intermediate revisions by 6 users not shown) | |||
Line 1:
{{Short description|One-time password used in banking}}
{{Other uses|TAN (disambiguation){{!}}Tan}}
A '''transaction authentication number''' ('''TAN''') is used by some [[online banking]] services as a form of ''single use'' [[one-time password]]s (OTPs) to authorize [[financial transaction]]s. TANs are a second layer of security above and beyond the traditional single-password [[Authentication protocol|authentication]].
Line 4 ⟶ 6:
==Classic TAN==
TANs often function as follows:
# The bank creates a set of unique TANs for the user.<ref>{{Cite web |title=Transaction Authentication Number (TAN) |url=https://fraud.net/d/transaction-authentication-number/ |access-date=2023-12-14 |website=Fraud.net |language=en-US}}</ref> Typically, there are 50 TANs printed on a list, enough to last half a year for a normal user; each TAN being six or eight characters long.
# The user picks up the list from the nearest bank branch (presenting a [[passport]], an [[ID card]] or similar document) or is sent the TAN list through mail.
# The password (PIN) is mailed separately.
Line 15:
# If the TAN list is compromised, the user may cancel it by notifying the bank.
However, as any TAN can be used for any transaction, TANs are still prone to [[phishing attacks]] where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against [[man-in-the-middle attack]]s,
== Indexed TAN (iTAN) ==
Line 31 ⟶ 30:
== Mobile TAN (mTAN) ==
mTANs are used by banks in Austria, Bulgaria, Czech Republic, Germany, Hungary, Malaysia, the Netherlands, Poland, Russia, Singapore, South Africa, Spain, Switzerland and some in New Zealand, Australia, UK, and Ukraine. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by [[SMS]]. The SMS may also include transaction data, allowing the user to verify that the transaction has not been modified in transmission to the bank.
However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM Swap Fraud. A common attack vector is for the attacker to [[Identity theft|impersonate]] the victim, and obtain a replacement [[SIM card]] for the victim's phone from the [[mobile network operator]]. The victim's user name and password are obtained by other means (such as [[keylogging]] or [[phishing]]). In-between obtaining the cloned/replacement SIM and the victim noticing their phone no longer works, the attacker can transfer/extract the victim's funds from their accounts.<ref>[http://www.iol.co.za/news/south-africa/victim-s-sim-swop-fraud-nightmare-1.385531 ''Victim's SIM swop fraud nightmare''] iol.co.za, Independent Online, January 12, 2008</ref> In 2016 a [https://theantisocialengineer.com/sim-swap-fraud-porting-your-digital-life-in-minutes/ study was conducted on SIM Swap Fraud] by a [[Social engineering (security)|social engineer]], revealing weaknesses in issuing porting numbers.
Line 55 ⟶ 54:
ChipTAN is a TAN scheme used by many German and Austrian banks.<ref>[https://www.postbank.de/privatkunden/services/banking-und-brokerage/chiptan.html Postbank chipTAN] official page of Postbank, Retrieved on April 10, 2014.</ref><ref>[http://www.sparkasse.de/privatkunden/sicherheit-im-internet/chipTAN.html chipTAN: Listen werden überflüssig] official page of Sparkasse, Retrieved on April 10, 2014.</ref><ref>[http://www.raiffeisen.at/cardtan Die cardTAN] official page of Raiffeisen Bankengruppe Österreich, Retrieved on April 10, 2014.</ref> It is known as ChipTAN or Sm@rt-TAN<ref>{{Cite web|url=https://www.vr-banking-app.de/smart-tan.html|title=Sm@rt-TAN|website=www.vr-banking-app.de|language=de|access-date=2018-10-10}}</ref> in Germany and as CardTAN in Austria, whereas cardTAN is a technically independent standard.<ref>[http://ebankingsicherheit.at/die-neue-cardtan Die neue cardTAN] ebankingsicherheit.at, Gemalto N.V., Retrieved on October 22, 2014.</ref>
A ChipTAN generator is not tied to a particular account; instead, the user must insert their [[bank card]] during use. The TAN generated is specific to the bank card as well as to the current transaction details. There are two variants: In the older variant, the transaction details (at least amount and account number) must be entered manually. {{anchor|Flicker code}}In the modern variant, the user enters the transaction online, then the TAN generator reads the transaction details via a flickering [[barcode]] on the computer screen (using [[photodetector]]s). It then shows the transaction details on its own screen to the user for confirmation before generating the TAN.
As it is independent hardware, coupled only by a simple communication channel, the TAN generator is not susceptible to attack from the user's computer. Even if the computer is subverted by a [[Trojan horse (computing)|Trojan]], or if a [[man-in-the-middle attack]] occurs, the TAN generated is only valid for the transaction confirmed by the user on the screen of the TAN generator, therefore modifying a transaction retroactively would cause the TAN to be invalid.
| |||