→Mobile TAN (mTAN): Added Malaysia
RandFreeman (talk | contribs): Changing short description from "Type of one time password" to "One-time password used in banking"
(6 intermediate revisions by 5 users not shown)
Line 1:
{{Short description|One-time password used in banking}}
{{Other uses|TAN (disambiguation){{!}}Tan}}
A '''transaction authentication number''' ('''TAN''') is used by some [[online banking]] services as a form of ''single use'' [[one-time password]]s (OTPs) to authorize [[financial transaction]]s. TANs are a second layer of security above and beyond the traditional single-password [[Authentication protocol|authentication]].
Line 4 ⟶ 6:
==Classic TAN==
TANs often function as follows:
# The bank creates a set of unique TANs for the user.<ref>{{Cite web |title=Transaction Authentication Number (TAN) |url=https://fraud.net/d/transaction-authentication-number/ |access-date=2023-12-14 |website=Fraud.net |language=en-US}}</ref> Typically, 50 TANs are printed on a list, enough to last half a year for a normal user, with each TAN being six or eight characters long.
# The user picks up the list from the nearest bank branch (presenting a [[passport]], an [[ID card]] or similar document) or is sent the TAN list through mail.
# The password (PIN) is mailed separately.
Line 15:
# If the TAN list is compromised, the user may cancel it by notifying the bank.
However, as any TAN can be used for any transaction, TANs are still prone to [[phishing attacks]] where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against [[man-in-the-middle attack]]s,
== Indexed TAN (iTAN) ==
Line 55 ⟶ 54:
ChipTAN is a TAN scheme used by many German and Austrian banks.<ref>[https://www.postbank.de/privatkunden/services/banking-und-brokerage/chiptan.html Postbank chipTAN] official page of Postbank, Retrieved on April 10, 2014.</ref><ref>[http://www.sparkasse.de/privatkunden/sicherheit-im-internet/chipTAN.html chipTAN: Listen werden überflüssig] official page of Sparkasse, Retrieved on April 10, 2014.</ref><ref>[http://www.raiffeisen.at/cardtan Die cardTAN] official page of Raiffeisen Bankengruppe Österreich, Retrieved on April 10, 2014.</ref> It is known as ChipTAN or Sm@rt-TAN<ref>{{Cite web|url=https://www.vr-banking-app.de/smart-tan.html|title=Sm@rt-TAN|website=www.vr-banking-app.de|language=de|access-date=2018-10-10}}</ref> in Germany and as CardTAN in Austria, whereas cardTAN is a technically independent standard.<ref>[http://ebankingsicherheit.at/die-neue-cardtan Die neue cardTAN] ebankingsicherheit.at, Gemalto N.V., Retrieved on October 22, 2014.</ref>
A ChipTAN generator is not tied to a particular account; instead, the user must insert their [[bank card]] during use. The TAN generated is specific to the bank card as well as to the current transaction details. There are two variants: In the older variant, the transaction details (at least amount and account number) must be entered manually. {{anchor|Flicker code}}In the modern variant, the user enters the transaction online, then the TAN generator reads the transaction details via a flickering [[barcode]] on the computer screen (using [[photodetector]]s). It then shows the transaction details on its own screen to the user for confirmation before generating the TAN.
As it is independent hardware, coupled to the computer only by a simple communication channel, the TAN generator is not susceptible to attack from the user's computer. Even if the computer is subverted by a [[Trojan horse (computing)|Trojan]], or a [[man-in-the-middle attack]] occurs, the TAN generated is valid only for the transaction the user confirmed on the screen of the TAN generator, so any retroactive modification of the transaction invalidates the TAN.
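As an added illustration (not part of the article and not any bank's implementation), the following Python contrasts a classic list TAN, which authorizes any transaction, with a ChipTAN-style TAN bound to the card and to the confirmed transaction details, showing why a transaction altered after the TAN was generated no longer verifies. The HMAC construction, the card key and the per-transaction counter are assumptions standing in for the real scheme.

```python
import hmac
import hashlib
import secrets


class ClassicTanList:
    """Constructed model of a printed TAN list: any unused TAN authorizes any transaction."""

    def __init__(self, count=50, digits=6):
        self.unused = {f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)}

    def verify(self, tan, amount, account):
        # The transaction details play no role: a phished TAN works for anything.
        if tan in self.unused:
            self.unused.remove(tan)
            return True
        return False


def transaction_tan(card_secret: bytes, amount: str, account: str, counter: int, digits=6) -> str:
    """ChipTAN-style derivation (assumed construction): the TAN depends on the card key
    and on the exact details the user confirmed on the generator's own screen.
    The counter is an assumed replay guard, not something the article describes."""
    message = f"{counter}|{amount}|{account}".encode()
    digest = hmac.new(card_secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10 ** digits).zfill(digits)


def bank_verify(card_secret: bytes, amount: str, account: str, counter: int, tan: str) -> bool:
    """The bank recomputes the TAN over the transaction it actually received."""
    expected = transaction_tan(card_secret, amount, account, counter)
    return hmac.compare_digest(expected, tan)


def demo():
    card_secret = b"constructed-card-key"  # stands in for the secret on the bank card
    # User confirms amount and payee on the generator; this is what the TAN covers.
    tan = transaction_tan(card_secret, "100.00", "ACCOUNT-LEGIT", counter=7)
    legit_ok = bank_verify(card_secret, "100.00", "ACCOUNT-LEGIT", 7, tan)
    # A Trojan or man-in-the-middle swaps the payee after the user confirmed it.
    tampered_ok = bank_verify(card_secret, "100.00", "ACCOUNT-OTHER", 7, tan)
    # Classic list: the same harvested TAN authorizes an arbitrary transaction.
    classic = ClassicTanList()
    phished_tan = next(iter(classic.unused))
    classic_ok = classic.verify(phished_tan, "9999.00", "ACCOUNT-OTHER")
    return legit_ok, tampered_ok, classic_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```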