m Dating maintenance tags: {{Mergeto}} {{Unreferenced section}}
m Task 18 (cosmetic): eval 7 templates: hyphenate params (3×); cvt lang vals (3×);
Line 30:
Prior to entering the iTAN, the user is presented with a [[CAPTCHA]] whose background also shows the transaction data together with data deemed unknown to a potential attacker, such as the user's birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA, since a man-in-the-middle would have to reproduce both the image and the personal data embedded in it.
This variant of the iTAN, a method used by some German banks, adds a [[CAPTCHA]] to reduce the risk of man-in-the-middle attacks.<ref>{{cite web|url=http://www.heise.de/newsticker/meldung/98025|title=Verbessertes iTAN-Verfahren soll vor Manipulationen durch Trojaner schützen|author=heise online|date=2007-10-26|language=
== Mobile TAN (mTAN) ==
Line 37:
However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM swap fraud. A common attack vector is for the attacker to [[Identity theft|impersonate]] the victim and obtain a replacement [[SIM card]] for the victim's phone number from the [[mobile network operator]]. The victim's user name and password are obtained by other means (such as [[keylogging]] or [[phishing]]). Between obtaining the replacement SIM and the victim noticing that their phone no longer works, the attacker receives the victim's TANs and can transfer the victim's funds out of their accounts.<ref>[http://www.iol.co.za/news/south-africa/victim-s-sim-swop-fraud-nightmare-1.385531 ''Victim's SIM swop fraud nightmare''] iol.co.za, Independent Online, January 12, 2008</ref> In 2016 a [https://theantisocialengineer.com/sim-swap-fraud-porting-your-digital-life-in-minutes/ study was conducted on SIM swap fraud] by a [[Social engineering (security)|social engineer]], revealing weaknesses in the procedures operators use to issue number ports.
In 2014, a weakness in the [[Signalling System No. 7]] used for SMS transmission was published, which allows interception of messages. It was demonstrated by Tobias Engel during the 31st [[Chaos Communication Congress]]<ref>{{cite web|title=31C3: Mobilfunk-Protokoll SS7 offen wie ein Scheunentor|url=https://www.heise.de/newsticker/meldung/31C3-Mobilfunk-Protokoll-SS7-offen-wie-ein-Scheunentor-2506892.html|date=2014-12-28|language=
{{cite web| url=https://www.heise.de/newsticker/meldung/Deutsche-Bankkonten-ueber-UMTS-Sicherheitsluecken-ausgeraeumt-3702194.html| title=Deutsche Bankkonten über UMTS-Sicherheitslücken ausgeräumt| author=Fabian A. Scherschel| date=2017-05-03|language=
The rise of [[smartphone]]s has also led to malware that tries to infect both the PC and the mobile phone at the same time in order to break the mTAN scheme: the PC component manipulates the transaction in the browser, while the phone component forwards or hides the SMS containing the TAN.<ref>[http://news.techworld.com/security/3415014/eurograbber-sms-trojan-steals-36-million-from-online-banks/ ''Eurograbber SMS Trojan steals €36 million from online banks''] techworld.com, December 5, 2012</ref>
Line 65:
While it offers protection from technical manipulation, the ChipTAN scheme is still vulnerable to [[social engineering (security)|social engineering]]. Attackers have tried to persuade the users themselves to authorize a transfer under a pretext, for example by claiming that the bank required a "test transfer" or that a company had falsely transferred money to the user's account and they should "send it back".<ref name="symantec"/><ref>[http://www.trusteer.com/blog/tatanga-attack-exposes-chiptan-weaknesses ''Tatanga Attack Exposes chipTAN Weaknesses''] trusteer.com, September 4, 2012</ref> Users should therefore never confirm bank transfers they have not initiated themselves.
ChipTAN is also used to secure batch transfers (''Sammelüberweisungen''). However, this method offers significantly less security than the one for individual transfers. For a batch transfer the TAN generator only shows the number of transfers and their total amount; it does not show the individual recipient accounts. A Trojan can therefore redirect individual items of the batch to other accounts without changing the count or the total that the user checks on the generator's display, so for batch transfers there is little protection from manipulation.<ref>{{cite web|title=chipTAN-Verfahren / Was wird im TAN-Generator angezeigt?|url=https://www.sparkasse-neckartal-odenwald.de/pdf/download/anzeige_tan_generator.pdf|publisher=Sparkasse Neckartal-Odenwald|
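The following Python model illustrates why the batch-transfer display is weaker than the single-transfer display. It is an added example, not code from the article or from any bank's chipTAN implementation: the generator is reduced to the data it shows the user (recipient and amount for a single transfer; count and total for a batch), the Trojan to a function that rewrites recipients in the browser, and the user to a comparison of what they intended with what the generator shows. The IBANs and amounts are constructed sample data, and the mode names are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    iban: str          # recipient account (synthetic values in the sample below)
    amount_cents: int  # amount in euro cents, to avoid floating point


def generator_display(transfers: list[Transfer], mode: str) -> tuple:
    """Data the TAN generator shows to the user, decoded from the bank's challenge.

    "single": each recipient and amount is displayed, so the user sees exactly
              what the bank is about to execute.
    "batch":  only the number of items and their total amount are displayed,
              as described for Sammelueberweisungen in the cited Sparkasse document.
    """
    if mode == "single":
        return tuple((t.iban, t.amount_cents) for t in transfers)
    if mode == "batch":
        return (len(transfers), sum(t.amount_cents for t in transfers))
    raise ValueError(f"unknown display mode: {mode}")


def trojan_redirect(transfers: list[Transfer], attacker_iban: str,
                    indices: list[int] | None = None) -> list[Transfer]:
    """Browser malware rewrites the recipient of the selected items (all items if
    indices is None) but leaves every amount untouched, so count and total are
    preserved. The bank then builds its challenge from this tampered batch."""
    targets = set(range(len(transfers))) if indices is None else set(indices)
    return [Transfer(attacker_iban, t.amount_cents) if i in targets else t
            for i, t in enumerate(transfers)]


def tampering_detected(intended: list[Transfer], mode: str,
                       attacker_iban: str = "DE00999999990000000009",
                       indices: list[int] | None = None) -> bool:
    """Simulate the user check: the TAN is only released if the generator's
    display matches what the user meant to send. Returns True if the redirect
    would be noticed before the TAN is entered."""
    submitted = trojan_redirect(intended, attacker_iban, indices)
    shown = generator_display(submitted, mode)
    expected = generator_display(intended, mode)
    return shown != expected


# Constructed sample batch: three payments to three different (synthetic) accounts.
SAMPLE_BATCH = [
    Transfer("DE00111111110000000001", 12_000),
    Transfer("DE00222222220000000002", 8_050),
    Transfer("DE00333333330000000003", 3_000),
]

if __name__ == "__main__":
    print("batch display:", generator_display(SAMPLE_BATCH, "batch"))
    print("single-transfer display catches redirect:",
          tampering_detected(SAMPLE_BATCH, "single"))
    print("batch display catches redirect of all items:",
          tampering_detected(SAMPLE_BATCH, "batch"))
    print("batch display catches redirect of one item:",
          tampering_detected(SAMPLE_BATCH, "batch", indices=[1]))
```

Run as a script, the batch display shows `(3, 23050)` both before and after the redirect, so the user has no way to notice that one or all recipients were replaced; the same redirect against the single-transfer display changes the IBAN shown on the generator and is caught. The lesson for scheme design is that only the data actually rendered on the trusted display is protected, so any field a Trojan can change without altering that display is unprotected.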
==See also==