Transaction authentication number: Difference between revisions

key-lock concept
Since a single TAN can be compromised, some banks require a TAN both for logging in and for authorizing a set of transactions. For additional security, these TANs have to be non-sequential and retrieved in response to a security challenge. There have been cases of fraud where two consecutive TANs have been [[phishing|phished]] from a user. To protect against this, each TAN is associated with a "lock number" and randomly selected from a list. The bank server randomly selects a lock number as a challenge; the user then enters the corresponding TAN from the list. Because the order of the TANs is random, an attacker cannot acquire two consecutive TANs. Also, because each TAN is tied to a lock number, the attacker cannot simply pick a position on the list; the only option left is to guess lock numbers. In practice, the attacker would have to coax the user into writing down the whole list of lock numbers with their corresponding TANs, which is clearly implausible.
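A small bank-side model of the lock-number challenge described above, added here as an illustration rather than taken from the article or from any bank's implementation; the class name, the one-attempt-per-challenge rule, the failure counter and the attacker-probability helper are assumptions of this example.

```python
import secrets
import hmac


class KeyLockTanList:
    """Bank-side model of a key-lock TAN list (constructed example, not a real bank's code)."""

    def __init__(self, tans, lock_numbers=None, max_failures=3):
        # The printed list pairs each TAN with a lock number drawn at random,
        # so two entries that sit next to each other on the card are never
        # challenged in a predictable order.
        if lock_numbers is None:
            lock_numbers = list(range(1, len(tans) + 1))
            secrets.SystemRandom().shuffle(lock_numbers)
        self.table = dict(zip(lock_numbers, tans))  # lock number -> TAN
        self.used = set()          # each TAN is accepted once only
        self.pending = None        # lock number of the outstanding challenge
        self.failures = 0          # wrong answers, fed into lockout / alerting
        self.max_failures = max_failures

    def challenge(self):
        """Pick an unused lock number at random and send it as the challenge."""
        unused = [k for k in self.table if k not in self.used]
        if not unused or self.failures >= self.max_failures:
            raise RuntimeError("TAN list exhausted or account locked")
        self.pending = secrets.choice(unused)
        return self.pending

    def respond(self, tan):
        """Verify the TAN for the outstanding challenge; one attempt per challenge."""
        lock, self.pending = self.pending, None
        if lock is None:
            return False
        if hmac.compare_digest(self.table[lock], tan):
            self.used.add(lock)    # single use: a replayed TAN is rejected
            return True
        self.failures += 1
        return False


def attack_success_probability(tan_list, phished_locks):
    """Chance that one challenge hits a lock number the attacker already phished."""
    unused = [k for k in tan_list.table if k not in tan_list.used]
    hits = [k for k in phished_locks if k in unused]
    return len(hits) / len(unused)
```

With a list of 100 lock numbers and two phished pairs, the attacker's chance per challenge is 2 %, and each TAN stops working as soon as the legitimate user has spent it.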
 
==Overall security==
{{Unreferencedsection|date=January 2007}}
{{ Off-topic-other | identity theft }}
When the system itself is difficult to compromise, the weakest link is physical security. If the attacker can gain access to the password and the key-lock card, then the entire system is compromised.
 
Recent research has shown that slightly over half of all [[identity theft]] is committed by an insider, often a family member. An insider naturally has far more opportunity to obtain both the TAN list and the user's password at the same time. While key-lock TANs are an improvement over simple single-password methods, it is important to keep in mind that a system's security strength depends on multiple factors.