Transaction authentication number: Difference between revisions

A '''Transaction authentication number''' or '''TAN''' is used by some [[online banking]] services as a form of ''single use'' [[one-time password]]s to authorize [[financial transaction]]s. TANs are a second layer of security above and beyond the traditional single-password [[authentication]].
 
TANs are believed to provide additional security because they act as a form of [[two-factor authentication]]. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.
 
==Classic TAN==
An outline of how TANs function:
 
# The bank creates a set of unique TANs for the user. Typically, 50 TANs are printed on a list, each six or eight characters long, which is enough to last half a year for a normal user.
# The user picks up the list from the nearest bank branch, identifying himself or herself by presenting a [[passport]], an [[ID card]] or a similar document, or is sent the TAN list by post.
# A few days later, the user receives a five-digit password (PIN) by separate post to the home address. The user is asked to memorise the PIN, destroy the notice and keep the TAN list in a safe place near the PC.
# To log on to the account, the user enters a user name (often the account number) and the PIN. This may give access to account information, but the ability to process transactions is disabled.
# To perform a transaction, the user enters the request and authorizes it by entering an unused TAN. The bank checks the submitted TAN against the list it issued to the user; if it matches, the transaction is processed, otherwise it is rejected.
# The TAN has now been consumed and will not be recognized for any further transactions.
# If the TAN list is compromised, the user may cancel it by notifying the bank.
 
However, as any TAN can be used for any transaction, TANs are still prone to [[phishing]] attacks where the victim is tricked into providing both the password/PIN and one or several TANs. Further, they provide no protection against [[man-in-the-middle attack]]s where an attacker intercepts the transmission of the TAN and uses it for a forged transaction.

Especially when the client system is compromised by some form of [[malware]] that enables a [[Hacker (computer security)|malicious user]] to obtain both the login data and a TAN (in some systems, a TAN remains usable for some minutes after it is first entered), the possibility of an unauthorized transaction is high. The TANs that have not yet been entered remain unknown to the attacker, but they can hardly be used safely from the same compromised machine; the user should contact the bank as soon as possible.
 
== Indexed TAN (iTAN) ==
Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked for an arbitrary transaction number from the list but for the specific one identified by a sequence number (index). As the index is chosen at random by the bank, an arbitrary TAN acquired by an attacker is usually worthless.

However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging in to a forged copy of the bank's website and relays the bank's index challenge to the victim in real time.
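The two list schemes described above, as an added example that is not part of the original article or of any bank's system: a bank-side model of a classic TAN list, where any unused TAN authorizes any transaction, next to an indexed list, where only the position the bank asks for is accepted. The list format (50 six-digit TANs), the class and field names and the seeded random generator (used only so that the run is reproducible; an issuer would use the operating system's CSPRNG) are assumptions.

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set

LIST_SIZE = 50      # TANs per printed list (assumed, as in the outline above)
TAN_DIGITS = 6      # six-character numeric TANs (assumed)


def generate_tan_list(rng=None, size=LIST_SIZE, digits=TAN_DIGITS):
    """Bank side: build a printed list of `size` distinct numeric TANs.

    `rng` may be injected to make a run reproducible; the default is the
    OS CSPRNG, which is what an issuer must use (never `random.Random`)."""
    rng = rng or random.SystemRandom()
    tans, seen = [], set()
    while len(tans) < size:
        tan = "".join(str(rng.randrange(10)) for _ in range(digits))
        if tan not in seen:              # list positions must be distinct
            seen.add(tan)
            tans.append(tan)
    return tans


@dataclass
class Account:
    pin: str
    tans: List[str]                      # position i on paper is tans[i - 1]
    used: Set[str] = field(default_factory=set)
    challenge: Optional[int] = None      # outstanding iTAN position, 1-based


class ClassicTanBank:
    """Classic list: any unused TAN authorizes any transaction."""

    def __init__(self, account: Account):
        self.acct = account

    def login(self, pin: str) -> bool:
        # The PIN alone gives read-only access; no transaction without a TAN.
        return pin == self.acct.pin

    def transfer(self, pin: str, tan: str, amount: int, payee: str) -> bool:
        # Note that amount and payee play no part in the check: the TAN is
        # not bound to the transaction, which is what makes phishing work.
        if not self.login(pin):
            return False
        if tan not in self.acct.tans or tan in self.acct.used:
            return False
        self.acct.used.add(tan)          # consumed: never accepted again
        return True


class IndexedTanBank(ClassicTanBank):
    """iTAN: the bank names the list position it wants; only that TAN counts."""

    def __init__(self, account: Account, rng=None):
        super().__init__(account)
        self.rng = rng or random.SystemRandom()

    def start_transfer(self, pin: str, amount: int, payee: str) -> Optional[int]:
        """Returns the position the customer must look up, or None on bad PIN."""
        if not self.login(pin):
            return None
        unused = [i + 1 for i, t in enumerate(self.acct.tans)
                  if t not in self.acct.used]
        self.acct.challenge = self.rng.choice(unused)
        return self.acct.challenge

    def transfer(self, pin: str, tan: str, amount: int, payee: str) -> bool:
        position = self.acct.challenge
        self.acct.challenge = None       # one attempt per challenge, right or wrong
        if position is None or not self.login(pin):
            return False
        expected = self.acct.tans[position - 1]
        if tan != expected or tan in self.acct.used:
            return False
        self.acct.used.add(tan)
        return True


def demo():
    """Same phished TAN against both schemes; outcomes are fixed by construction."""
    rng = random.Random(2024)            # seeded only so the demo is reproducible
    pin = "12345"
    tans = generate_tan_list(rng)

    itan = IndexedTanBank(Account(pin, list(tans)), rng)
    position = itan.start_transfer(pin, 500, "attacker")
    # The phisher holds the PIN and one arbitrary TAN. It is taken here from
    # the position right after the challenged one, so it is never the one asked for.
    phished = tans[position % LIST_SIZE]
    itan_ok = itan.transfer(pin, phished, 500, "attacker")

    # The legitimate customer, who can read the whole list, succeeds.
    position = itan.start_transfer(pin, 80, "landlord")
    legit_ok = itan.transfer(pin, tans[position - 1], 80, "landlord")

    classic = ClassicTanBank(Account(pin, list(tans)))
    classic_ok = classic.transfer(pin, phished, 500, "attacker")
    replay_ok = classic.transfer(pin, phished, 500, "attacker")   # consumed TAN

    return {"itan_phished": itan_ok, "itan_legit": legit_ok,
            "classic_phished": classic_ok, "classic_replay": replay_ok}
```

`demo()` returns `{"itan_phished": False, "itan_legit": True, "classic_phished": True, "classic_replay": False}`: the same stolen TAN clears the classic check once and is then dead, while the indexed bank refuses it because it sits at the wrong position. The challenge is cleared on a failed attempt so an attacker cannot keep submitting guesses against one index.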
 
== Indexed TAN with CAPTCHA (iTANplus) ==
[[Image:ITANplus-Kontrollbild.png|thumb|right|CAPTCHA for iTANplus]]A variant of the iTAN method used by some German banks adds a [[CAPTCHA]] to reduce the risk of man-in-the-middle attacks.<ref>{{cite web|url=http://www.heise.de/newsticker/meldung/98025|title=Verbessertes iTAN-Verfahren soll vor Manipulationen durch Trojaner schützen|trans-title=Improved iTAN procedure is intended to protect against manipulation by trojans|author=heise online|date=2007-10-26|language=German}}</ref>
Before entering the iTAN, the user is shown a CAPTCHA whose background also displays the transaction data together with data deemed unknown to a potential attacker, such as the user's date of birth. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA and so to hide a manipulated transaction from the user.
 
== Key-lock query ==
Since a single TAN can be compromised, some banks require a TAN both for the login and to authorize a set of transactions. There have been cases of fraud where two consecutive TANs were [[phishing|phished]] from a user. To protect against this, each TAN on the list is associated with a "lock number", and the bank server randomly selects a lock number as a challenge; the user then enters the corresponding TAN from the list. Since the challenged positions are chosen at random, an attacker cannot obtain two consecutive TANs in advance, and because each TAN is tied to a lock number the attacker cannot simply use any position on the list. The only remaining options are to guess lock numbers or to coax the user into handing over the whole list together with its lock numbers, which is far less plausible.

== Mobile TAN (mTAN) ==
mTANs are used by banks in Germany and the Netherlands (Postbank offers them in both countries), in Hungary and in South Africa. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by [[SMS]], so the user only receives a TAN when a real transaction is pending. The SMS may also include the transaction data, allowing the user to verify that the transaction has not been modified on its way to the bank.
 
However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where [[SMS]]-delivered TAN codes are common, a new attack has appeared: SIM swap fraud. A common attack vector is for the attacker to [[Identity theft|impersonate]] the victim and obtain a replacement [[SIM card]] for the victim's phone number from the [[mobile network operator]]. The victim's user name and password are obtained by other means (such as [[keylogging]] or [[phishing]]). Between obtaining the replacement SIM and the victim noticing that their phone no longer works, the attacker can transfer the victim's funds out of their accounts.<ref>[http://www.iol.co.za/index.php?art_id=vn20080112083836189C511499 IOL: "Victim's SIM swap fraud nightmare"]</ref>
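The mTAN flow and the SIM-swap case, as an added example that is neither the article's nor any bank's code: the bank stores the transfer exactly as it received it, texts a TAN together with the payee and amount, and accepts that TAN only for that transfer and only within a time window; a stand-in mobile network delivers the text to whoever currently holds the number. The five-minute window, the SMS wording, the phone number, the account name and the payees are all constructed for the example.

```python
import hmac
import random
import re
from typing import Dict, List, Optional

TAN_TTL_SECONDS = 300      # assumed validity window for a delivered mTAN


class FakeSmsNetwork:
    """Constructed stand-in for the mobile network: an SMS is delivered to
    whoever currently holds the number, which is exactly what a SIM swap changes."""

    def __init__(self):
        self.holder: Dict[str, str] = {}          # number -> current holder
        self.inbox: Dict[str, List[str]] = {}     # holder -> received texts

    def register(self, number: str, holder: str) -> None:
        self.holder[number] = holder

    def send(self, number: str, text: str) -> None:
        self.inbox.setdefault(self.holder[number], []).append(text)


class MobileTanBank:
    def __init__(self, network: FakeSmsNetwork, rng=None):
        self.network = network
        self.rng = rng or random.SystemRandom()   # seedable only for the demo
        self.pending: Dict[str, dict] = {}        # account -> transfer awaiting its TAN

    def start_transfer(self, account: str, phone: str, payee: str,
                       amount: int, now: float) -> None:
        """Record the transfer exactly as the bank received it and text a fresh TAN.
        The SMS repeats payee and amount so the customer can spot a transfer that
        malware or a man-in-the-middle altered on its way to the bank."""
        tan = f"{self.rng.randrange(10 ** 6):06d}"
        self.pending[account] = {"tan": tan, "payee": payee, "amount": amount,
                                 "expires": now + TAN_TTL_SECONDS}
        self.network.send(phone, f"TAN {tan} for transfer of {amount} to {payee}")

    def confirm(self, account: str, payee: str, amount: int,
                tan: Optional[str], now: float) -> bool:
        entry = self.pending.pop(account, None)   # single attempt, single use
        if entry is None or tan is None or now > entry["expires"]:
            return False
        return (hmac.compare_digest(entry["tan"], tan)
                and entry["payee"] == payee and entry["amount"] == amount)


def read_tan_if_matching(inbox: List[str], payee: str, amount: int) -> Optional[str]:
    """What a careful recipient does: type the TAN only if the SMS names the
    transfer they actually intended; otherwise refuse and call the bank."""
    text = inbox[-1]
    if f"transfer of {amount} to {payee}" not in text:
        return None
    match = re.search(r"TAN (\d{6})", text)
    return match.group(1) if match else None


def demo():
    net = FakeSmsNetwork()
    phone, acct, now = "+27 82 000 0000", "acct-1", 1000.0   # constructed data
    net.register(phone, "customer")
    bank = MobileTanBank(net, rng=random.Random(7))
    out = {}

    # 1. Honest transfer: the SMS matches what the customer meant, TAN accepted.
    bank.start_transfer(acct, phone, "landlord", 500, now)
    tan = read_tan_if_matching(net.inbox["customer"], "landlord", 500)
    out["honest"] = bank.confirm(acct, "landlord", 500, tan, now + 30)

    # 2. Malware rewrote the order in transit: the bank saw "mule, 4999".
    #    The SMS shows that, so the customer refuses to enter the TAN.
    bank.start_transfer(acct, phone, "mule", 4999, now)
    tan = read_tan_if_matching(net.inbox["customer"], "landlord", 500)
    out["mitm"] = tan is not None and bank.confirm(acct, "mule", 4999, tan, now + 30)

    # 3. SIM swap: the attacker now receives the number's SMS and can confirm
    #    a transfer they submitted themselves with the phished login.
    net.register(phone, "attacker")
    bank.start_transfer(acct, phone, "mule", 4999, now)
    tan = read_tan_if_matching(net.inbox["attacker"], "mule", 4999)
    out["sim_swap"] = bank.confirm(acct, "mule", 4999, tan, now + 30)

    # 4. A correct TAN presented after its window has closed is refused.
    net.register(phone, "customer")
    bank.start_transfer(acct, phone, "landlord", 500, now)
    tan = read_tan_if_matching(net.inbox["customer"], "landlord", 500)
    out["expired"] = bank.confirm(acct, "landlord", 500, tan, now + TAN_TTL_SECONDS + 1)
    return out
```

`demo()` returns `{"honest": True, "mitm": False, "sim_swap": True, "expired": False}`. Binding the TAN to the stored transfer and echoing that transfer in the SMS is what defeats the in-transit modification; it does nothing against a SIM swap, because the bank has no way to tell who is holding the phone, which is the dependence on the mobile network described above.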
 
== TAN generators ==
The risk of compromising the whole TAN list can be reduced by using [[security token]]s that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smartcard inserted into the token.
 
However, unless the generated TAN is bound to the transaction data (for example by having the token compute it over the payee and amount), this is mostly ineffective against phishing and man-in-the-middle attacks where the freshly generated TAN is directly used by the attacker.
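An added example, not from the article or any token vendor, of the generator approach: an RFC 4226 HOTP token and the bank's verifier with a look-ahead window, followed by the relay problem this section warns of. The shared secret is the RFC 4226 sample key; the "bound" variant, which feeds payee and amount into the MAC input, is an illustration of tying the code to the transaction and not a description of any deployed product.

```python
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6, extra: bytes = b"") -> str:
    """RFC 4226 HOTP (HMAC-SHA1 plus dynamic truncation). With `extra` empty
    this is standard HOTP; appending transaction data to the MAC input is the
    illustrative 'bound' variant used below, not a standard."""
    msg = counter.to_bytes(8, "big") + extra
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Token:
    """Customer's generator: shared secret plus an event counter."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self, extra: bytes = b"") -> str:
        tan = hotp(self.secret, self.counter, extra=extra)
        self.counter += 1
        return tan


class TokenBank:
    """Bank side: same secret, plus a look-ahead window because the customer
    may have pressed the button without submitting (skipped counters)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, tan: str, extra: bytes = b"") -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, extra=extra), tan):
                self.counter = c + 1     # everything up to c is now dead: no replay
                return True
        return False


def demo():
    secret = b"12345678901234567890"     # constructed shared secret (RFC 4226 sample key)
    token, bank = Token(secret), TokenBank(secret)
    out = {}
    out["legit"] = bank.verify(token.press())
    tan = token.press()
    out["first_use"] = bank.verify(tan)
    out["replay"] = bank.verify(tan)                 # counter has moved past it
    # Phishing: the victim is talked into reading out "the next TAN" and the
    # attacker submits it for a transfer of their own. Nothing ties the code
    # to a payee or amount, so the bank accepts it.
    out["phished_unbound"] = bank.verify(token.press())
    # Bound variant: the token is given the transfer the customer intends
    # (as readers that are shown the transaction data do); a code computed
    # for "landlord|500" does not verify for the attacker's altered transfer.
    intended, altered = b"landlord|500", b"mule|4999"
    tan = token.press(extra=intended)
    out["bound_altered"] = bank.verify(tan, extra=altered)
    out["bound_intended"] = bank.verify(tan, extra=intended)
    return out
```

`demo()` returns `{"legit": True, "first_use": True, "replay": False, "phished_unbound": True, "bound_altered": False, "bound_intended": True}`. The counter protects against replay of a code already used, but a code that has never been submitted is accepted from anyone who holds it; only the bound variant makes a relayed code useless for a transfer other than the one the customer typed into the token.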
 
==References==
{{reflist}}
 
{{German|Transaktionsnummer}}
 
[[Category:Authentication methods]]