An additional advantage of this scheme is that because the TAN generator is generic, requiring a card to be inserted, it can be used with multiple accounts across different banks, and losing the generator is not a security risk because the security-critical data is stored on the bank card.
While it offers protection from technical manipulation, the ChipTAN scheme is still vulnerable to [[social engineering (security)|social engineering]]. Attackers have tried to persuade the users themselves to authorize a transfer under a pretext, for example by claiming that the bank required a "test transfer" or that a company had falsely transferred money to the user's account and they should "send it back".<ref name="symantec"/><ref>[http://www.trusteer.com/blog/tatanga-attack-exposes-chiptan-weaknesses ''Tatanga Attack Exposes chipTAN Weaknesses''] trusteer.com, September 4, 2012</ref> Users should therefore never
ChipTAN is also used to secure batch transfers (''Sammelüberweisungen''). However, this method offers significantly less security than the one for individual transfers. In the case of a batch transfer the TAN generator will only show the number of transfers and their total amount combined – thus for batch transfers there is little protection from manipulation by a Trojan, which can alter individual records as long as the count and the total are preserved.<ref>{{cite web|title=chipTAN-Verfahren / Was wird im TAN-Generator angezeigt?|url=https://www.sparkasse-neckartal-odenwald.de/pdf/download/anzeige_tan_generator.pdf|publisher=Sparkasse Neckartal-Odenwald|accessdate=1 December 2014|date=June 2013|quote=SEPA-Sammelüberweisung, Inhalt: mehr als 1 Posten. Anzeige 1: Summe, Anzeige 2: Anzahl Posten}}</ref> This vulnerability was reported by RedTeam Pentesting in November 2009.<ref>{{cite web|title=Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System|url=https://www.redteam-pentesting.de/en/publications/mitm-chiptan-comfort/-man-in-the-middle-attacks-against-the-chiptan-comfort-online-banking-system|publisher=RedTeam Pentesting GmbH|accessdate=1 December 2014}}</ref> In response, as a mitigation, some banks changed their batch transfer handling so that batch transfers containing only a single record are treated as individual transfers.
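The following is an added illustration of the point above, not code from the article or from any bank's ChipTAN implementation. It models what the generator display can show the user for an individual transfer (recipient and amount) versus a batch transfer (record count and total), and applies the single-record mitigation described above. The record layout, the display tuples and the sample transfers with placeholder recipient identifiers are all constructed for this example.

```python
"""Model of the verification data a ChipTAN generator can show the user.

Added illustration (not the article's or any bank's code). The record
layout, display tuples and sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    recipient: str    # constructed placeholder identifier, not a real account
    amount: Decimal


def individual_display(t: Transfer) -> tuple[str, str]:
    """Individual transfer: the generator shows recipient and amount, so a
    user who checks the display has what is needed to notice a changed recipient."""
    return (t.recipient, f"{t.amount:.2f}")


def batch_display(batch: list[Transfer]) -> tuple[str, str]:
    """Batch transfer (Sammelüberweisung): only the number of records and the
    total amount are shown, as the Sparkasse document cited in the article states."""
    total = sum((t.amount for t in batch), Decimal("0"))
    return (str(len(batch)), f"{total:.2f}")


def display_with_mitigation(batch: list[Transfer]) -> tuple[str, str]:
    """Mitigation mentioned in the article: a batch containing exactly one
    record is handled as an individual transfer, so its recipient is visible."""
    if len(batch) == 1:
        return individual_display(batch[0])
    return batch_display(batch)


def user_can_detect(original: list[Transfer], modified: list[Transfer], display_fn) -> bool:
    """True if the display differs between the batch the user intended and a
    modified version, i.e. the user has the information to notice the change."""
    return display_fn(original) != display_fn(modified)


# Constructed sample data: the modified batch keeps count and total unchanged
# and differs only in one recipient identifier.
ORIGINAL_BATCH = [Transfer("RECIPIENT-A", Decimal("100.00")),
                  Transfer("RECIPIENT-B", Decimal("50.00"))]
MODIFIED_BATCH = [Transfer("RECIPIENT-A", Decimal("100.00")),
                  Transfer("RECIPIENT-X", Decimal("50.00"))]
SINGLE_RECORD = [Transfer("RECIPIENT-A", Decimal("100.00"))]
SINGLE_MODIFIED = [Transfer("RECIPIENT-X", Decimal("100.00"))]


def check_scenarios() -> dict[str, bool]:
    """Summarise which display modes give the user enough data to notice a change."""
    return {
        "two_records_batch_display": user_can_detect(ORIGINAL_BATCH, MODIFIED_BATCH, batch_display),
        "single_record_batch_display": user_can_detect(SINGLE_RECORD, SINGLE_MODIFIED, batch_display),
        "single_record_with_mitigation": user_can_detect(SINGLE_RECORD, SINGLE_MODIFIED, display_with_mitigation),
    }


if __name__ == "__main__":
    print("batch display:", batch_display(ORIGINAL_BATCH))
    for name, detectable in check_scenarios().items():
        print(f"{name}: user can notice change = {detectable}")
```

The result reflects the article's point: with two or more records the batch display is identical for the intended and the modified batch, so the user cannot verify individual recipients; the single-record mitigation restores the full individual display, but only for batches of one.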