Fix acronym description
We do not give advice, though it may be appropriate to describe advice given by others
==Classic TAN==
TANs often function as follows:
# The bank creates a set of unique TANs for the user. Typically, 50 TANs are printed on a list, enough to last a normal user half a year; each TAN is six or eight characters long.
# The user picks up the list from the nearest bank branch (presenting a [[passport]], an [[ID card]] or similar document) or is sent the TAN list through mail.
# The password (PIN) is mailed separately.
# To log on to their account, the user must enter a user name (often the account number) and password ([[PIN]]). This may give access to account information, but the ability to process transactions is disabled.
# To perform a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the submitted TAN against the list of TANs it issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
# The TAN has now been used and will not be recognized for any further transactions.
# If the TAN list is compromised, the user may cancel it by notifying the bank.
However, as any TAN can be used for any transaction, TANs are still prone to [[phishing attacks]] where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against [[man-in-the-middle attack]]s (where an attacker intercepts the transmission of the TAN, and uses it for a forged transaction).
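
The bank-side checks in steps 5 to 7, as an added example that is not part of the original article and is not any bank's code. The class and function names, the account strings and the three-failure lockout are assumptions made for illustration; the unused <code>transaction</code> argument shows why a classic TAN authorizes any transaction.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumption: lockout threshold, not stated in the article

class TanList:
    """Bank-side state for one issued TAN list (illustrative model)."""

    def __init__(self, count=50, length=6):
        self.salt = secrets.token_bytes(16)
        self.cancelled = False
        self.failures = 0
        tans = set()
        while len(tans) < count:  # step 1: a set of unique TANs
            tans.add("".join(secrets.choice("0123456789") for _ in range(length)))
        self.printed = sorted(tans)  # paper list; kept here only for the demo
        self.unused = [self._digest(t) for t in self.printed]

    def _digest(self, tan):
        # The verifier compares salted digests, not the plaintext TANs.
        return hashlib.pbkdf2_hmac("sha256", tan.encode(), self.salt, 1000)

    def cancel(self):  # step 7: the user reported the list as compromised
        self.cancelled = True
        self.unused.clear()

    def authorize(self, transaction, submitted_tan):
        """Steps 5-6: accept an unused TAN once, then retire it."""
        if self.cancelled or self.failures >= MAX_FAILURES:
            return False
        candidate = self._digest(submitted_tan)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, candidate):
                del self.unused[i]  # a used TAN is never recognized again
                self.failures = 0
                return True  # `transaction` played no part in the check
        self.failures += 1
        return False

def demo():
    tl = TanList()
    tan = tl.printed[0]
    first = tl.authorize({"to": "CONSTRUCTED-ACCT-1", "amount": 10}, tan)
    replay = tl.authorize({"to": "CONSTRUCTED-ACCT-1", "amount": 10}, tan)
    # Any other unused TAN is accepted for an unrelated transfer.
    other = tl.authorize({"to": "CONSTRUCTED-ACCT-2", "amount": 9999}, tl.printed[1])
    tl.cancel()
    after_cancel = tl.authorize({"to": "CONSTRUCTED-ACCT-1", "amount": 1}, tl.printed[2])
    return first, replay, other, after_cancel
```
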
Especially when the client system becomes compromised by some form of [[Antivirus software|malware]] that enables a [[Hacker (computer security)|malicious user]], the possibility of an unauthorized transaction is high. Although the remaining TANs are uncompromised and can be used safely,
== Indexed TAN (iTAN) ==