Transaction authentication number

Last updated

A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords (OTPs) to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.

Contents

TANs provide additional security because they act as a form of two-factor authentication (2FA). If the physical document or token containing the TANs is stolen, it will be useless without the password. Conversely, if the login data are obtained, no transactions can be performed without a valid TAN.

Classic TAN

TANs often function as follows:

  1. The bank creates a set of unique TANs for the user. [1] Typically, there are 50 TANs printed on a list, enough to last half a year for a normal user; each TAN being six or eight characters long.
  2. The user picks up the list from the nearest bank branch (presenting a passport, an ID card or similar document) or is sent the TAN list through mail.
  3. The password (PIN) is mailed separately.
  4. To log on to their account, the user must enter user name (often the account number) and password (PIN). This may give access to account information but the ability to process transactions is disabled.
  5. To perform a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
  6. The TAN has now been used and will not be recognized for any further transactions.
  7. If the TAN list is compromised, the user may cancel it by notifying the bank.

However, as any TAN can be used for any transaction, TANs are still prone to phishing attacks where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against man-in-the-middle attacks, where an attacker intercepts the transmission of the TAN, and uses it for a forged transaction, such as when the client system becomes compromised by some form of malware that enables a malicious user. Although the remaining TANs are uncompromised and can be used safely, users are generally advised to take further action, as soon as possible.

Indexed TAN (iTAN)

Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.

However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging into a forged copy of the bank's website and man-in-the-browser attacks [2] which allow the attacker to secretly swap the transaction details in the background of the PC as well as to conceal the actual transactions carried out by the attacker in the online account overview. [3]

Therefore, in 2012 the European Union Agency for Network and Information Security advised all banks to consider the PC systems of their users being infected by malware by default and use security processes where the user can cross-check the transaction data against manipulations like for example (provided the security of the mobile phone holds up) mTAN or smartcard readers with their own screen including the transaction data into the TAN generation process while displaying it beforehand to the user (chipTAN). [4]

Indexed TAN with CAPTCHA (iTANplus)

Prior to entering the iTAN, the user is presented a CAPTCHA, which in the background also shows the transaction data and data deemed unknown to a potential attacker, such as the user's birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA.

This variant of the iTAN is method used by some German banks adds a CAPTCHA to reduce the risk of man-in-the-middle attacks. [5] Some Chinese banks have also deployed a TAN method similar to iTANplus. A recent study shows that these CAPTCHA-based TAN schemes are not secure against more advanced automated attacks. [6]

Mobile TAN (mTAN)

mTANs are used by banks in Austria, Bulgaria, Czech Republic, Germany, Hungary, Malaysia, the Netherlands, Poland, Russia, Singapore, South Africa, Spain, Switzerland and some in New Zealand, Australia, UK, and Ukraine. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by SMS. The SMS may also include transaction data, allowing the user to verify that the transaction has not been modified in transmission to the bank.

However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM Swap Fraud. A common attack vector is for the attacker to impersonate the victim, and obtain a replacement SIM card for the victim's phone from the mobile network operator. The victim's user name and password are obtained by other means (such as keylogging or phishing). In-between obtaining the cloned/replacement SIM and the victim noticing their phone no longer works, the attacker can transfer/extract the victim's funds from their accounts. [7] In 2016 a study was conducted on SIM Swap Fraud by a social engineer, revealing weaknesses in issuing porting numbers.

In 2014, a weakness in the Signalling System No. 7 used for SMS transmission was published, which allows interception of messages. It was demonstrated by Tobias Engel during the 31st Chaos Communication Congress. [8] At the beginning of 2017, this weakness was used successfully in Germany to intercept SMS and fraudulently redirect fund transfers. [9]

Also the rise of smartphones led to malware attacks trying to simultaneously infect the PC and the mobile phone as well to break the mTAN scheme. [10]

pushTAN

pushTAN is an app-based TAN scheme by German Sparkassen banking group reducing some of the shortcomings of the mTAN scheme. It eliminates the cost of SMS messages and is not susceptible to SIM card fraud, since the messages are sent via a special text-messaging application to the user's smartphone using an encrypted Internet connection. Just like mTAN, the scheme allows the user to cross-check the transaction details against hidden manipulations carried out by Trojans on the user's PC by including the actual transaction details the bank received in the pushTAN message. Although analogous to using mTAN with a smartphone, there is the risk of a parallel malware infection of PC and smartphone. To reduce this risk the pushTAN app ceases to function if the mobile device is rooted or jailbroken. [11] In late 2014 the Deutsche Kreditbank (DKB) also adopted the pushTAN scheme. [12]

TAN generators

Simple TAN generators

The risk of compromising the whole TAN list can be reduced by using security tokens that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smartcard inserted into the token.

However, the TAN generated is not tied to the details of a specific transaction. Because the TAN is valid for any transaction submitted with it, it does not protect against phishing attacks where the TAN is directly used by the attacker, or against man-in-the-middle attacks.

ChipTAN / Sm@rt-TAN / CardTAN

ChipTAN generator (optical version) with bank card attached. The two white arrows mark the borders of the barcode on the computer screen. SmartTAN optic-Gadget.jpg
ChipTAN generator (optical version) with bank card attached. The two white arrows mark the borders of the barcode on the computer screen.

ChipTAN is a TAN scheme used by many German and Austrian banks. [13] [14] [15] It is known as ChipTAN or Sm@rt-TAN [16] in Germany and as CardTAN in Austria, whereas cardTAN is a technically independent standard. [17]

A ChipTAN generator is not tied to a particular account; instead, the user must insert their bank card during use. The TAN generated is specific to the bank card as well as to the current transaction details. There are two variants: In the older variant, the transaction details (at least amount and account number) must be entered manually. In the modern variant, the user enters the transaction online, then the TAN generator reads the transaction details via a flickering barcode on the computer screen (using photodetectors). It then shows the transaction details on its own screen to the user for confirmation before generating the TAN.

As it is independent hardware, coupled only by a simple communication channel, the TAN generator is not susceptible to attack from the user's computer. Even if the computer is subverted by a Trojan, or if a man-in-the-middle attack occurs, the TAN generated is only valid for the transaction confirmed by the user on the screen of the TAN generator, therefore modifying a transaction retroactively would cause the TAN to be invalid.

An additional advantage of this scheme is that because the TAN generator is generic, requiring a card to be inserted, it can be used with multiple accounts across different banks, and losing the generator is not a security risk because the security-critical data is stored on the bank card.

While it offers protection from technical manipulation, the ChipTAN scheme is still vulnerable to social engineering. Attackers have tried to persuade the users themselves to authorize a transfer under a pretext, for example by claiming that the bank required a "test transfer" or that a company had falsely transferred money to the user's account and they should "send it back". [2] [18] Users should therefore never confirm bank transfers they have not initiated themselves.

ChipTAN is also used to secure batch transfers (Sammelüberweisungen). However, this method offers significantly less security than the one for individual transfers. In case of a batch transfer the TAN generator will only show the number and total amount of all transfers combined – thus for batch transfers there is little protection from manipulation by a Trojan. [19] This vulnerability was reported by RedTeam Pentesting in November 2009. [20] In response, as a mitigation, some banks changed their batch transfer handling so that batch transfers containing only a single record are treated as individual transfers.

See also

Related Research Articles

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

<span class="mw-page-title-main">Smart card</span> Pocket-sized card with embedded integrated circuits for identification or payment functions

A smart card (SC), chip card, or integrated circuit card is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.

<span class="mw-page-title-main">Online banking</span> Electronic payment system

Online banking, also known as internet banking, virtual banking, web banking or home banking, is a system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institution's website or mobile app. Since the early 2000s this has become the most common way that customers access their bank accounts.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

<span class="mw-page-title-main">Security token</span> Device used to access electronically restricted resource

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. It acts like an electronic key to access something. Examples of security tokens include wireless keycards used to open locked doors, or a banking token used as a digital authenticator for signing in to online banking, or signing a transaction such as a wire transfer.

Crimeware is a class of malware designed specifically to automate cybercrime.

3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and the interoperability domain.

<span class="mw-page-title-main">Mobile banking</span> Service provided by a bank

Mobile banking is a service provided by a bank or other financial institution that allows its customers to conduct financial transactions remotely using a mobile device such as a smartphone or tablet. Unlike the related internet banking it uses software, usually called an app, provided by the financial institution for the purpose. Mobile banking is usually available on a 24-hour basis. Some financial institutions have restrictions on which accounts may be accessed through mobile banking, as well as a limit on the amount that can be transacted. Mobile banking is dependent on the availability of an internet or data connection to the mobile device.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

<span class="mw-page-title-main">SMS banking</span> Form of mobile banking

SMS banking' is a form of mobile banking. It is a facility used by some banks or other financial institutions to send messages to customers' mobile phones using SMS messaging, or a service provided by them which enables customers to perform some financial transactions using SMS.

<span class="mw-page-title-main">Chip Authentication Program</span>

The Chip Authentication Program (CAP) is a MasterCard initiative and technical specification for using EMV banking smartcards for authenticating users and transactions in online and telephone banking. It was also adopted by Visa as Dynamic Passcode Authentication (DPA). The CAP specification defines a handheld device with a smartcard slot, a numeric keypad, and a display capable of displaying at least 12 characters. Banking customers who have been issued a CAP reader by their bank can insert their Chip and PIN (EMV) card into the CAP reader in order to participate in one of several supported authentication protocols. CAP is a form of two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed. Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading so-called phishing emails.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

Man-in-the-browser, a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software;, but a 2011 report concluded that additional measures on top of antivirus software were needed.

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Experi-Metal, Inc., v. Comerica Bank is a decision by the United States District Court for the Eastern District of Michigan in a case of a phishing attack that resulted in unauthorized wire transfers of US$1.9 million through Experi-Metal's online banking accounts. The court held Comerica liable for losses of US$560,000 that could not be recovered from the phishing attack, on the ground that the bank had not acted in good faith when it failed to recognize the transfers as fraudulent.

Reliance authentication is a part of the trust-based identity attribution process whereby a second entity relies upon the authentication processes put in place by a first entity. The second entity creates a further element that is unique and specific to its purpose, that can only be retrieved or accessed by the authentication processes of the first entity having first being met.

SpyEye is a malware program that attacks users running Google Chrome, Opera, Firefox and Internet Explorer on Microsoft Windows operating systems. This malware uses keystroke logging and form grabbing to steal user credentials for malicious use. SpyEye allows hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

Cerberus is a trojan horse targeting Android mobile phone banking credentials.

References

  1. "Transaction Authentication Number (TAN)". Fraud.net. Retrieved 2023-12-14.
  2. 1 2 Candid Wüest, Symantec Global Security Response Team Current Advances in Banking Trojans? Archived 2014-04-25 at the Wayback Machine iriss.ie, Irish Reporting and Information Security Service, December 2, 2012 (PDF; 1,9 MB)
  3. Katusha: LKA zerschlägt Ring von Online-Betrügern WinFuture.de, October 29, 2010
  4. “High Roller” online bank robberies reveal security gaps European Union Agency for Network and Information Security, July 5, 2012
  5. heise online (2007-10-26). "Verbessertes iTAN-Verfahren soll vor Manipulationen durch Trojaner schützen" (in German).
  6. Li, Shujun; Syed Amier Haider Shah; Muhammad Asad Usman Khan; Syed Ali Khayam; Ahmad-Reza Sadeghi; Roland Schmitz (2010). "Breaking e-Banking CAPTCHAs". Proceedings of 26th Annual Computer Security Applications Conference (ACSAC 2010). New York, NY, USA: ACM. pp. 171–180. doi:10.1145/1920261.1920288.
  7. Victim's SIM swop fraud nightmare iol.co.za, Independent Online, January 12, 2008
  8. "31C3: Mobilfunk-Protokoll SS7 offen wie ein Scheunentor" (in German). 2014-12-28.
  9. Fabian A. Scherschel (2017-05-03). "Deutsche Bankkonten über UMTS-Sicherheitslücken ausgeräumt" (in German).
  10. Eurograbber SMS Trojan steals €36 million from online banks techworld.com, December 5, 2012
  11. Online-Banking mit pushTAN - FAQ berliner-sparkasse.de, Berliner Sparkasse (AöR), Retrieved on August 27, 2014.
  12. Informationen zu pushTAN dkb.de, Deutsche Kreditbank AG, Retrieved on March 12, 2015.
  13. Postbank chipTAN official page of Postbank, Retrieved on April 10, 2014.
  14. chipTAN: Listen werden überflüssig official page of Sparkasse, Retrieved on April 10, 2014.
  15. Die cardTAN official page of Raiffeisen Bankengruppe Österreich, Retrieved on April 10, 2014.
  16. "Sm@rt-TAN". www.vr-banking-app.de (in German). Retrieved 2018-10-10.
  17. Die neue cardTAN ebankingsicherheit.at, Gemalto N.V., Retrieved on October 22, 2014.
  18. Tatanga Attack Exposes chipTAN Weaknesses trusteer.com, September 4, 2012
  19. "chipTAN-Verfahren / Was wird im TAN-Generator angezeigt?" (PDF). Sparkasse Neckartal-Odenwald. June 2013. Retrieved 1 December 2014. SEPA-Sammelüberweisung, Inhalt: mehr als 1 Posten. Anzeige 1: Summe, Anzeige 2: Anzahl Posten
  20. "Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System". RedTeam Pentesting GmbH. Retrieved 1 December 2014.