First enter the username, then the PIN - and then a TAN at the end? For many online banking users, strict security precautions are a necessary evil they would like to do without. Since its introduction in 1976, the transaction number in particular has effectively helped protect people’s finances – provided of course that the account holder carries out the respective TAN procedure correctly and does not fall for cyber fraud schemes. Find out what procedures are out there, how secure they are, and what you can do yourself to protect your hard-earned money from cyber criminals in this guide.

What are TANs?

A TAN is a one-time password, usually consisting of six decimal digits. It is mainly used for bank transfers and for changes to settings in online banking. TANs are one of the most frequently used two-factor authentication tools and add an extra access layer on top of the username and PIN: they are meant to prevent criminals from gaining unauthorized control over other people’s bank accounts. Even if an attacker has already obtained your PIN using phishing or Trojans, no transfer can be made without a TAN. This is guaranteed by the fact that each TAN is directly linked to sensitive data such as the IBAN and the transfer amount – in addition, a TAN is only valid for a single transaction and only for a limited period of time (just a few minutes).

What are TAN procedures and how do they work?

A TAN procedure is the method by which a valid TAN is transmitted to its legitimate user and used for authentication. There are several different methods, but the basic principle is very similar for all of them:

  1. First, log into your bank’s internet portal, online banking app or banking software, begin the transfer, and then finalize and confirm it.
  2. The transfer information you entered is now displayed again. Check it carefully to make sure that it really is your order and that it has not been manipulated in any way by third parties. Then confirm the transfer.
  3. Now your bank asks for a valid TAN. This is generated according to the procedure you have set up in advance. By entering the valid transaction number, you verify your transfer and it is executed.

What TAN pro­ce­dures are available?

You may remember that in the past, personal TANs were only available as a numbered list on paper that your bank sent to you. To legitimize a transaction, all you had to do was enter a TAN from the list while online banking. When all the numbers were used up, a new list was ordered. The weaknesses of this kind of procedure are obvious: if the list was lost, all valid transaction numbers ended up in the finder’s hands. For this reason, newer and safer procedures replaced the classic TAN list from 2005 onward. Most of them use digital technologies.

Individual procedures differ in their requirements, user convenience and level of security. Before deciding on a current account, it is therefore worth taking a critical look at the TAN procedures available on the market.

Discontinued model: the iTAN process

The “indexed TAN list” is the direct successor to the classic TAN list, and was long the standard procedure in online banking for private customers. The most important innovation compared to its predecessor? The customer can no longer verify their transfer orders with any TAN they choose from the list. Instead, the bank or financial institution specifies a very specific position number (called an index) that matches one transaction number on the list and that cannot be foreseen in advance.

Although this small modification theoretically provides a higher level of security, it also has disadvantages. Since you never know in advance which TAN the bank will require, you always need to have the entire TAN list at hand for payment transactions. While in the classic version you could write out individual TANs that were not directly recognizable as TANs (after all, they could theoretically also be telephone numbers), an iTAN list is practically always recognizable as such.

Cases of criminals getting hold of these lists and using them for fraudulent activities also increased with this procedure. As a result, the iTAN soon came to be considered less than one hundred percent secure. The iTANplus extension and the introduction of a confirmation number (BEN) only marginally increased security.

However, some banks still offer iTAN lists, but only as “minimum protection”. Most providers advise against relying on iTANs alone and refer you to more modern procedures. It is mostly existing customers who still use this method, because switching to another procedure seems time-consuming or complicated. If you are still working with the analog list, you should definitely choose another TAN procedure.

Mobile banking: The mTAN procedure

The concept of the mTAN procedure (also called smsTAN or mobileTAN) is based on the use of a second device in addition to the laptop or computer on which you log into online banking. If you want to verify a transfer, the bank sends a freshly generated TAN via SMS (mobile charges may apply) to the customer’s mobile phone or smartphone. The customer then enters the TAN in their online banking application. Although mTAN is not a widely used procedure in the USA, it is common practice in a number of countries, including Austria, the Czech Republic, Hungary, Bulgaria, Germany, the Netherlands, Russia, South Africa, Switzerland, Australia, New Zealand, Spain and Ukraine.

Due to the widespread use of mobile phones, the mTAN procedure is considered the most popular TAN procedure in many European countries, where many banks offer it as standard. Since no paper list needs to be stored, mTAN is by its basic concept much more secure than the iTAN process. Additionally, the customer can check their transfer data (especially the target account number and transfer amount) again on a separate device in order to detect man-in-the-middle attacks (see point 5, “Which safety aspects need to be observed when handling TAN procedures?”).

Although it would seem to make sense to run online banking and TAN reception on the same device, most banks prevent this with technical hurdles. If both ran on one device, this would considerably reduce the security of transfer orders. This separation is therefore also in the customer’s interest: without it, if the user lost their smartphone, both authentication factors could fall into the hands of strangers. For this reason, you should always use a separate device for online banking.

When online banking and TAN devices are separated, the mTAN procedure offers a medium to high degree of security. However, its reputation has suffered somewhat recently: as mobile phones have evolved into multifunction devices with a constant internet connection, it has become easier for cyber criminals to obtain access data stored on them using phishing and Trojans.

Particularly flexible: the pushTAN process

Although usually just a single mobile device (such as a smartphone or tablet) is used in the pushTAN procedure, it still enables two-factor authentication. The mobile device uses two logically separate channels: on one channel, the customer accesses their bank’s web portal or banking app; on the second channel, a password-protected pushTAN app (available free of charge in the Apple App Store or on Google Play) displays the transfer data for verification and generates a valid TAN on request. The TAN can then be entered in online banking or, if the banking and pushTAN apps are compatible, transferred directly into the transfer form. The advantage is obvious: with pushTAN you need just one device, and you can also do your banking on the move.

Safer than the mobile phone: the chipTAN procedure

To use the chipTAN or smartTAN procedure, you need additional hardware in the form of a chipTAN generator, or card reader. The small, wireless device is available either as a branded version from your bank or as a dedicated product in specialist shops – inexpensive devices usually cost $12-17, and some banks send their customers the devices free of charge. You can use one for several accounts and users without any problems. To activate the chipTAN generator, you need a chip card (usually the EC/Visa/Maestro card issued by your bank). To generate a TAN, you insert your chip card into the card reader. You can now issue a bank transfer through your online banking portal, which shows a graphic code for the reader; the reader scans it together with the chip in your card and outputs the TAN as a result. If the scan doesn’t work for some reason, you can also enter the transfer data manually.

Since the chipTAN generator is never connected to the internet, the procedure is considered very secure – after all, cyber criminals have no way of gaining access to the generator. This alone makes the procedure worthwhile, despite the possible purchase cost of the device and the additional handling effort. However, a potential risk is the loss of the chip card. If a criminal gets their hands on it, they can theoretically create any number of transaction numbers with any chipTAN generator. So, if you lose your card, be sure to have it blocked immediately to prevent misuse. This is generally recommended anyway, because criminals can use your bank card to pay for items online without needing to know your bank details.

The individual devices differ mainly in design and functionality. Some resemble a pocket calculator with a multi-line display, others are the size of a USB stick without any display. A long battery life and Bluetooth capability (for transferring bank transfer data and the TAN) are also useful.

The photoTAN procedure – hacking is an unlikely possibility

The relatively new photoTAN procedure is basically similar to the chipTAN procedure described above in that it uses special hardware, a photoTAN reader (price: $17-35). As an alternative, you can use a free photoTAN app with your smartphone’s built-in camera. However, instead of a chip, the photoTAN process scans a colored mosaic graphic.

This procedure offers the same advantages as pushTAN and chipTAN, but also the same risks: first and foremost, losing the chip card or the smartphone that has the photoTAN app installed. Since the procedure is still not widely used, experts consider a high fraud rate with photoTAN very unlikely, even though hacking is technically possible when a smartphone is used instead of a reader. Regardless, the card reader remains the recommended verification method.

Maximum security: The HBCI/FinTS process

Strictly speaking, the HBCI standard (Home Banking Computer Interface), developed back in 1998, is not a TAN procedure at all. Instead, it is a security mechanism for banking transactions on the internet. It was primarily designed for companies and users with several accounts at different financial institutions. Although the standard was effectively renamed FinTS (Financial Transaction Services) after its further development in 2002, it is still widely known as HBCI.

Similar to chipTAN and photoTAN, this procedure requires a card reader (price approx. $70) to be used with your chip card. In addition, users need a PIN and special financial software. The latter can be obtained in specialist shops or directly from your bank for approx. $23-117 (depending on the version and range of functions), or used for a monthly fee.

The process’s complex registration ensures a high level of security for HBCI:

  1. First, start your financial software and log in with your access data. During first use, the program automatically generates two digital keys – a “signature key” for the chip card and an “encryption key” for the bank server – which serve as the electronic signature for all transactions.
  2. After you have entered your transfer, connect the HBCI card reader to your computer, verify your PIN and insert your HBCI chip card into the device.
  3. The signature key on the chip card now authorizes the transfer, which is encrypted with the encryption key and sent to the bank server through a multiply secured line. As soon as the bank has checked the encryption key, the transfer is executed.
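The three steps above, as an added example written for this guide (not the HBCI/FinTS specification and not any bank’s software): sign the order with the card’s signature key, encrypt it with the encryption key for the bank link, and let the bank check both before executing. The program is a simplified model in Go: Ed25519 stands in for the card signature key and one shared AES-256-GCM key for the link encryption key, whereas real HBCI/FinTS uses RSA-based schemes; the names Bank, Submit and Receive and the sample IBAN are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Order is the transfer the customer's financial software submits.
type Order struct {
	IBAN   string `json:"iban"`
	Amount int64  `json:"amount_cents"`
}

// Envelope is what travels to the bank server: sender, fresh nonce and the
// sealed payload (chip-card signature followed by the JSON-encoded order).
type Envelope struct {
	User       string
	Nonce      []byte
	Ciphertext []byte
}

// Bank keeps each customer's registered public signature key and the link's
// encryption key (simplified here to one shared AES-256-GCM key).
type Bank struct {
	signKeys map[string]ed25519.PublicKey
	EncKey   []byte
}

var ErrRejected = errors.New("order rejected")

// Register models first use: a signature key pair is generated, the bank keeps
// the public half, and the private half is returned to live on the chip card.
func (b *Bank) Register(user string) ed25519.PrivateKey {
	if b.signKeys == nil {
		b.signKeys = map[string]ed25519.PublicKey{}
		b.EncKey = make([]byte, 32)
		rand.Read(b.EncKey) // crypto/rand: always fills the buffer
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	b.signKeys[user] = pub
	return priv
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Submit signs the JSON-encoded order with the card key, then encrypts
// signature+order with the link key; the user id is bound as associated data.
func Submit(user string, card ed25519.PrivateKey, encKey []byte, o Order) (Envelope, error) {
	body, err := json.Marshal(o)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := gcm(encKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	plain := append(ed25519.Sign(card, body), body...)
	return Envelope{User: user, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plain, []byte(user))}, nil
}

// Receive decrypts and checks the signature against the registered card key.
// Anything altered on the line, relabelled to another user or signed with the
// wrong key is rejected before the transfer can execute.
func (b *Bank) Receive(env Envelope) (Order, error) {
	pub, ok := b.signKeys[env.User]
	aead, err := gcm(b.EncKey)
	if !ok || err != nil || len(env.Nonce) != aead.NonceSize() {
		return Order{}, ErrRejected
	}
	plain, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.User))
	if err != nil || len(plain) < ed25519.SignatureSize {
		return Order{}, ErrRejected
	}
	sig, body := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	var o Order
	if !ed25519.Verify(pub, body, sig) || json.Unmarshal(body, &o) != nil {
		return Order{}, ErrRejected
	}
	return o, nil
}

func main() {
	bank := &Bank{}
	card := bank.Register("alice")
	// Constructed sample order; the IBAN is a placeholder, not a real account.
	env, _ := Submit("alice", card, bank.EncKey, Order{IBAN: "DE00 0000 0000 0000 0000 00", Amount: 4999})
	fmt.Println(bank.Receive(env)) // {DE00 0000 0000 0000 0000 00 4999} <nil>
	env.Ciphertext[0] ^= 1         // one bit flipped on the line
	fmt.Println(bank.Receive(env)) // { 0} order rejected
}
```

The bank rejects a message whose ciphertext was altered in transit (the GCM tag no longer verifies), one relabelled to a different user (the user id is bound as associated data), and one signed with a key that is not registered for that user. What this model leaves out, and a real deployment must add, is replay protection for a genuine message (a sequence number or timestamp inside the signed body) and the PIN entry on the reader that unlocks the card key.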

Due to the high acquisition costs and the complex process, HBCI is unattractive for most private users. However, it is undoubtedly the safest TAN procedure currently on the market. Since cyber criminals tend to focus on common operating systems and web browsers rather than developing attack methods for rarely used home banking programs, in order to maximize their efficiency, no cases of fraud are yet known.

TAN procedures: advantages and disadvantages

All TAN procedures have their advantages and disadvantages. To find the right one for you, carefully weigh up the costs, usability and level of security. Be sure not to take unnecessary risks out of convenience.

TAN procedure | Requirements/Expenditure | Security level | Highest security risk (in combination with common phishing methods and/or bank Trojans)
iTAN | Once-off registration, device for online banking (e.g. laptop), iTAN list (reorderable) | Low | Possible loss of list
mTAN | Once-off registration (fees may apply), device for online banking (e.g. laptop), SMS-enabled landline phone, mobile phone or smartphone | Medium | Possible loss of SMS device
pushTAN | Once-off registration, mobile device, online banking app, pushTAN app | High | Loss of mobile device, installation of online banking and pushTAN app on the same device, using the same password for both apps
chipTAN | Once-off registration, device for online banking (e.g. laptop), chipTAN generator ($12-17), chip bank card | High | Loss of chip card
photoTAN | Once-off registration, device for online banking (e.g. laptop), photoTAN reader ($17-35) or free photoTAN app, chip bank card | High | Loss of the chip card or mobile device that has the photoTAN app installed
HBCI | Once-off registration, device for online banking (e.g. laptop), special financial software ($23-117), card reader (approx. $70), HBCI chip card, personal PIN | Very high | No known security risk

What safety aspects need to be followed when handling a TAN procedure?

TAN procedures offer the highest possible level of safety, but can never guarantee 100% security in online banking – even if some financial institutions claim otherwise. The sobering truth is: with the exception of HBCI, which is not actually a TAN procedure, every procedure has at some point been successfully hacked. Although procedural vulnerabilities have played an important role in every fraud case, a completely different weakness was usually the decisive factor: the customer. Isolated from the bank’s internal security infrastructure, often unfamiliar with IT issues and sometimes impulsive, customers are the weakest link in the chain for many criminals.

This is also why cyberattacks on bank accounts always target the owner first. It is therefore up to the customer to take care of account security and to develop an awareness of the secure handling of online banking and TAN procedures. In this context, it helps to know and understand the typical course of an attack. There is now a great variety of possible attack scenarios, and every day criminals come up with new ways to obtain money that doesn’t belong to them. We can’t run through every cybercriminal trick, but we will explain the most typical frauds they carry out. The following explanations refer to the TAN procedure.

To exploit the human factor in order to infiltrate an IT security system, experienced attackers use not only a selection of digital and technical tools, but above all a methodology: social engineering. They try to get their victim to behave incorrectly in a security-critical situation. For example, an attacker might impersonate an employee of an external IT support company that was asked to solve problems with accounting and online banking software, and then ask their interlocutor for access or bank data.

The first step of a cyberattack is often an infection with a Trojan. This is done, for example, by enticing the victim to click an infected link in an email. The more genuine the email and the sender address appear, the more likely this kind of phishing is to work. Subject lines like “Reminder”, “Account blocked” or “Security check” are meant to pressure the potential victim into opening the email.

  1. No matter how a bank Trojan reaches a victim, once it is on your online banking device it can spy out the corresponding access data. The attacker has overcome the first hurdle.
  2. Now the attacker needs to foil the TAN procedure, and there are a number of options for doing this, including the following three:
  • Stealing the mobile device is probably the most common method, but it is also the most likely to be noticed immediately by the victim.
  • Another strategy is to use the captured access data to transfer the device’s mobile number onto a second SIM card. The attacker then configures it so that all SMS messages (and therefore transaction numbers) are sent to their SIM card, while all other functions (like telephoning) remain on the victim’s device. This generally takes longer for a victim to notice.
  • The man-in-the-middle attack, however, is particularly cunning, since it is more or less invisible: the Trojan nests itself in the victim’s browser and simulates the online banking platform, changing or adding certain elements. The unsuspecting victim enters their login information, including a corresponding TAN. In the background, however, the attacker has already captured the data and directs bank transfers into their own account. Depending on how clever they are, it can take weeks or even months to discover the damage.
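The two defences that the man-in-the-middle scenario above runs up against are the ones described in “What are TANs?” and “What are TAN procedures and how do they work?”: the bank binds each TAN to the IBAN and amount, accepts it once and only for a few minutes, and the customer compares the order shown on the separate channel with the one they intended before entering anything. The Go program below is an added example written for this guide; it is not code from the original article or from any bank. The TANServer type, its HMAC-based derivation, the five-minute window and the sample IBANs are constructed assumptions, not a real bank’s protocol.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Transfer is the order the customer submits: recipient IBAN and amount in cents.
type Transfer struct {
	IBAN   string
	Amount int64
}

// TANServer is a hypothetical bank-side issuer and verifier, not a real bank
// protocol. It models what the article says a TAN must be: bound to IBAN and
// amount, valid once, and valid only for a few minutes.
type TANServer struct {
	Secret   []byte
	Validity time.Duration
	Now      func() time.Time // injectable clock, so expiry can be tested
	seq      int
	pending  map[string]time.Time // open transactions and their issue time
}

// tanFor derives a six-digit TAN from transaction id, order data and issue time:
// HMAC-SHA256 truncated to 32 bits and reduced mod 10^6, as HOTP does.
func (s *TANServer) tanFor(txID string, t Transfer, issued time.Time) string {
	mac := hmac.New(sha256.New, s.Secret)
	mac.Write([]byte(txID + "|" + t.IBAN + "|"))
	var buf [16]byte
	binary.BigEndian.PutUint64(buf[:8], uint64(t.Amount))
	binary.BigEndian.PutUint64(buf[8:], uint64(issued.Unix()))
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// Issue opens a transaction and returns its id plus the TAN that the second
// channel (SMS, app, generator display) would show next to the order.
func (s *TANServer) Issue(t Transfer) (txID, tan string) {
	if s.pending == nil {
		s.pending = map[string]time.Time{}
	}
	s.seq++
	txID = fmt.Sprintf("tx%06d", s.seq)
	s.pending[txID] = s.Now()
	return txID, s.tanFor(txID, t, s.pending[txID])
}

var (
	ErrUnknownOrUsed = errors.New("unknown transaction or TAN already used")
	ErrExpired       = errors.New("TAN expired")
	ErrMismatch      = errors.New("TAN does not match this order")
)

// Verify executes the order only if the TAN belongs to exactly this order, has
// not been consumed and is still inside its validity window.
func (s *TANServer) Verify(txID string, t Transfer, tan string) error {
	issued, ok := s.pending[txID]
	if !ok {
		return ErrUnknownOrUsed
	}
	if s.Now().Sub(issued) > s.Validity {
		return ErrExpired
	}
	// Recompute from the order presented now: an IBAN or amount altered after
	// issuance yields a different TAN and is rejected.
	if !hmac.Equal([]byte(s.tanFor(txID, t, issued)), []byte(tan)) {
		return ErrMismatch
	}
	delete(s.pending, txID) // consumed: a replay of the same TAN now fails
	return nil
}

// SecondChannelCheck is the customer's part: compare the order shown on the
// separate channel with the intended one before entering the TAN at all.
func SecondChannelCheck(intended, shown Transfer) bool {
	return intended == shown
}

func main() {
	bank := &TANServer{Secret: []byte("demo secret, not for production"), Validity: 5 * time.Minute, Now: time.Now}
	// Constructed sample order; the IBAN is a placeholder, not a real account.
	intended := Transfer{IBAN: "DE00 0000 0000 0000 0000 00", Amount: 4999}
	txID, tan := bank.Issue(intended)
	fmt.Println("legitimate transfer:", bank.Verify(txID, intended, tan)) // <nil>
	fmt.Println("same TAN replayed:", bank.Verify(txID, intended, tan))   // unknown transaction or TAN already used
	// A browser Trojan swaps the recipient before submission: the second channel
	// shows an IBAN the customer never typed, so the TAN is never entered.
	swapped := Transfer{IBAN: "DE99 9999 9999 9999 9999 99", Amount: 4999}
	bank.Issue(swapped)
	fmt.Println("second channel matches intended order:", SecondChannelCheck(intended, swapped)) // false
}
```

Run with go run: the first Verify succeeds, the second fails because the TAN was consumed, and the swapped order fails the second-channel comparison before any TAN is typed. Note the division of labour: an amount or IBAN altered after the TAN was issued is caught by the bank, since the TAN is recomputed from the order presented, whereas a recipient swapped by the Trojan before submission produces a perfectly valid TAN for the wrong order and is caught only by the customer reading the order on the separate device. That is why the article insists on that check and on keeping the two devices apart.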

How a criminal obtains your TAN details is not really relevant to you as a consumer. Instead, concentrate on arming yourself against the first steps of a cyberattack (social engineering, use of bank Trojans). For example, pay attention to the typical signs of phishing, and never hand out sensitive data to third parties, even if they act like a reliable service provider (IT support, accounting service provider, etc.).
