Security of online banking - TAN procedures
 

My bank is ending the normal iTAN procedure (using paperlists with codes) soon, and demands customers to switch to either mobile TAN (mTAN) using a cellphone, or TAN generators (in Germany called "chipTAN comfort").

Which one is considered to be more safe, and/or "better"?

Plenty of opinions and material pro and contra are in the web, it is difficult to form an opinion without insider knowledge.

If you cannot get an adequate answer from your bank, exercise your individualism, remember you are the customer. Change banks.

Good question. I'm not sure what to choose myself, especially since my bank doesn't bother to give any information about the advantages /disadvantages of the system, let alone how they actually work.....:shifty:

So
mTAN is that you would get a text on your phone when you purchase
Not my cup of tea, since I barely keep my phone handy/charged

TAN generators are little better than Security Cards, and are quite worthless

There are 3 types of security commonly used:
1. What you know(password etc)
2. what you have (keys etc)
3. Who you are (fingerprints etc)

Both mTAN and TAN are "what you have" security
personally I prefer "Who you are" security

iTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, than becomes invalid
- you reply with a 6-digit answering code from a list you have been send via post/paper mail, usually a list with 100 pairs of request-answer-codes

This is the method being withdrawn now.

mTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, than becomes invalid
- the answering code you need to enter online is send to you via SMS/cellphone, is actiove for only some min utes, and then becomes invalid. No printed, post-delivered paper-list.

chipTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- online you get shown five flickering fields with an encoded blinking sequence. You then take your chipped credit card, put it into a small hand-reader, and hold the optical sensor to the flickering signal fields. The device decodes the information basing on the transaction data, shows the receiver's banking number and the money transferred, calcuates a reply code for which transaction data and information on the card chip are being used, and displays that code. You then enter the code online.

Man-in-the-middle attacks and trojans as well as phisihing shoiuld not work with the latter two, the banks say. But banks always only say the best things about their ways and things. I live by the motto: my bank and my insurance company are amongst my worst enemies. It has been shown last year already that man-in-the-middle attacks are still possible, Google-research revealed .

None of these methods is fail-safe, but I wonder whichz gives me the best chances? And I wonder why the paper-list for iTAN is considered to unsafe now. Since every code gets used for one transaction only, and assuming the printed list has not been stolen by someone, I would assume it to be "safe". I also wonder whether it all maybe has not so much to do with safety, but with making it for customers harder to gain and keep black-on-white evidence for failures during transaction procedures so that the bank needs to claim responsibility and have to compensate - a comment I found posted quite often when researchiung the issue via Google (German sites).

I certainly will not trust in what the bank or the manufacturert of the TAN generators say. If I would believe the advertisement, then we all would live in a perfect world, under a golden sky.

TAN-generators look a bit like pocket-calculators the size of a credit card, they cost around 12-15 Euros.



Tyrant,

I think you mistake the PIN with TAN, because you talk of identification of yourself in principle, not of authorisation for an individual, single transaction. the TAN is a code individualised for the single transaction, it chnages with every transaction, and the new methods use not never-changing identity features but ever-changing transaction-characteristics for generating a valid reply code. If your biometric data gets stolen, you are screwed, becasue they are what they are. The new sort of TANs are individually generated for just the single transaction.

In the end biometric data are sets of data which could be stolen and used like any PIN.

I think what we talk opf, is data transaction safety via internet, and the legitimation of data at both ends of the transmission line.

Anyways, All these tricks only work on casual low level attempts to steal your password

Any you know what going to happen?
You would probably leave the generator on your desk anyways(probably next to the piece of paper you write your password on)
And these devices turn into a huge hassle that doesn't really increase your security that much

but if you would really have to choose one, pick the TAN generators

http://de.wikipedia.org/wiki/Transaktionsnummer

Section 1.4 and 1.5 .

Have you really understood how TAN generators work? It does not pose any risk at all if your generator gets stolen - they all are identical and encode information only depending on the data on the chip of your credit card, and the individual data encoded and transferred via the flickering fields on your screen. No need to hide the generator, without your credit card it cannot do any harm.

http://www.youtube.com/watch?v=GOQeZGe83YM

I'm only asking because I'm pissed of needing to use my cellphone for banking. I hate those things and mostly have it hidden deep inside a locker. I do not wish to find it, activate it, waiting for connection, doing the transaction, then wait again for an SMS, not to mention that I need a loaded battery and a charged prepayed card. I only want to know if I compromise security or risk anything vital if using a generator instead. Which method has the higher risk/likelihood of turning me into a victim of online crime? Rates of online crime are exploding. Possible that Europeans in general are more sensitised to that than Americans. Wouldn't be the only thing. :)

Change banks....how hard is that?

For what it is worth Sky, I don't trust online banking myself. Unfortunately, it is the future, and wiring it in to your cell or smartphone is already on the way to being the next big thing.

Thats why I said pick the TAN generators
Cell phone viruses are quite nasty
I was hit with a "Bluetooth spy"
allowing other people to steal text messages etc
the problem is that cellphones are not that safe(especially with people banking and making purchases on their phones)

A good TAN generator is almost uncrackable
but i have seen really bad cheap ones that are really bad
my dad had some really unpleasant experiences from his TAN generator from the China Merchants bank

Almost every bank does this now

Thanks. After some searching I've even found that stuff on my bank's website. Shouldn't they have included a link there when they asked me what new system I would like to use?:-?

Maybe they will do that when the old scheme is running out with them, too. I am with Postbank, and had gotten a minor note on mTAN some longer time ago, and today I had a seperate sheet of paper in my printouts saying in all clearness that I need to decide on any of the two new methods, since the old is running out at any time during first half 2011, with last mail-list being to order until later this month.

All banks offering online banking seem to abandon the old iTAN system now. It seems all leave oyu the choice between mTAN and TANgenerator (sometimes called "flickering").

How to crack a TAN generator? And why? It does not matter with which devioce, yours or mine, I use my credit card to generate the reply code. The card is the decisive item, not the generator. And the generator is not connected to the PC or the internet - it is completely isolated, getting it'S input from the card's chip and the optical sensor scanning the five flickering squares on the screen, producing an output that is shown on its display and must be entered into the PC manually via the keyboard. This is none of the regular card-reader devices that get connected to the PC via wire. It stays seperate like that cup of tea on my table. ;) There is no sense in wanting to crack these devices. You get no benefit from that alone. You can buy it legally and freely. They are not equipped with anything that makes them encoded in themselves, or "individual" units.

Check the video on this site, a bit down there. The video is almost self-explaining, no matter the language.

On cellphones, I use a simple this one. Prepayed card 15 Euros, last 2 years and becomes invalid with most money not used. Not much nonsense on it, just an emergency sender and receiver. No blue tooth. No virusses. No problems with costs exploding when it gets stolen. Plus it looks elegant, is robust, has long standby and talking time. Life is simplier without smart phones! ;)

Simple cheap cellphone, that i agree with you:yep:


The only thing that i have against TAN generators is that it is not actually better than a TAN list
Because it preforms the same function, and that it doesn't do it that much better

by the way, the old tan generators were simply a flashdrive with a list of TANs on it and a small software to automatically pick TANs for you. those were worse than a TAN list

Another reason not to have a cell phone, smart or otherwise.

I went down the chipTAN road and ordered one device. I agree, the paper-list with iTAN codes would have worked well enough if people just don't let them getting stolen. But if they abvandon the procedure now, then there is little you can do, except quitting online banking.

I maybe would have stopped it if I needed to depend on a cellphone for it. I don't like more and more things being delegated to cellphones, and paying with cellphones via bluetooth is one of the things I hate most. It'S even more a dematerialisation of people'S sense for money, than plastic-cards are. Not to mention security concerns.

Regarding the issue of security I would prefer the TANgenerator, they key is strong enough. When you have encrypted data sent over a secure line it's the best choice. However secure line is the key word. Whenever data is transported there is always the püossibility of man-in-the-middle attacks.

One advantade of the phone mTAN system is that you use two different lines to transport the data, but you have to keep in mind that the data sent to you is also sent over the net first, before it is transported via GSM.
GSM has no strong encryption for a variety of reasons, so there's one vunerability. The vunerability of your cell OS against bad code is another issue, so it is more secure to use an older one with a proprietary, enclosed operating system.In terms of usability however I would prefer the mTan system, as it is more likely that you carry your cell when you travel as that you pack your generator every time you load your suitcase.

I had a collegue who worked in a bank that issued the fist generators back in 2004/5. He enlighted me a bit about the security and cryptology system they used. It was a really big advantage over the standard tan system that was used at that time. Of course it wasn't just a list with tans on it - like tyrant thinks. You can conclude that the encryption standards are even better today.

The banks of course provide no big data regarding fraud, but at least at the moment, they are very customer friendly in terms of compensation.

This souldn't read like I praise the banks - the opposite is quite true: I hate'em, but I must admit they are quite aware nowadays regarding security issues - due to a viral self-interest of course.