Security of online banking - TAN procedures
 

My bank is ending the normal iTAN procedure (using paperlists with codes) soon, and demands customers to switch to either mobile TAN (mTAN) using a cellphone, or TAN generators (in Germany called "chipTAN comfort").

Which one is considered to be more safe, and/or "better"?

Plenty of opinions and material pro and contra are in the web, it is difficult to form an opinion without insider knowledge.

If you cannot get an adequate answer from your bank, exercise your individualism, remember you are the customer. Change banks.

Good question. I'm not sure what to choose myself, especially since my bank doesn't bother to give any information about the advantages /disadvantages of the system, let alone how they actually work.....:shifty:

So
mTAN is that you would get a text on your phone when you purchase
Not my cup of tea, since I barely keep my phone handy/charged

TAN generators are little better than Security Cards, and are quite worthless

There are 3 types of security commonly used:
1. What you know(password etc)
2. what you have (keys etc)
3. Who you are (fingerprints etc)

Both mTAN and TAN are "what you have" security
personally I prefer "Who you are" security

iTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, than becomes invalid
- you reply with a 6-digit answering code from a list you have been send via post/paper mail, usually a list with 100 pairs of request-answer-codes

This is the method being withdrawn now.

mTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, than becomes invalid
- the answering code you need to enter online is send to you via SMS/cellphone, is actiove for only some min utes, and then becomes invalid. No printed, post-delivered paper-list.

chipTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- online you get shown five flickering fields with an encoded blinking sequence. You then take your chipped credit card, put it into a small hand-reader, and hold the optical sensor to the flickering signal fields. The device decodes the information basing on the transaction data, shows the receiver's banking number and the money transferred, calcuates a reply code for which transaction data and information on the card chip are being used, and displays that code. You then enter the code online.

Man-in-the-middle attacks and trojans as well as phisihing shoiuld not work with the latter two, the banks say. But banks always only say the best things about their ways and things. I live by the motto: my bank and my insurance company are amongst my worst enemies. It has been shown last year already that man-in-the-middle attacks are still possible, Google-research revealed .

None of these methods is fail-safe, but I wonder whichz gives me the best chances? And I wonder why the paper-list for iTAN is considered to unsafe now. Since every code gets used for one transaction only, and assuming the printed list has not been stolen by someone, I would assume it to be "safe". I also wonder whether it all maybe has not so much to do with safety, but with making it for customers harder to gain and keep black-on-white evidence for failures during transaction procedures so that the bank needs to claim responsibility and have to compensate - a comment I found posted quite often when researchiung the issue via Google (German sites).

I certainly will not trust in what the bank or the manufacturert of the TAN generators say. If I would believe the advertisement, then we all would live in a perfect world, under a golden sky.

TAN-generators look a bit like pocket-calculators the size of a credit card, they cost around 12-15 Euros.



Tyrant,

I think you mistake the PIN with TAN, because you talk of identification of yourself in principle, not of authorisation for an individual, single transaction. the TAN is a code individualised for the single transaction, it chnages with every transaction, and the new methods use not never-changing identity features but ever-changing transaction-characteristics for generating a valid reply code. If your biometric data gets stolen, you are screwed, becasue they are what they are. The new sort of TANs are individually generated for just the single transaction.

In the end biometric data are sets of data which could be stolen and used like any PIN.

I think what we talk opf, is data transaction safety via internet, and the legitimation of data at both ends of the transmission line.

Anyways, All these tricks only work on casual low level attempts to steal your password

Any you know what going to happen?
You would probably leave the generator on your desk anyways(probably next to the piece of paper you write your password on)
And these devices turn into a huge hassle that doesn't really increase your security that much

but if you would really have to choose one, pick the TAN generators

http://de.wikipedia.org/wiki/Transaktionsnummer

Section 1.4 and 1.5 .

Have you really understood how TAN generators work? It does not pose any risk at all if your generator gets stolen - they all are identical and encode information only depending on the data on the chip of your credit card, and the individual data encoded and transferred via the flickering fields on your screen. No need to hide the generator, without your credit card it cannot do any harm.

http://www.youtube.com/watch?v=GOQeZGe83YM

I'm only asking because I'm pissed of needing to use my cellphone for banking. I hate those things and mostly have it hidden deep inside a locker. I do not wish to find it, activate it, waiting for connection, doing the transaction, then wait again for an SMS, not to mention that I need a loaded battery and a charged prepayed card. I only want to know if I compromise security or risk anything vital if using a generator instead. Which method has the higher risk/likelihood of turning me into a victim of online crime? Rates of online crime are exploding. Possible that Europeans in general are more sensitised to that than Americans. Wouldn't be the only thing. :)

Change banks....how hard is that?

For what it is worth Sky, I don't trust online banking myself. Unfortunately, it is the future, and wiring it in to your cell or smartphone is already on the way to being the next big thing.

Thats why I said pick the TAN generators
Cell phone viruses are quite nasty
I was hit with a "Bluetooth spy"
allowing other people to steal text messages etc
the problem is that cellphones are not that safe(especially with people banking and making purchases on their phones)

A good TAN generator is almost uncrackable
but i have seen really bad cheap ones that are really bad
my dad had some really unpleasant experiences from his TAN generator from the China Merchants bank

Almost every bank does this now

Thanks. After some searching I've even found that stuff on my bank's website. Shouldn't they have included a link there when they asked me what new system I would like to use?:-?

Maybe they will do that when the old scheme is running out with them, too. I am with Postbank, and had gotten a minor note on mTAN some longer time ago, and today I had a seperate sheet of paper in my printouts saying in all clearness that I need to decide on any of the two new methods, since the old is running out at any time during first half 2011, with last mail-list being to order until later this month.

All banks offering online banking seem to abandon the old iTAN system now. It seems all leave oyu the choice between mTAN and TANgenerator (sometimes called "flickering").