11-16-10, 04:47 PM   #6
the_tyrant

Quote:
Originally Posted by Skybird
iTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, then becomes invalid
- you reply with a 6-digit answering code from a list you have been sent via post/paper mail, usually a list with 100 pairs of request-answer-codes

This is the method being withdrawn now.

mTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, then becomes invalid
- the answering code you need to enter online is sent to you via SMS/cellphone, is active for only some minutes, and then becomes invalid. No printed, post-delivered paper-list.

chipTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- online you get shown five flickering fields with an encoded blinking sequence. You then take your chipped credit card, put it into a small hand-reader, and hold the optical sensor to the flickering signal fields. The device decodes the information based on the transaction data, shows the receiver's banking number and the money transferred, calculates a reply code for which transaction data and information on the card chip are being used, and displays that code. You then enter the code online.

Man-in-the-middle attacks and trojans as well as phishing should not work with the latter two, the banks say. But banks always only say the best things about their ways and things. I live by the motto: my bank and my insurance company are amongst my worst enemies. It has been shown last year already that man-in-the-middle attacks are still possible, Google-research revealed.

None of these methods is fail-safe, but I wonder which gives me the best chances? And I wonder why the paper-list for iTAN is considered too unsafe now. Since every code gets used for one transaction only, and assuming the printed list has not been stolen by someone, I would assume it to be "safe". I also wonder whether it all maybe has not so much to do with safety, but with making it harder for customers to gain and keep black-on-white evidence for failures during transaction procedures so that the bank needs to claim responsibility and has to compensate - a comment I found posted quite often when researching the issue via Google (German sites).

I certainly will not trust in what the bank or the manufacturer of the TAN generators say. If I would believe the advertisement, then we all would live in a perfect world, under a golden sky.

TAN-generators look a bit like pocket-calculators the size of a credit card, they cost around 12-15 Euros.

Anyways, all these tricks only work on casual low-level attempts to steal your password

And you know what's going to happen?
You would probably leave the generator on your desk anyways (probably next to the piece of paper you write your password on)
And these devices turn into a huge hassle that doesn't really increase your security that much

but if you would really have to choose one, pick the TAN generators
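
Added example, not part of either post: a simplified model of the difference between a code looked up in a list by index (iTAN as described in the quote) and a code computed from the transaction data (as the quoted chipTAN description states). The HMAC-SHA256 construction, the key, the challenge, the account labels and all function names are assumptions for illustration; the real chipTAN algorithm is not reproduced here.

```python
import hashlib
import hmac
import random

# Constructed sample data (not real bank values).
_rng = random.Random(2010)
ITAN_LIST = {i: f"{_rng.randrange(10**6):06d}" for i in range(1, 101)}  # paper list
CARD_KEY = bytes(range(32))          # stands in for the secret on the card chip
CHALLENGE = b"constructed-nonce"     # stands in for the per-transaction challenge


def itan_check(index: int, answer: str) -> bool:
    """List model: the bank checks only the answer for the index it asked for.
    The code does not depend on recipient or amount."""
    return hmac.compare_digest(ITAN_LIST[index], answer)


def bound_tan(recipient: str, amount_cents: int) -> str:
    """Transaction-bound model: 6-digit code derived from the transaction data.
    HMAC-SHA256 is an assumption here, not the real chipTAN algorithm."""
    msg = b"|".join([recipient.encode(), str(amount_cents).encode(), CHALLENGE])
    digest = hmac.new(CARD_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def bound_check(recipient: str, amount_cents: int, answer: str) -> bool:
    """Bank side: recompute the code over the transaction it actually holds."""
    return hmac.compare_digest(bound_tan(recipient, amount_cents), answer)


def compare_schemes() -> dict:
    intended = ("ACCOUNT-A", 5_000)      # what the customer entered
    received = ("ACCOUNT-B", 950_000)    # what the bank holds after tampering in transit
    # List code: the customer reads answer 17 off the paper list; it validates
    # no matter which transaction the bank is holding.
    list_ok = itan_check(17, ITAN_LIST[17])
    # Bound code: the customer's device computes over the data it displays.
    code = bound_tan(*intended)
    return {
        "list_code_accepted_for_altered_transfer": list_ok,
        "bound_code_accepted_for_altered_transfer": bound_check(*received, code),
        "bound_code_accepted_for_intended_transfer": bound_check(*intended, code),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

In this model the bound code only protects the customer if the device displays the recipient and amount it computed over and the customer reads them before typing the code.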