Security of online banking - TAN procedures

Skybird · 11-16-10, 04:39 PM

iTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, than becomes invalid
- you reply with a 6-digit answering code from a list you have been send via post/paper mail, usually a list with 100 pairs of request-answer-codes

This is the method being withdrawn now.

mTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, than becomes invalid
- the answering code you need to enter online is send to you via SMS/cellphone, is actiove for only some min utes, and then becomes invalid. No printed, post-delivered paper-list.

chipTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- online you get shown five flickering fields with an encoded blinking sequence. You then take your chipped credit card, put it into a small hand-reader, and hold the optical sensor to the flickering signal fields. The device decodes the information basing on the transaction data, shows the receiver's banking number and the money transferred, calcuates a reply code for which transaction data and information on the card chip are being used, and displays that code. You then enter the code online.

Man-in-the-middle attacks and trojans as well as phisihing shoiuld not work with the latter two, the banks say. But banks always only say the best things about their ways and things. I live by the motto: my bank and my insurance company are amongst my worst enemies. It has been shown last year already that man-in-the-middle attacks are still possible, Google-research revealed .

None of these methods is fail-safe, but I wonder whichz gives me the best chances? And I wonder why the paper-list for iTAN is considered to unsafe now. Since every code gets used for one transaction only, and assuming the printed list has not been stolen by someone, I would assume it to be "safe". I also wonder whether it all maybe has not so much to do with safety, but with making it for customers harder to gain and keep black-on-white evidence for failures during transaction procedures so that the bank needs to claim responsibility and have to compensate - a comment I found posted quite often when researchiung the issue via Google (German sites).

I certainly will not trust in what the bank or the manufacturert of the TAN generators say. If I would believe the advertisement, then we all would live in a perfect world, under a golden sky.

TAN-generators look a bit like pocket-calculators the size of a credit card, they cost around 12-15 Euros.

Tyrant,

I think you mistake the PIN with TAN, because you talk of identification of yourself in principle, not of authorisation for an individual, single transaction. the TAN is a code individualised for the single transaction, it chnages with every transaction, and the new methods use not never-changing identity features but ever-changing transaction-characteristics for generating a valid reply code. If your biometric data gets stolen, you are screwed, becasue they are what they are. The new sort of TANs are individually generated for just the single transaction.

In the end biometric data are sets of data which could be stolen and used like any PIN.

I think what we talk opf, is data transaction safety via internet, and the legitimation of data at both ends of the transmission line.

11-16-10, 04:39 PM	#5
Skybird Soaring Join Date: Sep 2001 Location: the mental asylum named Germany Posts: 42,696 Downloads: 10 Uploads: 0	iTAN: - uses PIN to enter your bank account where you prepare and send a transaction - you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, than becomes invalid - you reply with a 6-digit answering code from a list you have been send via post/paper mail, usually a list with 100 pairs of request-answer-codes This is the method being withdrawn now. mTAN: - uses PIN to enter your bank account where you prepare and send a transaction - you get asked online via a code for a corresponding individual code-number that is valid for only one transaction, than becomes invalid - the answering code you need to enter online is send to you via SMS/cellphone, is actiove for only some min utes, and then becomes invalid. No printed, post-delivered paper-list. chipTAN: - uses PIN to enter your bank account where you prepare and send a transaction - online you get shown five flickering fields with an encoded blinking sequence. You then take your chipped credit card, put it into a small hand-reader, and hold the optical sensor to the flickering signal fields. The device decodes the information basing on the transaction data, shows the receiver's banking number and the money transferred, calcuates a reply code for which transaction data and information on the card chip are being used, and displays that code. You then enter the code online. Man-in-the-middle attacks and trojans as well as phisihing shoiuld not work with the latter two, the banks say. But banks always only say the best things about their ways and things. I live by the motto: my bank and my insurance company are amongst my worst enemies. It has been shown last year already that man-in-the-middle attacks are still possible, Google-research revealed . None of these methods is fail-safe, but I wonder whichz gives me the best chances? And I wonder why the paper-list for iTAN is considered to unsafe now. Since every code gets used for one transaction only, and assuming the printed list has not been stolen by someone, I would assume it to be "safe". I also wonder whether it all maybe has not so much to do with safety, but with making it for customers harder to gain and keep black-on-white evidence for failures during transaction procedures so that the bank needs to claim responsibility and have to compensate - a comment I found posted quite often when researchiung the issue via Google (German sites). I certainly will not trust in what the bank or the manufacturert of the TAN generators say. If I would believe the advertisement, then we all would live in a perfect world, under a golden sky. TAN-generators look a bit like pocket-calculators the size of a credit card, they cost around 12-15 Euros. Tyrant, I think you mistake the PIN with TAN, because you talk of identification of yourself in principle, not of authorisation for an individual, single transaction. the TAN is a code individualised for the single transaction, it chnages with every transaction, and the new methods use not never-changing identity features but ever-changing transaction-characteristics for generating a valid reply code. If your biometric data gets stolen, you are screwed, becasue they are what they are. The new sort of TANs are individually generated for just the single transaction. In the end biometric data are sets of data which could be stolen and used like any PIN. I think what we talk opf, is data transaction safety via internet, and the legitimation of data at both ends of the transmission line. __________________ If you feel nuts, consult an expert. Last edited by Skybird; 11-16-10 at 04:50 PM.