Security of online banking - TAN procedures - Page 2

Skybird · 11-16-10, 08:04 PM

Quote:

Originally Posted by the_tyrant

Thats why I said pick the TAN generators
Cell phone viruses are quite nasty
I was hit with a "Bluetooth spy"
allowing other people to steal text messages etc
the problem is that cellphones are not that safe(especially with people banking and making purchases on their phones)

A good TAN generator is almost uncrackable
but i have seen really bad cheap ones that are really bad
my dad had some really unpleasant experiences from his TAN generator from the China Merchants bank

How to crack a TAN generator? And why? It does not matter with which devioce, yours or mine, I use my credit card to generate the reply code. The card is the decisive item, not the generator. And the generator is not connected to the PC or the internet - it is completely isolated, getting it'S input from the card's chip and the optical sensor scanning the five flickering squares on the screen, producing an output that is shown on its display and must be entered into the PC manually via the keyboard. This is none of the regular card-reader devices that get connected to the PC via wire. It stays seperate like that cup of tea on my table.

There is no sense in wanting to crack these devices. You get no benefit from that alone. You can buy it legally and freely. They are not equipped with anything that makes them encoded in themselves, or "individual" units.

Check the video on this site, a bit down there. The video is almost self-explaining, no matter the language.

On cellphones, I use a simple this one. Prepayed card 15 Euros, last 2 years and becomes invalid with most money not used. Not much nonsense on it, just an emergency sender and receiver. No blue tooth. No virusses. No problems with costs exploding when it gets stolen. Plus it looks elegant, is robust, has long standby and talking time. Life is simplier without smart phones!

the_tyrant · 11-16-10, 09:11 PM

Quote:

Originally Posted by Skybird

How to crack a TAN generator? And why? It does not matter with which devioce, yours or mine, I use my credit card to generate the reply code. The card is the decisive item, not the generator. And the generator is not connected to the PC or the internet - it is completely isolated, getting it'S input from the card's chip and the optical sensor scanning the five flickering squares on the screen, producing an output that is shown on its display and must be entered into the PC manually via the keyboard. This is none of the regular card-reader devices that get connected to the PC via wire. It stays seperate like that cup of tea on my table.

There is no sense in wanting to crack these devices. You get no benefit from that alone. You can buy it legally and freely. They are not equipped with anything that makes them encoded in themselves, or "individual" units.

Check the video on this site, a bit down there. The video is almost self-explaining, no matter the language.

On cellphones, I use a simple this one. Prepayed card 15 Euros, last 2 years and becomes invalid with most money not used. Not much nonsense on it, just an emergency sender and receiver. No blue tooth. No virusses. No problems with costs exploding when it gets stolen. Plus it looks elegant, is robust, has long standby and talking time. Life is simplier without smart phones!

Simple cheap cellphone, that i agree with you

The only thing that i have against TAN generators is that it is not actually better than a TAN list
Because it preforms the same function, and that it doesn't do it that much better

by the way, the old tan generators were simply a flashdrive with a list of TANs on it and a small software to automatically pick TANs for you. those were worse than a TAN list

August · 11-16-10, 10:32 PM

Quote:

Originally Posted by Takeda Shingen

For what it is worth Sky, I don't trust online banking myself. Unfortunately, it is the future, and wiring it in to your cell or smartphone is already on the way to being the next big thing.

Another reason not to have a cell phone, smart or otherwise.

Skybird · 11-17-10, 05:45 AM

I went down the chipTAN road and ordered one device. I agree, the paper-list with iTAN codes would have worked well enough if people just don't let them getting stolen. But if they abvandon the procedure now, then there is little you can do, except quitting online banking.

I maybe would have stopped it if I needed to depend on a cellphone for it. I don't like more and more things being delegated to cellphones, and paying with cellphones via bluetooth is one of the things I hate most. It'S even more a dematerialisation of people'S sense for money, than plastic-cards are. Not to mention security concerns.

Penguin · 11-17-10, 06:23 AM

Regarding the issue of security I would prefer the TANgenerator, they key is strong enough. When you have encrypted data sent over a secure line it's the best choice. However secure line is the key word. Whenever data is transported there is always the püossibility of man-in-the-middle attacks.

One advantade of the phone mTAN system is that you use two different lines to transport the data, but you have to keep in mind that the data sent to you is also sent over the net first, before it is transported via GSM.
GSM has no strong encryption for a variety of reasons, so there's one vunerability. The vunerability of your cell OS against bad code is another issue, so it is more secure to use an older one with a proprietary, enclosed operating system.In terms of usability however I would prefer the mTan system, as it is more likely that you carry your cell when you travel as that you pack your generator every time you load your suitcase.

I had a collegue who worked in a bank that issued the fist generators back in 2004/5. He enlighted me a bit about the security and cryptology system they used. It was a really big advantage over the standard tan system that was used at that time. Of course it wasn't just a list with tans on it - like tyrant thinks. You can conclude that the encryption standards are even better today.

The banks of course provide no big data regarding fraud, but at least at the moment, they are very customer friendly in terms of compensation.

This souldn't read like I praise the banks - the opposite is quite true: I hate'em, but I must admit they are quite aware nowadays regarding security issues - due to a viral self-interest of course.

11-17-10, 05:45 AM	#19
Skybird Soaring Join Date: Sep 2001 Location: the mental asylum named Germany Posts: 42,660 Downloads: 10 Uploads: 0	I went down the chipTAN road and ordered one device. I agree, the paper-list with iTAN codes would have worked well enough if people just don't let them getting stolen. But if they abvandon the procedure now, then there is little you can do, except quitting online banking. I maybe would have stopped it if I needed to depend on a cellphone for it. I don't like more and more things being delegated to cellphones, and paying with cellphones via bluetooth is one of the things I hate most. It'S even more a dematerialisation of people'S sense for money, than plastic-cards are. Not to mention security concerns. __________________ If you feel nuts, consult an expert.

11-17-10, 06:23 AM	#20
Penguin Ocean Warrior Join Date: Mar 2010 Location: Rheinische Republik Posts: 3,322 Downloads: 92 Uploads: 0	Regarding the issue of security I would prefer the TANgenerator, they key is strong enough. When you have encrypted data sent over a secure line it's the best choice. However secure line is the key word. Whenever data is transported there is always the püossibility of man-in-the-middle attacks. One advantade of the phone mTAN system is that you use two different lines to transport the data, but you have to keep in mind that the data sent to you is also sent over the net first, before it is transported via GSM. GSM has no strong encryption for a variety of reasons, so there's one vunerability. The vunerability of your cell OS against bad code is another issue, so it is more secure to use an older one with a proprietary, enclosed operating system.In terms of usability however I would prefer the mTan system, as it is more likely that you carry your cell when you travel as that you pack your generator every time you load your suitcase. I had a collegue who worked in a bank that issued the fist generators back in 2004/5. He enlighted me a bit about the security and cryptology system they used. It was a really big advantage over the standard tan system that was used at that time. Of course it wasn't just a list with tans on it - like tyrant thinks. You can conclude that the encryption standards are even better today. The banks of course provide no big data regarding fraud, but at least at the moment, they are very customer friendly in terms of compensation. This souldn't read like I praise the banks - the opposite is quite true: I hate'em, but I must admit they are quite aware nowadays regarding security issues - due to a viral self-interest of course.