SUBSIM Radio Room Forums



SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997

Old 11-16-10, 02:13 PM   #1
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,630
Downloads: 10
Uploads: 0


Security of online banking - TAN procedures

My bank is ending the normal iTAN procedure (using paper lists with codes) soon, and demands that customers switch to either mobile TAN (mTAN) using a cellphone, or TAN generators (in Germany called "chipTAN comfort").

Which one is considered to be more safe, and/or "better"?

Plenty of opinions and material pro and contra are on the web; it is difficult to form an opinion without insider knowledge.
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Old 11-16-10, 02:25 PM   #2
The Third Man
Stowaway
 
Posts: n/a
Downloads:
Uploads:

If you cannot get an adequate answer from your bank, exercise your individualism, remember you are the customer. Change banks.
  Reply With Quote
Old 11-16-10, 02:26 PM   #3
Schroeder
Navy Seal
 
Join Date: Apr 2008
Location: Banana Republic of Germany
Posts: 6,170
Downloads: 62
Uploads: 0

Good question. I'm not sure what to choose myself, especially since my bank doesn't bother to give any information about the advantages/disadvantages of the systems, let alone how they actually work...
__________________
Putting Germ back into Germany.
Schroeder is offline   Reply With Quote
Old 11-16-10, 04:13 PM   #4
the_tyrant
Admiral
 
Join Date: Jun 2010
Location: Canada
Posts: 2,272
Downloads: 58
Uploads: 0

So, mTAN means you get a text on your phone when you make a purchase.
Not my cup of tea, since I barely keep my phone handy/charged.

TAN generators are little better than security cards, and are quite worthless.

There are 3 types of security commonly used:
1. What you know (password etc.)
2. What you have (keys etc.)
3. Who you are (fingerprints etc.)

Both mTAN and TAN are "what you have" security.
Personally I prefer "who you are" security.
the_tyrant is offline   Reply With Quote
Old 11-16-10, 04:39 PM   #5
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,630
Downloads: 10
Uploads: 0



iTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code number that is valid for only one transaction, then becomes invalid
- you reply with a 6-digit answering code from a list you have been sent via post/paper mail, usually a list with 100 pairs of request/answer codes

This is the method being withdrawn now.

mTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- you get asked online via a code for a corresponding individual code number that is valid for only one transaction, then becomes invalid
- the answering code you need to enter online is sent to you via SMS/cellphone, is active for only some minutes, and then becomes invalid. No printed, post-delivered paper list.

chipTAN:
- uses PIN to enter your bank account where you prepare and send a transaction
- online you are shown five flickering fields with an encoded blinking sequence. You then take your chipped credit card, put it into a small hand reader, and hold the optical sensor to the flickering signal fields. The device decodes the information based on the transaction data, shows the receiver's banking number and the money transferred, calculates a reply code for which the transaction data and information on the card chip are used, and displays that code. You then enter the code online.

Man-in-the-middle attacks and trojans as well as phishing should not work with the latter two, the banks say. But banks always only say the best things about their ways and things. I live by the motto: my bank and my insurance company are amongst my worst enemies. It has been shown last year already that man-in-the-middle attacks are still possible, as Google research revealed.

None of these methods is fail-safe, but I wonder which gives me the best chances? And I wonder why the paper list for iTAN is considered too unsafe now. Since every code gets used for one transaction only, and assuming the printed list has not been stolen by someone, I would assume it to be "safe". I also wonder whether it all maybe has not so much to do with safety, but with making it harder for customers to gain and keep black-on-white evidence for failures during transaction procedures, so that the bank needs to claim responsibility and has to compensate - a comment I found posted quite often when researching the issue via Google (German sites).

I certainly will not trust what the bank or the manufacturer of the TAN generators say. If I believed the advertisements, then we would all live in a perfect world, under a golden sky.

TAN-generators look a bit like pocket-calculators the size of a credit card, they cost around 12-15 Euros.



Tyrant,

I think you mistake the PIN for the TAN, because you talk of identification of yourself in principle, not of authorisation for an individual, single transaction. The TAN is a code individualised for the single transaction; it changes with every transaction, and the new methods use not never-changing identity features but ever-changing transaction characteristics for generating a valid reply code. If your biometric data gets stolen, you are screwed, because they are what they are. The new sort of TANs are individually generated for just the single transaction.

In the end biometric data are sets of data which could be stolen and used like any PIN.

I think what we talk of is data transaction safety via the internet, and the legitimation of data at both ends of the transmission line.
__________________
If you feel nuts, consult an expert.

Last edited by Skybird; 11-16-10 at 04:50 PM.
Skybird is offline   Reply With Quote
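The post above describes the practical difference between the schemes: an iTAN is looked up by index and has nothing to do with the transfer it authorises, while the chipTAN reader derives its reply code from the transaction data (recipient, amount) together with a secret held on the card chip. The following Python model, added here as an illustration and not taken from the thread, from any bank or from the generator's manufacturer, shows why that matters against a trojan that swaps the recipient after the customer has authorised the transfer. Everything in it is an assumption for demonstration purposes: the account strings and the card key are constructed, HMAC-SHA256 stands in for the cryptogram the real card chip computes, and the counter handling and 6-digit truncation are simplifications rather than the real chipTAN/Sm@rt-TAN data format.

```python
# Toy model of iTAN versus a transaction-bound (chipTAN-style) TAN.
# Added illustration only; not any bank's or manufacturer's code. The real card chip
# computes a cryptogram with a key that never leaves the chip; HMAC-SHA256 is a stand-in.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    recipient: str      # destination account, constructed IBAN-like string
    amount_cents: int   # amount in cents


# ---------- iTAN: printed list, the TAN is independent of the transfer ----------
class ITanList:
    """Paper list of 100 index -> 6-digit TAN pairs, as sent to the customer by post."""

    def __init__(self, size: int = 100) -> None:
        self.codes = {i: f"{secrets.randbelow(10**6):06d}" for i in range(1, size + 1)}
        self.used = set()


def itan_customer_answer(lst: ITanList, index: int) -> str:
    """What the customer types when the bank asks for TAN number `index`."""
    return lst.codes[index]


def itan_bank_verify(lst: ITanList, index: int, tan: str, transfer: Transfer) -> bool:
    """Bank-side check. `transfer` is never consulted: any transfer at all is
    authorised by a correct, unused (index, tan) pair. That is what a MitM exploits."""
    if index in lst.used or not hmac.compare_digest(lst.codes.get(index, ""), tan):
        return False
    lst.used.add(index)
    return True


# ---------- chipTAN-style: TAN = f(card secret, transaction data, counter) ----------
def chiptan_generate(card_key: bytes, transfer: Transfer, counter: int) -> str:
    """What the reader computes after decoding the flicker code: it shows recipient
    and amount on its own display and derives the TAN from exactly those values."""
    msg = f"{transfer.recipient}|{transfer.amount_cents}|{counter}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


class ChipTanBank:
    """Bank side: shares the card key and remembers the last counter it accepted
    (simplification: the counter is assumed to be sent along with the TAN)."""

    def __init__(self, card_key: bytes) -> None:
        self.card_key = card_key
        self.last_counter = 0

    def verify(self, transfer: Transfer, counter: int, tan: str) -> bool:
        if counter <= self.last_counter:            # replay of an already used TAN
            return False
        expected = chiptan_generate(self.card_key, transfer, counter)
        if not hmac.compare_digest(expected, tan):  # TAN was made for other data/key
            return False
        self.last_counter = counter
        return True


def mitm_demo() -> dict:
    """A trojan lets the customer authorise `intended` but submits `swapped`."""
    intended = Transfer("DE00 1234 5678", 5000)       # constructed
    swapped = Transfer("DE99 ATTACKER 0000", 5000)    # constructed

    # iTAN: bank asks for TAN #37, customer reads it off the paper list,
    # trojan forwards that TAN together with the swapped recipient.
    lst = ITanList()
    tan = itan_customer_answer(lst, 37)
    itan_mitm = itan_bank_verify(lst, 37, tan, swapped)

    # chipTAN-style: the reader displays `intended` and computes the TAN over it;
    # the bank recomputes over what it actually received.
    card_key = b"\x01" * 32                           # constructed; real key lives in the chip
    bank = ChipTanBank(card_key)
    tan = chiptan_generate(card_key, intended, counter=1)
    chiptan_mitm = bank.verify(swapped, 1, tan)       # recipient swapped -> rejected
    chiptan_honest = bank.verify(intended, 1, tan)    # what the display showed -> accepted
    chiptan_replay = bank.verify(intended, 1, tan)    # same TAN again -> rejected
    # A stolen generator without the card has no key; its output is rejected.
    chiptan_no_card = bank.verify(intended, 2, chiptan_generate(b"\x00" * 32, intended, 2))

    return {
        "itan_mitm_accepted": itan_mitm,
        "chiptan_mitm_accepted": chiptan_mitm,
        "chiptan_honest_accepted": chiptan_honest,
        "chiptan_replay_accepted": chiptan_replay,
        "chiptan_without_card_accepted": chiptan_no_card,
    }


if __name__ == "__main__":
    for name, accepted in mitm_demo().items():
        print(f"{name:32s} {accepted}")
```

The point the model makes is the one the reader's own display makes in practice: with chipTAN the customer must compare the recipient and amount shown on the device with what they intended, because that display is the only channel the trojan on the PC cannot alter. The model does not cover attacks that trick the customer into approving what the display shows, nor SIM-swap or malware on the phone in the mTAN case, which is not modelled at all.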
Old 11-16-10, 04:47 PM   #6
the_tyrant
Admiral
 
Join Date: Jun 2010
Location: Canada
Posts: 2,272
Downloads: 58
Uploads: 0

Quote:
Originally Posted by Skybird View Post
Anyway, all these tricks only work against casual, low-level attempts to steal your password.

And you know what's going to happen?
You would probably leave the generator on your desk anyway (probably next to the piece of paper you write your password on).
And these devices turn into a huge hassle that doesn't really increase your security that much.

But if you really have to choose one, pick the TAN generators.
the_tyrant is offline   Reply With Quote
Old 11-16-10, 05:02 PM   #7
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,630
Downloads: 10
Uploads: 0



Quote:
Originally Posted by the_tyrant View Post
Anyway, all these tricks only work against casual, low-level attempts to steal your password.

And you know what's going to happen?
You would probably leave the generator on your desk anyway (probably next to the piece of paper you write your password on).
And these devices turn into a huge hassle that doesn't really increase your security that much.

But if you really have to choose one, pick the TAN generators.
Have you really understood how TAN generators work? It does not pose any risk at all if your generator gets stolen: they are all identical and encode information depending only on the data on the chip of your credit card and the individual data encoded and transferred via the flickering fields on your screen. No need to hide the generator; without your credit card it cannot do any harm.

__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Old 11-16-10, 04:51 PM   #8
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,630
Downloads: 10
Uploads: 0



Quote:
Originally Posted by Schroeder View Post
Good question. I'm not sure what to choose myself, especially since my bank doesn't bother to give any information about the advantages /disadvantages of the system, let alone how they actually work.....
http://de.wikipedia.org/wiki/Transaktionsnummer

Sections 1.4 and 1.5.
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Old 11-16-10, 06:02 PM   #9
Schroeder
Navy Seal
 
Join Date: Apr 2008
Location: Banana Republic of Germany
Posts: 6,170
Downloads: 62
Uploads: 0

Quote:
Originally Posted by Skybird View Post
Thanks. After some searching I've even found that stuff on my bank's website. Shouldn't they have included a link there when they asked me what new system I would like to use?
__________________
Putting Germ back into Germany.
Schroeder is offline   Reply With Quote
Old 11-16-10, 07:53 PM   #10
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,630
Downloads: 10
Uploads: 0



Quote:
Originally Posted by Schroeder View Post
Thanks. After some searching I've even found that stuff on my bank's website. Shouldn't they have included a link there when they asked me what new system I would like to use?
Maybe they will do that when the old scheme is running out with them, too. I am with Postbank, and had gotten a minor note on mTAN some time ago, and today I had a separate sheet of paper in my printouts saying in all clarity that I need to decide on one of the two new methods, since the old one is running out at some time during the first half of 2011, with the last mailed list to be ordered by later this month.

All banks offering online banking seem to abandon the old iTAN system now. It seems all leave you the choice between mTAN and TAN generator (sometimes called "flickering").
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.
Copyright © 1995- 2025 Subsim®
"Subsim" is a registered trademark, all rights reserved.