How secure are different Online Banking payment authorization methods?

I have worked in tech support for a big German bank before I started my work as a full time blogger. Back then, the bank only supported two payment authorization methods: transaction numbers on paper or HBCI.

Today with the rise of smartphones and applications, you get additional options in this regard.

I'd like to provide you with an overview of popular Internet banking payment authorization methods. Instead of just describing each method, I will also look at setup and security, as they are the two most important aspects when it comes to payment authorization.

Please note that systems may differ from country to country. While some are fairly common, it is possible that I miss some that are not used in the country that I'm living in (Germany).

If that is the case, let me know about it in the comment section below and I will investigate and add it to the list to make it as complete as possible.


TAN (Transaction Authentication Number) list

This is one of the first systems that came on the market. When you make an online transaction, you are asked to enter any TAN from a paper list that the bank sent to you.

The TAN list usually contains 100 numbers that you can use to authorize payments. It is very convenient to use, apart from the list running out, but it is not that secure: a TAN is a static secret that is not tied to any particular transaction, so whoever holds a valid unused TAN can authorize whatever they like.

If an attacker gets hold of the list, transactions can be made using that list provided that the username and password of the Internet banking account are known as well.

  • Convenience: 4 out of 5
  • Security: 1 out of 5

Indexed TAN list

The main difference between a regular TAN list and an indexed TAN list is that in the latter every TAN carries an index number. Instead of entering any TAN from the list for verification, you are asked to enter a specific one, e.g. number 44.

This stops the simplest phishing attacks, because a TAN harvested from a fake login page is useless unless the bank happens to ask for exactly that index. Just like regular TANs, however, iTANs are susceptible to man-in-the-middle attacks: an attacker sitting between the customer and the bank simply relays the bank's request for TAN 44 and then uses the answer for a different transaction, since the TAN itself says nothing about amount or recipient.

  • Convenience: 4 out of 5
  • Security: 1 out of 5

Indexed TAN with Captcha

To address the man-in-the-middle issue, indexed TANs with a confirmation code were created. They were widely used in Germany. A code is printed next to each TAN on the list which is called BEN (Bestätigungsnummer or confirmation number).

When you make a transaction, you confirm it with the requested TAN, and the bank then returns the matching BEN, which needs to be identical to the one printed next to that TAN on your list.

The idea is that attackers do not have the list, so a phishing page cannot show the right BEN on the confirmation page, and the customer notices that the transaction did not go to the real bank. Note that this only detects a fake bank site after the fact; a man in the middle who relays the real bank's BEN to the customer while changing the transaction details is not stopped by it.

  • Convenience: 4 out of 5
  • Security: 2 out of 5

Mobile TAN

This method moves away from TAN lists and sends a transaction number to the customer's mobile phone by SMS when requested. The SMS often includes transaction details such as the amount and the recipient's account in addition, so that the customer can check them before typing the TAN.

The TAN is generated by the bank when a user initiates a transaction, and then sent to the user's phone.

The mTAN method offers several advantages over paper-based TAN systems. There is no list anymore that can fall into the hands of criminals, and each TAN is generated for one specific transaction. While your phone may be stolen, you have better options to secure it, for instance by locking it and encrypting its storage so that a thief cannot read stored messages.

The method may be more secure than paper-based TANs, but it is still susceptible to attacks. Encryption only protects data at rest on a lost phone; it does not help against malware on the phone that forwards incoming SMS to the attacker in real time, nor against attacks on the mobile network or a SIM swap. The second channel also disappears entirely if the same phone is used both for banking and for receiving the TAN.

  • Convenience: 4 out of 5
  • Security: 2 out of 5 (4 out of 5 with encryption)

TAN Generators

A simple TAN generator is a small handheld device that produces a new TAN each time it is used. In convenience it is comparable to the standard TAN list, with the advantage that the list never runs out.

Unfortunately, the older generators without a transaction display are about as secure, or insecure, as those lists. The TANs are not bound to a transaction and any of them can be used to confirm any payment.

This means that the method is susceptible to man-in-the-middle attacks, keyloggers and other forms of attacks that capture the TAN before the bank receives it.

  • Convenience: 4 out of 5
  • Security: 1 out of 5

photoTAN


The photoTAN method requires an app or a standalone reader. The bank encodes the transaction details in encrypted form in a colored matrix code that is displayed on the computer screen; the app or reader captures it with its camera, decrypts it, shows the amount and recipient on its own display, and only then generates a TAN that is bound to exactly those details.

The system is protected against man-in-the-middle attacks because the customer verifies the transaction on a separate device and the TAN is useless for any other transaction. As with mobile TAN, the separation is lost if the app runs on the same phone that is used for banking.

  • Convenience: 3 out of 5
  • Security: 4  out of 5

chipTan

This system uses a handheld reader in conjunction with the chip on the user's bank card. When a transaction is made, the reader and card together generate the TAN used for verification.

With current readers this works in the following way: the customer enters the transaction online as usual and then holds the reader against a flickering code on the computer screen, which transfers the transaction details to the device so that they are shown on its display. Older readers require the details to be typed in manually.

The customer checks the details and confirms them on the reader, which results in a TAN being generated by the card. The TAN is cryptographically linked to this transaction, which means that attackers who get hold of it cannot use it to change the amount or recipient, or reuse it for a different transaction.
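The difference between an unbound TAN (paper list, simple generator) and a transaction-bound TAN (chipTAN, photoTAN) is easiest to see in code. The following is an added illustrative model, not part of the original article and not the real chipTAN or photoTAN algorithm: it binds the TAN with a truncated HMAC-SHA256 over a counter, the recipient IBAN and the amount under a per-card key, and everything in it (the card key, the counter window of 5, the example IBANs and amounts) is constructed for the demonstration. The man-in-the-middle in `mitm_demo` captures the customer's TAN and submits it with altered details; the list-TAN bank accepts it, the bound-TAN bank rejects it.

```python
"""Illustrative model of transaction-bound TANs versus unbound list TANs.
Added example; the key derivation, counter window and truncation are
assumptions, not the algorithm any bank actually uses."""
import hashlib
import hmac
import struct

# Constructed per-card secret shared between the card/reader and the bank.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_tan(card_key: bytes, counter: int, iban: str, amount_cents: int, digits: int = 6) -> str:
    """Bind the TAN to the details the reader displays: counter, recipient, amount.

    HOTP-style dynamic truncation (RFC 4226) of an HMAC-SHA256 tag."""
    msg = struct.pack(">Q", counter) + iban.encode("ascii") + struct.pack(">Q", amount_cents)
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class BoundTanBank:
    """Bank side for chipTAN-style TANs: recompute the TAN over the details
    it is actually asked to execute and accept only a small counter window."""

    def __init__(self, card_key: bytes, window: int = 5):
        self.card_key = card_key
        self.next_counter = 0
        self.window = window

    def verify(self, tan: str, iban: str, amount_cents: int) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(derive_tan(self.card_key, c, iban, amount_cents), tan):
                self.next_counter = c + 1  # consumed: the same TAN cannot be replayed
                return True
        return False


class ListTanBank:
    """Bank side for a paper list or simple generator: any unused TAN
    authorises any transaction, the details play no role."""

    def __init__(self, tans):
        self.unused = set(tans)

    def verify(self, tan: str, iban: str, amount_cents: int) -> bool:
        if tan in self.unused:
            self.unused.discard(tan)
            return True
        return False


def mitm_demo():
    """Returns (list TAN accepted for tampered transfer,
                bound TAN accepted for tampered transfer,
                bound TAN accepted for the intended transfer)."""
    intended = ("DE89370400440532013000", 5000)     # constructed: 50.00 EUR as shown on the reader
    tampered = ("DE02120300000000202051", 500000)   # constructed: 5,000.00 EUR to the attacker

    # Paper list: the customer types TAN 771204, the attacker forwards it with new details.
    list_bank = ListTanBank(["482913", "771204", "105583"])
    list_accepts_tampered = list_bank.verify("771204", *tampered)

    # Bound TAN: the reader computed the TAN over what the customer confirmed.
    bound_bank = BoundTanBank(CARD_KEY)
    customer_tan = derive_tan(CARD_KEY, bound_bank.next_counter, *intended)
    bound_accepts_tampered = bound_bank.verify(customer_tan, *tampered)
    bound_accepts_intended = bound_bank.verify(customer_tan, *intended)
    return list_accepts_tampered, bound_accepts_tampered, bound_accepts_intended


if __name__ == "__main__":
    print(mitm_demo())
```

The important design point is that the bank never trusts the TAN alone: it recomputes it over the amount and recipient it is about to execute, so a TAN produced for one set of details cannot be moved to another, and the counter makes a captured TAN single-use. Whether the customer actually checks the details on the reader's display is what the whole scheme rests on.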

  • Convenience: 3 out of 5
  • Security: 4  out of 5

FinTS (formerly known as HBCI)

FinTS is a German online banking standard used by banking software rather than the browser. It supports electronic signatures (with a chip card or an RSA key file) as well as PIN/TAN.

The signature variants with a chip card are as secure as it gets, since the key never leaves the card and every order is signed. With a key file the security depends on how well that file and its password are protected on the computer, and with PIN/TAN it is only as strong as the TAN method used. All of them require setup which may be too technical for some users.

  • Convenience: 2 out of 5
  • Security: 5  out of 5

Closing Words

If you are still using old TAN systems, like basic TANs, indexed TANs or indexed TANs with confirmation codes, then it is time to move away from them to a system that offers better security.

Mobile TAN is probably that system, as it is convenient and fairly secure at the same time, provided that you protect your phone by encrypting its data or at least locking it when it is not in use.

Are you using one of those systems, or another one? Let me know in the comments.



Responses to How secure are different Online Banking payment authorization methods?

  1. Paul(us) May 8, 2014 at 2:13 pm #

    The Dutch banks are using the Random Reader, which allows customers to log in to Internet banking. This method is expected to end in 2014 with a new solution called the bank Scanner. This will replace the Random Reader, which generates the bank code to log in and authorize transactions. This is done by scanning a color code on the screen of the computer or other device that is being used for Internet banking.

    "With the bank Scanner you create a log-in or signing code by putting your debit card in the bank Scanner and scanning, with the camera of the bank Scanner, the color code on the screen of the device you use for Internet Banking or Mobile Banking. The bank Scanner then shows the login code or signing code, and the screen of the bank Scanner describes what you sign when you enter a signing code", is how the bank describes it.

    • Paul(us) May 8, 2014 at 2:27 pm #

      I have also found this website about German online banking:
      http://www.kobil.com/kobil-security-made-in-germany.html

      Do I understand it correctly, then, that the German TAN method has five sensors on the back that you have to hold against the screen? And that there are no colors, but brightness changes at five points?

      • Martin Brinkmann May 8, 2014 at 2:44 pm #

        There is no single German TAN method. Most banks support a variety of systems, but most favor mobile TAN right now. You do get the newer photoTAN as well which uses color QR codes for verification.

  2. fokka May 8, 2014 at 3:29 pm #

    i use mobile TAN since it's convenient and seems quite secure as long as nobody steals my phone. you're right though about malware theoretically being able to sniff the TAN, but then the attacker would still need my bank login, right?

    it's a bit of a conundrum. on the one hand, i want to be as safe as possible, but on the other hand the safer practices are seldom as convenient as the "safe enough" techniques. i hate to say it, but in the end convenience wins.

    • Martin Brinkmann May 8, 2014 at 3:34 pm #

      Right, the attacker needs your account information. They may have them already however if you use your phone or tablet for online banking.

  3. Tom May 8, 2014 at 5:08 pm #

    I don't think that banks in Canada use these methods. I can pay by simply logging in with my card and a trusted computer and do whatever transfers I want (up to a point).

    • Martin Brinkmann May 8, 2014 at 5:40 pm #

      You don't verify transactions at all?

      • Blue May 8, 2014 at 8:29 pm #

        Nope we don't, ultimately our fine print agreement (depending on which bank we use) can include such things as, "the card holder is responsible for each and every transaction on the card", while other banks allow us to dispute transactions, some call us when we have suspicious activity, and some simply ignore us. The ones that call, only call when an odd pattern breaking transaction appears like if we suddenly get transactions as if we were in a different country, or used in a venue never used before ie: online payment, gas station instant transfers etc...

        Our newest cards don't even require a PIN code, simply swipe or wave the card across the reader and we're good to go. Yes, no security there, but those banks allow disputing transactions as their layer of protection. Some only allow a maximum amount when using that banking method ($20-$50).

    • berttie May 8, 2014 at 11:43 pm #

      It's much the same in Australia. Just log in with a card or customer number and a 6-16 character long pin and you're good to go. The smart phone apps are even simpler, once set up you only enter a 4 number pin.

      However, the banks will almost always refund your money in the event of fraud. But then the interest rate on credit cards is around 12-20%, so they can afford to be generous.

  4. Alastair Breingan May 9, 2014 at 12:30 am #

    Some of the European online banks here in Australia are using some sort of transaction security, and the major banks will issue you an RSA SecurID if you ask them to (mainly for business accounts).

    For example RaboDirect (an online savings bank) uses a Digipass 250 to provide two factor authentication on login and a transaction auth which is described at http://www.vasco.com/Images/Rabobank_ENG.pdf. At first glance this seems quite a comprehensive solution.
