I have worked in tech support for a big German bank before I started my work as a full time blogger. Back then, the bank only supported two payment authorization methods: transaction numbers on paper or HBCI.
Today with the rise of smartphones and applications, you get additional options in this regard.
I'd like to provide you with an overview of popular Internet Banking payment authorization methods. Instead of just describing each method, I will also look at set up and security, as they are the two most important aspects when it comes to payment authorization.
Please note that systems may differ from country to country. While some are fairly common, it is possible that I miss some that are not used in the country that I'm living in (Germany).
If that is the case, let me know about it in the comment section below and I will investigate and add it to the list to make it as complete as possible.
TAN (Transaction Authentication Number) list
This is one of the first systems that came on the market. When you make online transactions, you are asked to enter a TAN from a list that the bank sent to you.
The TAN list usually contains 100 numbers that you can use to authorize payments. While it is very convenient to use, with the exception that the list is limited, it is not that secure.
If an attacker gets hold of the list, transactions can be made using that list provided that the username and password of the Internet banking account are known as well.
Indexed TAN list
The main difference between a regular TAN list and an indexed TAN list is that in the latter numbers are associated to the TANs. Instead of entering any TAN on the list for verification, you are asked to enter a specific TAN, e.g. number 44, instead.
Just like regular TANs, iTans are susceptible to man-in-the-middle attacks and not secure because of it.
Indexed TAN with Captcha
To address the man-in-the-middle issue, Indexed TANs with captchas were created. They are used widely in Germany. A code is associated with each TAN on the list which is called BEN (Bestätigungsnummber or Confirmation Number).
When you make a transaction, you confirm it with the TAN, but do get the captcha returned from the bank which needs to be identical to the one displayed on your list.
The idea here is that attackers don't have access to the captcha so that they cannot return the right code to the customer on the verification page.
This method moves away from TAN lists and sends transaction numbers to the customer's mobile phone when requested. The SMS often displays transaction details such as the amount of the transaction in addition.
The TAN is generated by the bank when a user initiates a transaction, and then sent to the user's phone.
The mTAN method offers several advantages over paper-based TAN systems. There is no list anymore that can fall into the hands of criminals. While your phone may be stolen, you have better options to secure it, for instance by encrypting it fully so that attackers cannot use it at all.
The method may be more secure than paper-based TANs, but it is still susceptible to attacks. Malware for instance can be planted on phones to grab the information in realtime.
A TAN Generator is a small handheld device that will generate a TAN whenever it is used. It generates a single TAN whenever it is used and is comparable in convenience to the standard TAN list.
Unfortunately, it is also as secure, or not-secure, as those lists. TANs are not indexed and any can be used to confirm any payment made.
This means that it is susceptible to man-in-the-middle attacks, keyloggers and other forms of attacks.
The photoTAN method requires an app or standalone device. It works by capturing colorized QR codes using the application or device. The information are sent to the bank in encrypted form where they are processed.
The system is protected against man-in-the-middle attacks as a separate device is being used in the process.
A handheld device is being used by this system in conjunction with the user's bank card. When a transaction is made, it is used for verification.
This works in modern devices in the following way: The customer enters the transaction online as usual, and uses the device then to read information on the computer screen so that the transaction details are displayed on the device.
These details need to be confirmed then by the user which results in a TAN being generated. The TAN is linked to this transaction, which means that attackers who may get hold of it cannot use it to change it in any way or use it for a different transaction.
finTS (formerly known as HBCI)
The finTS system is a German online banking standard. It is using electronic signatures (chip card or custom made RSA key file), as well as Pin and TAN.
It is as secure as it can get, but requires set up which may be too technical for some users.
If you are still using old TAN systems, like basic TAN, indexed TANS or indexed TANs with captchas, then it is time to move away from those systems to a system that is offering better security.
Mobile TAN is probably that system, as it is convenient and fairly secure at the same time, provided that you protect your phone by encrypting its data or at least locking it when it is not in use.
Are you using one of those systems, or another one? Let me know in the comments.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.