Tuesday, 11 August 2020 13:32

Online Banking TAN Security


This research was started to understand the differences between the various TAN technologies used for online banking security.

The classic TAN system started as a list of 50 numbers provided to the client. When the system asked for a TAN, the next one was selected sequentially from the list, and each could only be used once. These could be used for any transaction, but were prone to phishing attacks where the user was tricked into providing the password/PIN and several TANs.

Indexed TANs presented a CAPTCHA which, in the background, shows the transaction data together with data thought to be unknown to a potential hacker, including the user's birthday. This was intended to make it hard, but not impossible, for the CAPTCHA to be forged. This variant is used by some German banks to stop man-in-the-middle attacks. However, a recent study shows that these CAPTCHA-based TAN schemes, including the iTANplus method, are not secure against more advanced automated attacks.

Mobile TAN or mTAN is a system where the TAN is generated by the bank when a user creates a transaction and is normally sent to the user via SMS. The message includes the transaction data so the user can verify that the transaction has reached the bank without being altered. This relies heavily upon the security of the mobile phone system, and SIM swap fraud has been used against it, where an impersonator of the victim manages to obtain a replacement SIM card from the mobile network operator. The user credentials are then retrieved by other means: phishing, keylogging or malware. Also, within Signalling System No. 7 (SS7), which is part of the mobile phone network, a weakness was found (2014) that allows the interception of a message, and it has been used to fraudulently redirect fund transfers. Finally, with the popular use of smartphones, malware attacks have been used to try to infect both the PC and the mobile in order to break the mTAN scheme (Germany 2017).

A ChipTAN is generated from a specific bank card and the current transaction details. As it is valid only for the transaction confirmed online, any modification of the transaction details causes the TAN to become invalid. Also, as it uses independent hardware, it is not open to attack via the user's computer, and because the generator is generic it can be used for multiple bank cards from different banks. Losing the generator is not a security risk, as it contains no critical data. So the main vulnerability of this system is social engineering, where the person is persuaded to authorise a transfer for an invalid reason. This works as two-factor authentication, using a separate key/token to generate a short-lifetime PIN; it is equivalent to an SMS TAN but much more secure, as SMS is vulnerable to porting scams. So this was a secure system, but for some people the use of a second device when creating their transactions was inconvenient.
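As an added illustration (not from the article and not any bank's actual ChipTAN algorithm), the toy model below contrasts the classic list TAN, which authorises any transaction, with a TAN bound to the transaction details by an HMAC keyed with a per-card secret: once the recipient or amount is altered after the TAN was issued, the bank's recomputation no longer matches. The card secret, IBANs, amounts and the per-card counter are constructed sample values, and the counter is an assumption of this model for replay protection.

```python
"""Toy model of a transaction-bound TAN versus a classic list TAN.
Illustrative only: this is not the real ChipTAN/HHD algorithm."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample secret; in a real scheme it never leaves the card's chip.
CARD_SECRET = b"example-card-secret-not-real"


@dataclass(frozen=True)
class Transfer:
    recipient_iban: str
    amount_cents: int
    counter: int  # assumed per-card transaction counter, blocks replay


def canonical(tx: Transfer) -> bytes:
    # Fixed field order so card and bank hash exactly the same bytes.
    return f"{tx.recipient_iban}|{tx.amount_cents}|{tx.counter}".encode()


def generate_tan(secret: bytes, tx: Transfer, digits: int = 6) -> str:
    """Card side: derive a short decimal TAN bound to these exact details."""
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226) down to `digits` decimal digits.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def verify_tan(secret: bytes, tx: Transfer, tan: str) -> bool:
    """Bank side: recompute from the details it actually received."""
    return hmac.compare_digest(generate_tan(secret, tx), tan)


def classic_list_verify(tan_list: set, tan: str) -> bool:
    """Classic list TAN: valid for any transaction, consumed on first use."""
    if tan in tan_list:
        tan_list.discard(tan)
        return True
    return False


def demo() -> dict:
    intended = Transfer("DE00EXAMPLE0000000001", 10_000, counter=7)   # constructed
    tampered = Transfer("DE00EXAMPLE0000000002", 990_000, counter=7)  # altered in transit
    tan = generate_tan(CARD_SECRET, intended)
    tan_list = {"482913", "105577"}  # constructed; a phished list TAN still passes
    return {
        "bound_ok": verify_tan(CARD_SECRET, intended, tan),
        "bound_tampered": verify_tan(CARD_SECRET, tampered, tan),
        "list_tampered": classic_list_verify(tan_list, "482913"),
    }
```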

The latest version is the pushTAN created by the Sparkasse banking group, which eliminates the SMS cost and stops SIM card fraud. It is an app-based TAN system which uses a special messaging application that sends data via an encrypted internet connection, and it should not work if the mobile device is rooted or jailbroken. The system usually requires two apps: the first is for entering the transfer details. Once the data has been transferred to the bank, a TAN is generated and sent to the second app on the mobile device. After entering the received TAN into the first app, the transaction is complete. So everything is done via a single mobile device, which is supposed to be more secure than previous systems. However, researchers at FAU's Chair of Computer Science 1 (IT Infrastructures) highlight a step backwards in security with this approach: creating a more convenient approach means that the ChipTAN has a higher standard of security than the pushTAN approach. The researchers hacked a new app-based system used by a large German financial services network, proving the lower security standard. The attack manipulated transactions being confirmed with the app, allowing the amount and recipient of the transaction to be altered without the user realising. It did require a high level of technical expertise and a few weeks of analysis. It also required execution of malicious code on the victim's mobile device for the hack to work, whereas the existing TAN systems protect against this. They believe this is not a programming issue but a weakness of the design, as it cannot protect against banking trojans, which once running have higher rights than the app itself and therefore defeat the security mechanisms.

It seems then that the security levels of smsTAN and pushTAN are almost the same; however, if the transaction app and the authentication app of the pushTAN are run on the same network connection, additional security layers would need to be implemented. pushTAN requires two competing OS platforms, iOS and Android, and is therefore subject to the same general risks (phishing, keylogging or malware), just as smsTAN is dependent on the mobile platform providers. Another difference is that security updates for the smsTAN are implemented directly by the bank's service provider processing the smsTAN, whereas the pushTAN requires interaction from the user, who must actively download and install the updates. Costs and cluster risk (limited providers servicing a large number of people) could be impacted by increased dependencies if the banks / payment service providers go in-house and in turn limit business opportunities for independent third-party providers.

The fact that both smsTAN and pushTAN allow online banking and TAN processing all on one device makes them very convenient but not very secure. A better level of security could be achieved by using the mobile device only for TAN processing, while transaction processing is dealt with on a completely separate device. The most secure TAN processing is therefore still the ChipTAN, as the TANs are generated on a completely separate and independent device. It seems that if you are serious about security then the ChipTAN is the best approach. Here in Austria it seems that by next year the smsTAN is being withdrawn in favour of the pushTAN. When convenience overrides your security requirements, then smsTAN would be the more favourable option. When using a pushTAN approach, though, you will need to make sure the latest version is always installed. If the pushTAN apps run on one device only, then an extra layer of security should be installed; better still, use the mobile device only for TAN processing and a completely separate device for transaction processing. Furthermore, the pushTAN approach introduces another passcode and PIN requirement for users, so there is a risk that users could reuse PINs from other services or even the debit card. This makes the use of a secure password/PIN application for recording an individual password/PIN per application more of a necessity, which may reduce the convenience.

Research in Austria in June 2019 showed that 69% of people preferred the smsTAN, and that 60% (compared to 18%) considered smsTAN safer than the pushTAN approach.

Last modified on Thursday, 29 October 2020 11:01
