iTAN, mTAN, chipTAN? An overview of all TAN procedures

First enter the username, then the PIN - and then a TAN at the end? For many online banking users, strict security precautions are a necessary evil they would like to do without. Since its introduction in 1976, the transaction number in particular has effectively helped protect people’s finances – provided of course that the account holder carries out the respective TAN procedures correctly and does not fall from cyber fraud schemes. Find out what procedures are out there, how secure they are, and what you can do to yourself to protect your hard-earned money from cyber criminals in this guide.

A TAN is a one-time password, usually consisting of six decimal digits. It is mainly used for bank transfers and changes to settings in online banking. TANs are one of the most frequently used two-factor authentication tools and they create an extra access layer in addition to the username and PIN: they should prevent criminals from gaining unauthorised control over foreign bank accounts. Even if they have already obtained your PIN using phishing or Trojans, transfers cannot be made without a TAN. This is guaranteed by the fact that each TAN is directly linked to sensitive data like the IBAN and transfer amount – in addition, a TAN is only valid for a single transaction and is only valid for a limited period of time (just a few minutes).

A TAN procedure is the method whereby a valid TAN is transmitted to its legitimate user and used for authentication purposes. There are several different methods – but the basic principle is very similar for all of them:

1. First, log into your bank’s internet portal through an online banking app or banking software, begin the transfer and then finalise and confirm.
2. The transfer information you entered will now be displayed again. Check them carefully to ensure that they are really your order and that they have not been manipulated in any way by third parties. Then confirm the transfer.
3. Now your bank will ask for a valid TAN. This is generated according to the procedure you have defined in advance. By entering the valid transaction number, you verify your transfer and it will be executed.

You may remember that in the past, personal TANs were only available in the form of a numbered list on paper that was sent to you by your bank. To legitimize transactions, all you had to do was enter a TAN from the list whilst online banking. When all the numbers were used up, a new one was ordered. The weaknesses of this kind of procedure are obvious: If the list were lost, all valid transaction numbers end up in the finders’ hand. For this reason, newer and safer procedures replaced the classic TAN list from 2005. Most of them use digital technologies. 

Individual processes differ in terms of requirements, user comfort and level of safety. Before deciding on a current account, it is therefore worth taking a critical look at the available TAN procedures on the market.

The “indexed TAN list” is the direct successor to the classic TAN list, and has long been the standard procedure in online banking for private customers. The most important innovation compared to their predecessor? The customer can no longer verify their transfer orders with any of the TAN selected from their list. Instead, the respective bank/financial institution specifies a very specific position number (called an index) that matches a transaction number on the lost and that cannot be foreseen in advance.

Although this small modification theoretically provides a higher level of security, it also has disadvantages. Since you never know in advance which TAN the bank will require, you always need to have the entire TAN list at hand for payment transactions. While in the classic version, you could write out individual TANs that were not directly recognizable as TANs (after all, they could theoretically also be telephone numbers), an iTAN list is practically always recognisable as such.

Cases where criminals have gotten a hold of these lists and used them for fraudulent activities also increased in this procedure. Therefore, the iTAN was not quickly considered to be one hundred percent secure. The iTANplus extension and the introduction of a confirmation number (BEN) only marginally increased security.

However, there are still some banks that continue to offer iTAN lists but just as “minimum protection”. Most providers will advise against relying on just iTANs and will refer you to more modern procedures. First and foremost, it is usually just existing customers that use this method because switching to other processes seems time-consuming or complicated. If you are still working with the analogue list, you should definitely choose another TAN procedures.

The concept of the mTAN procedure (also called smsTAN or mobileTAN procedure) is based on the use of a second device, which is usually used in addition to the laptop or computer that you are logging into for online banking. If you want to verify a transfer, the bank sends you a freshly generated TAN via SMS (mobile charges may apply) to the customers mobile phone or smartphone. The customer then enters the TAN in their online banking application. Although mTAN is not a widely used procedure in the USA, it is common practice in a number of countries, including: Austria, Czech Republic, Hungary, Bulgaria, Germany, the Netherlands, Russia, South Africa, Switzerland, Australia, New Zealand, Spain and the Ukraine.

Due to the widespread use of mobile phones, the mTAN procedure is considered the most popular TAN procedure in many European countries, where many banks offer it as standard. Since it is not necessary to store a paper list, mTAN is much more secure than the iTAN process due to its basic concept. Additionally, the customer can check his transfer data (especially target account number and transfer amount) again on a separate device in order to identify man-in-the-middle attacks (see point 5, “Which safety aspects need to be observed when handling TAN procedures?”).

Although it makes sense to run online banking and TAN reception through the same device, most banks prevent this with technical hurdles. If both were running a device, this would considerably reduce the security of transfer orders. Therefore, this kind of separation is also in the customer’s interest: If the user loses his smartphone, both authentication factors could fall into the hands of strangers without this separation. For this reason, you should always use a separate device for online banking.

When online banking and TAN devices are separated, the mTAN procedure offers a medium to high degree of security. However, his reputation has suffered somewhat recently: as mobile phones have evolved over time to multifunction devices with a constant internet connection, it has become easier for cyber criminals to obtain access data stored there using phishing and Trojans.

Although usually just a single mobile device (like a smartphone or tablet) is used in the pushTAN procedure, it still enables two-factor authentication. In this procedure, the mobile device uses two logically separate channels: on one channel, the customer access his bank’s web portal or banking app, and on the second channel a password-protected pushTAN app (available free of charge in the Apple Store or at Google Play) is installed, displaying the transfer data for verification and generates a valid TAN on request. These can then be entered in online banking, or, if the banking and pushTAN app are compatible, transferred directly to the transfer form. The advantage is obvious – with pushTAN you just need one device and you can also carry out your banking business on the move.

To run the chipTAN or smartTAN procedure, you will need additional hardware in the form of a chipTAN generator, or card reader. The small, wireless device is available either as a branded version from your bank as a dedicated product in specialist shops – inexpensive devices usually cost $12-17, and some banks will send their customers the devices free of charge. You can use them for several accounts and users without any problems. To activate the chipTAN generator, you need a chip card (usually your bank EC/Visa/Maestro card) granted by your bank. To generate a TAN, you then insert your chip card into the card reader. You can now issue a bank transfer through your online banking portal with a graphic code generated from the reader. It scans the chip in your card and outputs the TAN as a result. If the scan doesn’t work for some reason, you can also enter the transfer data manually.

Since the chipTAN generator is never connected to the internet, the procedure is considered to be very secure – after all, cybercriminals have no way of gaining access to the generator. This alone makes the procedure worthwhile, despite the possible purchase costs for the device and the additional handling effort. However, a potential risk is the loss of the chip card. If a criminal gets their hands on it, they can theoretically create an infinite number of transaction number with any chipTAN generator. So, if you lose your card, be sure to have it blocked immediately to prevent misuse. This is generally recommended anyway because criminals can use your bank card to pay for items online without needing to know your bank details.

The individual devices differ in design and functionality more than anything. Some are similar to a commercial calculator with a multi-line display, and some are the size of a USB stick without any displays. The longest possible battery life and Bluetooth capability (for transferring bank transfer data and TAN) are also useful.

The relatively new photoTAN procedure is basically similar to the chipTAN procedure described above, in that it uses special hardware, a photoTAN reader (price: $17-35). As an alternative, you can use a free photoTAN app using your smartphone’s internal camera. However, instead of a chip, the photoTAN process scans a colored mosaic graphic.

This procedure offers the same advantages as pushTAN and chipTAN, but also the same risks: first and foremost, losing the chip card or smartphone that has the photoTAN app installed. Since the procedure is still not widely used, experts consider a high fraud rate with the photoTAN procedure to be very unlikely, even if hacking is technically possible when using a smartphone instead of a reader. Regardless, the card reader is still the recommended verification method.

Strictly speaking, the standard HBCI (Home Banking Computer Interface), which was developed back in 1998, is not a TAN procedure at all. Instead, it’s a security mechanism for banking transactions on the internet. It was primarily designed for companies and users with several accounts at different financial institutions. Although the process was effectively renamed FinTS (Financial Transaction Services) after its further development in 2002, it is still known as HBCI.

Similar to chipTAN and photoTAN, this procedure requires a card reader (price is approx. $70) to be used with your chip card. In addition, users also need a PIN and special financial software. The latter can be obtained in specialist shops or directly from your bank for approx. $23-$117 (depending on the version and range of functions), or used for a monthly fee.

The process’s complex registration ensures a high level of security for HBCI:

1. First, start your financial software and login with your access data. During the first use, the program automatically generates two digital keys – a “signature key” for the chip card and an “encryption key” for the bank server – as an electronic signature for all transactions.
2. After you have done your transfer, connect the HBCI card reader to your computer, verify your PIN and insert your HBCI chip card into the device.
3. The signing key on the chip card now authorises the transfer, which is coded with the encryption key and sent to the bank server through a multi-secured line. As soon as they have checked the encryption key, the transfer is executed.

Due to the high acquisition costs and the complex process, HBCI is unattractive for most private users. However, it is undoubtedly the safest TAN procedure currently on the market. Since cyber criminals tend to focus on common operating systems and web browsers instead of developing attack methods for rarely used home banking programs in order to maximise efficiency, no cases of fraud are yet known.

All TAN procedures have their advantages and disadvantages. To find the right one for you, you should carefully weigh up the costs, usability and level of security. Be sure not to take unnecessary risks out of convenience.

TAN procedures guarantee the highest possible safety, but can never guarantee 100% security when it comes to online banking – even if some financial institutions claim this to be true. The sobering truth is: with the exception of HBCI, which is not actually a TAN procedure itself, every procedure has at some point been successfully hacked. Although procedural vulnerabilities have played an important role in every fraud case, a completely different weakness was usually the decisive factor: the customer. Isolated from the bank’s internal security infrastructure, often unfamiliar with IT issues and sometimes impulsive, they are the weakest link in the chain for many criminals.

This is also the reason why cyberattacks on bank accounts always target the owner first. For this reason, it’s up to the customer to deal with account security and develop an awareness for the secure handling of online banking and TAN procedures. In this context, it can be helpful to know and understand the typical course of an attack. Nowadays there is a great variety of possible attack scenarios, and each day criminals are coming up with new ways to obtain money that doesn’t belong to them. This means we can’t run through all possible cybercriminal tricks, but we will explain the most typical frauds they carry out. The following explanations are in reference to the TAN procedure.

In order to use the human factor to infiltrate an IT security system, experienced attackers don’t just use a selection of digital and technical tools, but above all a methodology: Social Engineering. They try to get their victim to behave incorrectly in a security-critical situation. For example, a hacker could impersonate an employee of an external IT support company who was asked to solve accounting and online banking software problems. In this context, they then try to ask the interlocutor for access or bank data.

The first step of a cyberattack is often being infiltrated by a Trojan. This is done, for example, by enticing the victim to click an infected link in an email. The more serious the email and email address appear, the more likely that this kind of phishing will work. Subject lines like “Reminder”, “Account blocked” or “Security check” are meant to stress the potential victim into opening the email.

1. No matter how a bank Trojan infiltrates a victim, once it has found your online banking device, it can spy and discover the corresponding access data. The hacker has overcome the first hurdle.
2. Now the attacker needs to foil the TAN procedure, and there are a number of options for doing this, including the following three:

• Stealing the mobile device is probably the most common method, but is also the most likely to be noticed immediately by the victim.
• Another strategy is to use the captured access data to transfer the device’s mobile number onto a second SIM card. The attacker then configures it so that all SMS’s (and therefore transaction numbers) are sent to their SIM card, whilst all other functions (like telephoning) remain on the victim’s device. This generally takes longer for a victim to notice.
• However, the man-in-the-middle attack is particularly cunning, since it’s more or less invisible: the Trojan nests itself in the victim’s browser and simulates an online banking platform. They change or add certain elements to the platform. The unsuspecting victims enter their login information, including a corresponding TAN. In the background, however, the attacker has already accessed the data and direct bank transfers into their own account. Depending on how clever they are, it can take weeks or even months to discover the damage.

How a criminal individual obtains your TAN details is not really relevant to you as a consumer. Instead, you should concentrate on arming yourself against the first steps of a cyberattack (social engineering, use of bank Trojans). For example, you need to pay attention to the typical signs of phishing and you don’t have to output sensitive data to third parties, even if they act like a reliable service provider (IT support, accounting service provider etc.)