iTAN — An Obituary
Here lies iTAN.
Alas, poor iTAN, we knew you.
In your brief existence of only 14 years, you have put your mark on the whole banking industry. And on myriads of printed lists. Precious times we have spent on your behalf, poring over papers, grubbing for that one golden number to end our insecurity — and get those funds transferred from our budget account to our savings account.
You, iTAN, managed to rise above your forebears, ending the whateverism of the old TAN dynasty. And yet, you had trouble keeping a stiff upper lip in the face of all those hyperactive neo-banking millennials. You passed with dignity.
Farewell, iTAN. We will miss you.
The Problems with iTAN
But, will we though?
Speaking ill of the dead aside, the deceased in question didn’t live up to today’s standards in digital banking. In two areas in particular, iTAN (short for “indizierte Transaktionsnummer” or “indexed transaction number”) has fallen behind the times. And these are exactly the areas the EU Commission deems crucial for the future of online banking: usability and security.
The goal behind PSD2 for the EU is to make digital monetary transactions both more fraud-proof and more resistant to illegal access, while at the same time making them more comfortable to use. It’s a balancing act, and one in which iTAN tipped over the edge for various reasons.
iTAN’s Security Issues
As iTAN lists are physical lists, they lie around for quite a while until all TANs are exhausted. This means that the handling of those lists by the user is the breaking point in the system. Besides losing the list to thieving hands (who would need your PIN, too), cybercriminals are even more inventive when going after your TANs. There is social engineering and phishing, where the criminals try to convince you to share your TANs under false pretenses. Common means for this are fake emails leading to fake websites, where you are asked to enter a TAN. Even more dangerous are Trojans. Criminals smuggle malware onto your device (via email, for example). This malware interferes with the transaction, stealing the TAN and using it for the criminals’ own transactions.
No matter which method the criminals use: once the TANs are out there, it’s difficult to control the damage. It is, however, a problem that applies to any data entered online, from passwords to mTANs.
iTAN’s Usability Deficiencies
Not at all an inducement for the EU Commission to weed out iTAN, but still a nuisance for users: it is quite a stationary solution. Customers need a physical list to move money in iTAN-based online banking. And this means that their online banking activities are confined to their own four walls. Carrying one’s iTAN list around can turn into a security risk. Leaving it at home puts severe restrictions on online banking. Today’s definition of “mobile” is synonymous with “everything, everywhere”. iTAN’s mode of operation cannot cope here.
The New Generation
PSD2 requires banks to provide strong customer authentication for their services. This means that the way we verify our identity as the rightful owner of a transaction gains some additional steps. Every customer must prove their identity by proving at least two of these three elements to be true:
- The customer must be who he claims to be because he has information only he can know, like passwords or PINs => The Knowledge Element
- The customer must be who he claims to be because he has at hand one of the devices that authenticate the transaction, like the original credit card, the smartphone that receives an SMS TAN, a TAN generator, etc. => The Possession Element
- The customer must be who he claims to be because he has the biometric traits that identify him, like a fingerprint or the right face for face recognition => The Inherence Element
iTAN systems are compliant in theory. At least they draw on the Knowledge Element and the Possession Element for identification: you must combine your PIN, which you know, with the TAN on a printed list, which you own.
But the risk of security breaches is too high with iTAN (see above). The new regulations demand that TANs be generated dynamically. Thus, they are only valid within a short timeframe after having been distributed via apps or generated by special devices.
Alternative TAN Procedures
But even after iTAN’s demise, it all stays in the family. The general principle behind TANs will largely remain untouched and still be used for authentication in German online banking. Alternative TAN procedures are:
mTAN / SMS TAN
In this procedure, the bank sends the TANs to users via SMS, once requested. This method was more secure in the days when mobile phones weren’t yet web-enabled. But now, cybercriminals are increasing their attacks on smartphones. And using the web browser for online banking on the same device that receives the SMS is a major security loophole. The BSI (Bundesamt für Sicherheit in der Informationstechnik, the German Federal Office for Information Security) thus recommends that users refrain from using SMS TAN.
chipTAN
A more secure alternative would be chipTAN. It relies on a small device, a TAN generator. Once the user requests a transaction on his online banking platform, a flickering code is displayed on the screen. The TAN generator reads this code and generates a TAN for the transaction. This method is easily the most secure of the ones mentioned here. Yet, it’s also the most impractical, forcing you to carry your TAN device around with you.
QR TAN and photoTAN
These methods act as a kind of compromise between mTAN and chipTAN, without the high vulnerability of SMS TANs. Both methods require special apps on your phone. The photoTAN procedure draws on pictures displayed on the online banking website, which the app scans and turns into TANs. QR TAN procedures work exactly the same, just with QR codes instead of pictures.
Authenticator Apps
This take on TAN generation completely does away with scanning anything on the banking portal. Instead, you install a third-party authenticator app (like Authy, for example), which in some cases is protected by its own password. Both the bank’s server and the authenticator app (Google Authenticator, Authy) generate one-time codes independently of each other. To do so, they use a secret key which was generated by the server and then shared with the app. Then, you fetch the one-time code from the authenticator app by logging in with your password. As the final step, you enter it on your online banking platform, which compares the code to the one-time password it computed internally. As the codes refresh after a short period of time, this method comes with an additional level of security.
In a way, this variant of verifying transactions is the truest to the spirit of Open Banking, as banks must cooperate with external providers to make their online banking services work. With regard to APIs, the banks still have some catching up to do.
iTAN’s Not Dead
And we must keep this delay in mind. iTAN is not dead just yet. Regulators allow existing customers to use this method a little longer. In addition, some banks are not ready for the change. Targobank, for example, faces a delay in the delivery of photoTAN authentication devices. It extended the deadline for iTAN until October.
So even if there are plenty of alternatives to succeed iTAN, the world of banking moves at a slower pace than we might have expected. Open Banking is still late for the deadline. It looks like there is some life in the old dog iTAN yet.
Originally published at https://trimplement.com on September 20, 2019.