Transaction authentication number

from Wikipedia

A transaction authentication number (TAN) is used by some online banking services as a form of single-use one-time password (OTP) to authorize financial transactions. TANs are a second layer of security above and beyond traditional single-password authentication.

TANs provide additional security because they act as a form of two-factor authentication (2FA). If the physical document or token containing the TANs is stolen, it will be useless without the password. Conversely, if the login data are obtained, no transactions can be performed without a valid TAN.

Classic TAN

TANs often function as follows:

  1. The bank creates a set of unique TANs for the user.[1] Typically, 50 TANs are printed on a list, enough to last half a year for a normal user, with each TAN being six or eight characters long.
  2. The user picks up the list from the nearest bank branch (presenting a passport, an ID card or similar document) or is sent the TAN list through mail.
  3. The password (PIN) is mailed separately.
  4. To log on to their account, the user must enter user name (often the account number) and password (PIN). This may give access to account information but the ability to process transactions is disabled.
  5. To perform a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
  6. The TAN has now been used and will not be recognized for any further transactions.
  7. If the TAN list is compromised, the user may cancel it by notifying the bank.

However, as any TAN can be used for any transaction, TANs are still prone to phishing attacks in which the victim is tricked into providing both the password/PIN and one or several TANs. Further, they provide no protection against man-in-the-middle attacks, where an attacker intercepts the transmission of the TAN and uses it for a forged transaction, for example when the client system has been compromised by malware that gives a malicious user control over it. Although the remaining TANs are uncompromised and can be used safely, users are generally advised to take further action as soon as possible.

Indexed TAN (iTAN)

Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.

However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging into a forged copy of the bank's website and man-in-the-browser attacks[2] which allow the attacker to secretly swap the transaction details in the background of the PC as well as to conceal the actual transactions carried out by the attacker in the online account overview.[3]

Therefore, in 2012 the European Union Agency for Network and Information Security advised all banks to assume by default that their users' PC systems are infected with malware, and to use security processes that let the user cross-check the transaction data against manipulation, for example mTAN (provided the security of the mobile phone holds up) or smartcard readers with their own screen that include the transaction data in the TAN generation process and display it to the user beforehand (chipTAN).[4]

Indexed TAN with CAPTCHA (iTANplus)

Prior to entering the iTAN, the user is presented a CAPTCHA, which in the background also shows the transaction data and data deemed unknown to a potential attacker, such as the user's birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA.

This variant of the iTAN method, used by some German banks, adds a CAPTCHA to reduce the risk of man-in-the-middle attacks.[5] Some Chinese banks have also deployed a TAN method similar to iTANplus. A recent study shows that these CAPTCHA-based TAN schemes are not secure against more advanced automated attacks.[6]

Mobile TAN (mTAN)

mTANs are used by banks in Austria, Bulgaria, the Czech Republic, Germany, Hungary, Malaysia, the Netherlands, Poland, Russia, Singapore, South Africa, Spain and Switzerland, and by some banks in New Zealand, Australia, the UK and Ukraine. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by SMS. The SMS may also include transaction data, allowing the user to verify that the transaction has not been modified in transmission to the bank.

However, the security of this scheme depends on the security of the mobile phone system. In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: SIM Swap Fraud. A common attack vector is for the attacker to impersonate the victim and obtain a replacement SIM card for the victim's phone from the mobile network operator. The victim's user name and password are obtained by other means (such as keylogging or phishing). Between obtaining the cloned/replacement SIM and the victim noticing that their phone no longer works, the attacker can transfer/extract the victim's funds from their accounts.[7] In 2016 a study was conducted on SIM Swap Fraud by a social engineer, revealing weaknesses in issuing porting numbers.

In 2014, a weakness in the Signalling System No. 7 used for SMS transmission was published, which allows interception of messages. It was demonstrated by Tobias Engel during the 31st Chaos Communication Congress.[8] At the beginning of 2017, this weakness was used successfully in Germany to intercept SMS and fraudulently redirect fund transfers.[9]

The rise of smartphones also led to malware attacks that try to infect both the PC and the mobile phone simultaneously in order to break the mTAN scheme.[10]

pushTAN

pushTAN is an app-based TAN scheme by the German Sparkassen banking group that reduces some of the shortcomings of the mTAN scheme. It eliminates the cost of SMS messages and is not susceptible to SIM card fraud, since the messages are sent via a special text-messaging application to the user's smartphone over an encrypted Internet connection. Just like mTAN, the scheme allows the user to cross-check the transaction details against hidden manipulations carried out by Trojans on the user's PC, by including in the pushTAN message the actual transaction details the bank received. As with using mTAN on a smartphone, there is the risk of a parallel malware infection of PC and smartphone. To reduce this risk, the pushTAN app ceases to function if the mobile device is rooted or jailbroken.[11] In late 2014 the Deutsche Kreditbank (DKB) also adopted the pushTAN scheme.[12]

TAN generators

Simple TAN generators

The risk of compromising the whole TAN list can be reduced by using security tokens that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smartcard inserted into the token.

However, the TAN generated is not tied to the details of a specific transaction. Because the TAN is valid for any transaction submitted with it, it does not protect against phishing attacks where the TAN is directly used by the attacker, or against man-in-the-middle attacks.

ChipTAN / Sm@rt-TAN / CardTAN

ChipTAN generator (optical version) with bank card attached. The two white arrows mark the borders of the barcode on the computer screen.

ChipTAN is a TAN scheme used by many German and Austrian banks.[13][14][15] It is known as ChipTAN or Sm@rt-TAN[16] in Germany and as CardTAN in Austria, whereas cardTAN is a technically independent standard.[17]

A ChipTAN generator is not tied to a particular account; instead, the user must insert their bank card during use. The TAN generated is specific to the bank card as well as to the current transaction details. There are two variants: In the older variant, the transaction details (at least amount and account number) must be entered manually. In the modern variant, the user enters the transaction online, then the TAN generator reads the transaction details via a flickering barcode on the computer screen (using photodetectors). It then shows the transaction details on its own screen to the user for confirmation before generating the TAN.

As it is independent hardware, coupled only by a simple communication channel, the TAN generator is not susceptible to attack from the user's computer. Even if the computer is subverted by a Trojan, or if a man-in-the-middle attack occurs, the TAN generated is only valid for the transaction confirmed by the user on the screen of the TAN generator, therefore modifying a transaction retroactively would cause the TAN to be invalid.

An additional advantage of this scheme is that because the TAN generator is generic, requiring a card to be inserted, it can be used with multiple accounts across different banks, and losing the generator is not a security risk because the security-critical data is stored on the bank card.

While it offers protection from technical manipulation, the ChipTAN scheme is still vulnerable to social engineering. Attackers have tried to persuade the users themselves to authorize a transfer under a pretext, for example by claiming that the bank required a "test transfer" or that a company had falsely transferred money to the user's account and they should "send it back".[2][18] Users should therefore never confirm bank transfers they have not initiated themselves.

ChipTAN is also used to secure batch transfers (Sammelüberweisungen). However, this method offers significantly less security than the one for individual transfers. In case of a batch transfer the TAN generator will only show the number and total amount of all transfers combined – thus for batch transfers there is little protection from manipulation by a Trojan.[19] This vulnerability was reported by RedTeam Pentesting in November 2009.[20] In response, as a mitigation, some banks changed their batch transfer handling so that batch transfers containing only a single record are treated as individual transfers.

from Grokipedia
A Transaction Authentication Number (TAN) is a one-time password, typically consisting of a sequence of digits, used in to authorize specific financial transactions such as transfers or account changes, acting as an additional layer of beyond a user's primary login credentials like a PIN or password. This procedure is particularly prominent in German-speaking countries such as , , and . TANs function by generating a unique, dynamic tied to the details of a particular transaction, which must be entered by the user into the banking interface to confirm approval; this is valid only for a limited time, often a few minutes, in compliance with regulations like the EU's 2 (PSD2). The process typically requires a separate device or channel for code delivery, enhancing security through two-factor authentication (2FA) by separating knowledge-based factors (password) from possession-based or inherence-based ones (device or token). Originally distributed as pre-printed lists provided by banks, TANs have evolved to digital formats to counter fraud risks like , where attackers might intercept static codes. Several types of TAN procedures exist, each balancing usability and security levels, and are commonly implemented in European countries like Germany where they are mandated for high-risk online banking activities. These include:
  • mTAN (Mobile TAN or SMS TAN): A code sent via SMS to the user's registered mobile phone, convenient but vulnerable to interception through SIM swapping or malware; as of 2025, increasingly phased out by major banks in favor of app-based alternatives.
  • ChipTAN or eTAN: Generated using a dedicated hardware device like a card reader or TAN generator combined with a bank card, offering high security without relying on communication networks.
  • PhotoTAN or QR-TAN: Involves scanning a QR code displayed on the banking interface with a smartphone app or optical reader to produce the TAN, requiring two separate devices for added protection.
  • PushTAN: Delivered through a mobile banking app via push notification, where the user confirms the transaction details on their device, often with biometric verification for enhanced security.
  • iTAN (Indexed TAN): An older method using a printed list where the bank specifies an index number for the user to select the corresponding TAN, now largely phased out due to phishing risks.
The adoption of TANs significantly reduces unauthorized access and in , though ongoing advancements address vulnerabilities such as man-in-the-middle attacks, with regulatory bodies recommending the use of app-based or hardware-generated methods over for optimal protection.

Introduction

Definition and Purpose

A Transaction Authentication Number (TAN) is a single-use, (OTP) that functions as the second factor in two-factor (2FA) for authorizing electronic fund transfers in systems. It serves to confirm the user's intent and identity for a specific transaction, adding a layer of beyond initial login credentials such as usernames and passwords. The primary purpose of a TAN is to verify the authenticity of high-risk actions, thereby preventing unauthorized access and reducing the of even if an attacker obtains the user's primary details. By requiring a unique code for each transaction, TANs mitigate threats like man-in-the-middle attacks or credential theft, ensuring that only the legitimate account holder can complete sensitive operations. Key characteristics of TANs include their typical length of 6 digits, consisting of numeric characters only, which are generated or provided by the upon request and remain valid only for a single, designated transaction. Unlike static personal identification numbers (PINs), TANs are transaction-specific and disposable, designed to counter replay attacks where a captured code could otherwise be reused. TANs are commonly employed in for authorizing wire transfers, bill payments, and other high-value transactions that involve moving funds or altering account settings.

Historical Background

The concept of the transaction number (TAN) emerged in during the mid-1970s as part of early efforts to secure electronic banking transactions. Alfred Richter, technical director at Verbraucherbank, developed the PIN/TAN procedure in 1976 initially for internal bank employee access, which was then adapted for customer use in 1977 with the introduction of SB-Terminal banking systems at Verbraucherbank. This innovation responded to the growing need for secure remote access amid the rollout of early via the Bildschirmtext (BTX) network, launched nationally in 1983, where PIN/TAN served as a foundational two-factor method to prevent unauthorized transfers. By the mid-1990s, as surged in response to rising fraud risks, banks like Sparkasse standardized TAN lists—printed sheets of one-time codes—as a compliant measure under emerging supervisory guidelines from the Zentraler Kreditausschuss (ZKA), the central body for German banking associations, to meet BaFin precursors' security expectations. The early marked a pivotal shift in TAN procedures driven by escalating threats, which exposed vulnerabilities in static TAN lists. A notable epidemic in , involving organized gangs targeting German online banking users to steal credentials and TANs, prompted rapid innovation; authorities arrested a major ring that had compromised thousands of accounts, highlighting the need for transaction-linked methods. This led to the development of indexed TAN (iTAN) systems around 2005-, where codes were selected based on a displayed index to mitigate man-in-the-middle attacks, followed by the introduction of chipTAN in , which tied TAN generation to specific transaction details via hardware. These changes were formalized through ZKA guidelines, ensuring and standards across German banks while addressing regulatory pressures from the newly established BaFin in 2002. In the , EU-wide harmonization accelerated TAN evolution amid broader directives on payment security. 
The 2 (PSD2), adopted in 2015 and effective from 2018, mandated for electronic payments, pushing German banks toward mobile (mTAN) and app-based (pushTAN) variants, as well as advanced hardware solutions, to comply with two-factor requirements and reduce reliance on vulnerable lists. ZKA's ongoing standardization efforts influenced neighboring systems in and , where similar German-speaking banking networks adopted compatible TAN procedures, initially limited to these regions before integration expanded their use. This progression reflected a reactive yet structured response to real-world threats, transitioning from paper-based simplicity to dynamic, device-integrated .

List-Based TAN Procedures

Classic TAN

The Classic TAN procedure, the earliest form of transaction authentication in German online banking, relies on a pre-printed paper list of disposable codes. Users receive a booklet or sheet containing approximately 100 unique TANs, each typically 6 digits long, delivered securely by mail or collected at a bank branch; these are kept separate from the user's login PIN to enable two-factor authentication. For each financial transaction, such as a transfer, the user manually selects and enters any unused TAN from the list into the banking software, after which it becomes invalid. Issuance occurs periodically, with banks providing a new list upon request or automatically when the previous one nears exhaustion, often after about 10 TANs remain; the lists lack expiration dates but are designed for replacement within months based on usage frequency. Each TAN authorizes only a single transaction and must be entered within a short window, usually a few minutes, to prevent reuse. This method requires no digital devices, making it accessible for basic setups. Key advantages include its straightforward , requiring minimal user or , and low operational costs for banks since production involves only and mailing. It served as an effective initial barrier against unauthorized access in the when emerged. Despite these benefits, the procedure carries major security drawbacks, including vulnerability to physical or loss of the list, which exposes all remaining TANs to compromise, and the absence of binding to specific transaction details, allowing a stolen TAN to authorize unintended actions. attacks exploit this by tricking users into revealing multiple codes. Owing to these flaws, Classic TAN usage declined sharply after 2005 as banks transitioned to more secure variants, and paper lists were fully prohibited under the EU's starting September 14, 2019, mandating dynamic authentication. As of 2025, it is fully obsolete and no longer permitted.

Indexed TAN (iTAN)

The Indexed TAN (iTAN), also known as "indizierte Transaktionsnummer," represents an evolution of the classic list-based TAN procedure designed to enhance security in transactions. In this method, users receive a printed list of one-time-use TANs, each assigned a unique numerical index, typically ranging from 1 to 100. When initiating a transaction via the bank's online portal, the system generates and displays a random index number specific to that transaction—such as the 47th position—along with key details like the amount and recipient. The user must then reference their physical list to locate and enter the corresponding TAN at that index, thereby authorizing the transaction. This indexing ensures the TAN is dynamically linked to the exact transaction context, preventing reuse for unrelated activities. The list format for iTAN mirrors the structure of traditional TAN lists but incorporates sequential numbering to facilitate quick lookup without sequential depletion. Banks issue these lists in a compact, paper booklet format, often containing 100 six-digit TANs, which users store securely at home or in a safe. Unlike the classic TAN, where any unused code could be applied broadly, the iTAN's indexed selection ties each code to a precise prompt, reducing the risk of generic code interception during phishing attempts where attackers cannot predict or forge the index in advance. This visual matching of index to transaction data requires no additional hardware, making it accessible for users with basic online banking setups. iTAN was introduced by German banks around 2005 as a response to rising threats, with early adoption by institutions like to provide a low-cost upgrade over sequential TAN lists. The procedure gained widespread use across major banks, including Sparkassen and Volksbanken, by requiring users to visually verify the index against displayed transaction elements before inputting the TAN. 
Security analyses at the time highlighted its improvement over classic methods by mitigating man-in-the-middle attacks, as the transaction-specific index renders captured TANs ineffective for forged transfers. However, vulnerabilities persist, including physical of the list—allowing bulk compromise if stolen—or real-time that could overlay fake indices to extract valid codes during active sessions, as demonstrated in early proof-of-concept exploits. As of 2025, iTAN has been fully phased out in following the enforcement of the EU's Revised (PSD2), which mandates (SCA) and prohibits static paper-based lists since September 14, 2019, to address escalating cyber risks. Banks transitioned users to dynamic alternatives like app-based or hardware-generated TANs.

iTAN with CAPTCHA (iTANplus)

iTAN with CAPTCHA, also known as iTANplus, enhances the indexed TAN procedure by integrating a visual CAPTCHA challenge that embeds critical transaction details for user verification. In this method, the bank generates a CAPTCHA image during the transaction authorization phase, which displays key elements such as the recipient's name, transfer amount, and a random index number corresponding to a position in the user's printed TAN list. The user must carefully inspect the image to ensure the details match the intended transaction before retrieving and entering the TAN associated with the specified index. This approach maintains the paper-based nature of iTAN while adding a layer of human-verified data integrity. Introduced in the early as part of efforts to strengthen security in , iTANplus was developed under standards set by the Zentraler Kreditausschuss (ZKA), the German Banking Industry Committee, and adopted by select institutions like Volksbank Freiburg eG. Similar -integrated transaction verification systems have been deployed by some Chinese banks to authenticate online transfers. The process begins when the user submits transaction details in their banking portal; the server then creates the image using a shared or to encode the data, displays it alongside the index, and awaits the user's confirmation and TAN input. If the verification succeeds and the TAN matches, the transaction proceeds. The primary security benefit of iTANplus lies in its ability to thwart blind relay and man-in-the-middle attacks by forcing the user to actively confirm transaction specifics before authorizing with the TAN, thereby linking the one-time password to observable data rather than relying solely on indexing. This reduces the risk of unauthorized modifications going unnoticed, as the embedded details in the CAPTCHA serve as a tamper-evident check. 
However, iTANplus depends heavily on user diligence to detect discrepancies in the displayed information, and it offers limited protection against advanced malware capable of intercepting and altering the CAPTCHA image in real-time on the compromised device, such as through man-in-the-browser techniques. Like other paper-based TAN procedures, iTANplus has been fully phased out in following the enforcement of PSD2's requirements on September 14, 2019, as it does not provide dynamic linking compliant with SCA. As of 2025, banks have transitioned to electronic alternatives.

App and Mobile-Based Procedures

Mobile TAN (mTAN)

Mobile TAN (mTAN), also known as smsTAN, is a two-factor authentication method used in where the bank generates and sends a one-time transaction number (TAN) via to the user's registered number immediately upon transaction initiation. The user must then enter this TAN into the banking interface within a short validity period, typically a few minutes, to authorize the transaction. Unlike list-based methods, mTAN involves dynamic TAN generation for each specific event, eliminating the need for pre-printed lists and ensuring the code is unique to the transaction details, such as amount and recipient. This procedure integrates with German online banking standards like FinTS (formerly HBCI), facilitating secure electronic transfers in protocols commonly used by banks in . mTAN has been widely adopted in and several EU countries, including and the , since the early 2000s as expanded, serving as a convenient alternative to hardware tokens. The method offers advantages such as ease of use, requiring no additional hardware beyond a standard , and compatibility with international , allowing users to receive TANs while traveling abroad, though roaming fees may apply. It enhances security through the "something you have" factor by leveraging the user's as a separate channel from the banking session. However, mTAN is vulnerable to SIM swap fraud, where attackers impersonate the user to transfer the phone number to a new SIM card, intercepting TANs for unauthorized access. Additionally, vulnerabilities in the SS7 signaling protocol have enabled interception of SMS messages, with exploits demonstrated by researchers in 2014 and real-world attacks targeting German bank accounts in 2017, leading to significant financial losses. 
These risks have prompted many German banks to phase out or restrict mTAN in favor of more secure app-based alternatives since 2019, with ongoing transitions as of 2025—for example, Deutsche Bank discontinued it in August 2025—though some banks continue to support it, and disclosure of SMS TANs is now considered grossly negligent.

pushTAN

pushTAN is an app-based transaction authentication method employed primarily by German savings banks (Sparkassen) for securing operations. Developed in the mid-2010s, it emerged as a response to the limitations of SMS-dependent systems, eliminating carrier fees and network vulnerabilities while enhancing user convenience through dedicated mobile applications. The core mechanism relies on a specialized banking app, such as the S-pushTAN application, installed on the user's or tablet. When a user initiates a transaction via on a computer or another device, the bank sends a push notification to the app containing key transaction details, including amount, recipient, and purpose. The user reviews this information and confirms approval directly on the app's interface, often by tapping an on-screen button, or by entering a dynamically generated TAN displayed within the app. This ensures the is tied exclusively to the presented transaction . Prior to confirmation, the app authenticates the user using biometric verification—such as fingerprint or facial recognition—or a personal identification number (PIN) for added security. The TAN is then generated server-side based on the transaction parameters and verified in real-time within the app environment, intended to support standards like the EU's Payment Services Directive 2 (PSD2) for strong customer authentication, though a 2023 German court decision (Heilbronn Regional Court) ruled that single-device pushTAN does not fully meet PSD2 requirements, sparking ongoing debate. This closed-loop verification prevents interception during transmission. Key advantages of pushTAN include its real-time notification delivery, which allows immediate transaction approval, and its inherent binding to specific transaction elements, reducing the risk of unauthorized use. Unlike SMS-based methods, it circumvents SIM fraud vulnerabilities by operating over secure app channels independent of infrastructure. 
As of 2025, pushTAN is a standard procedure for Sparkassen banks in , supporting millions of customers in daily activities.

Hardware-Based TAN Generators

Simple TAN Generators

Simple TAN generators are compact hardware devices, often resembling keychain dongles, designed to produce one-time passwords (OTPs) for authorizing transactions without requiring connectivity to the bank's systems. These devices typically feature a small LCD screen and one or more ; when the user presses a , the generator computes and displays a pseudo-random numeric code, known as a Transaction Authentication Number (TAN), which is entered into the banking interface to confirm the transaction. The core functionality relies on cryptographic algorithms such as HOTP (HMAC-based One-Time Password), an event-counter based method standardized in RFC 4226, or time-based variants like TOTP, where the device and bank server share a secret key to independently generate matching codes at synchronized intervals or counters. No direct communication link is needed between the device and the bank during use, making it fully offline after initial setup. These generators produce TANs that are valid for a single transaction, similar to pre-printed TAN lists, ensuring each code can only be used once to prevent reuse. Banks issue these devices to customers upon account setup or request, pre-configuring them with a unique key tied to the user's account for synchronization. The portability of these keychain-sized units allows easy carrying, and their offline nature provides resistance to remote interception attacks, such as those targeting channels. However, simple TAN generators lack binding to specific transaction details, meaning a generated TAN can authorize any pending transfer if entered promptly, increasing to shoulder-surfing or of the physical device. Physical possession of the generator enables unauthorized TAN generation, posing risks if lost or stolen.

ChipTAN and Variants

ChipTAN is a hardware-based method developed for secure in , where users insert their into a dedicated TAN generator device that reads the card's chip to compute a transaction-specific TAN. The process begins when the user initiates a transfer in the bank's online portal, which generates a challenge—typically a or flicker code containing encrypted transaction details such as the amount and recipient—displayed on the user's computer screen. The user then scans or inputs this challenge into the generator, which verifies it against the card's secure chip and produces a unique TAN tied exclusively to that transaction data, ensuring the TAN cannot be reused or applied to altered transactions. This challenge-response protocol forms the core of ChipTAN's security, providing high resistance to man-in-the-middle and attacks by displaying and verifying transaction details in a trusted hardware environment separate from the potentially compromised PC. The method complies with standards set by the Zentraler Kreditausschuss (ZKA), the Central Credit Committee of the German banking industry, which introduced specifications for ChipTAN handheld devices in 2010 to standardize dynamic TAN generation across banks. Several variants of ChipTAN extend its functionality while maintaining the chip-based verification. CardTAN simplifies the process by allowing manual entry of a numeric challenge code from the screen into the generator, which then computes the TAN using the card chip, suitable for users without optical scanning capabilities.
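The following Python model is added here to illustrate the contrast drawn in both the Wikipedia and the Grokipedia sections above between a simple (HOTP-style) TAN generator, a ChipTAN-style transaction-bound TAN, and the batch-transfer case in which only the record count and total amount are bound; it is not code from either article or from any bank or the ZKA. The way transaction data is mixed into the MAC, the key (the RFC 4226 test secret), the IBANs and the amounts are all constructed assumptions for demonstration.

```python
"""Illustrative model of the TAN generator styles described on this page.
Keys, IBANs and amounts are constructed sample values; the binding of
transaction data into the MAC is a simplification for demonstration and is
NOT the ZKA chipTAN algorithm."""
import hashlib
import hmac
import struct

DIGITS = 6


def tan(secret: bytes, counter: int, challenge: bytes = b"") -> str:
    """HMAC-SHA1 over the 8-byte counter plus an optional challenge, then the
    RFC 4226 dynamic truncation. With an empty challenge this is plain HOTP,
    i.e. what a simple (non-transaction-bound) TAN generator computes."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + challenge, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def individual_challenge(amount_cents: int, iban: str) -> bytes:
    """Fields the optical chipTAN reader shows on its own display and then binds;
    the page names amount and recipient account as the minimum."""
    return f"{amount_cents}|{iban}".encode()


def batch_challenge(records: list) -> bytes:
    """For a batch transfer the generator only shows the number of records and
    their total amount, so only those two values get bound."""
    return f"{len(records)}|{sum(amount for amount, _ in records)}".encode()


def bank_verify(secret: bytes, expected_counter: int, challenge: bytes,
                submitted: str, look_ahead: int = 3):
    """Bank side: recompute over the transaction the bank actually received.
    A small look-ahead window tolerates counters the user burned without
    submitting (RFC 4226 resynchronisation). Returns the consumed counter,
    or None if the TAN does not match."""
    for c in range(expected_counter, expected_counter + look_ahead):
        if hmac.compare_digest(tan(secret, c, challenge), submitted):
            return c
    return None


# Constructed sample data. The secret is the RFC 4226 test key, standing in
# for the per-card key a real generator would read from the chip.
SECRET = b"12345678901234567890"
USER_TX = (10000, "DE00 0000 0000 0000 0000 01")  # what the user entered
EVIL_TX = (10000, "DE00 9999 9999 9999 9999 99")  # what a man-in-the-browser forwards


def simple_generator_accepts_altered_transfer() -> bool:
    """Simple generator: the TAN depends only on the counter, so it validates
    whatever transaction reaches the bank."""
    user_tan = tan(SECRET, 1)
    return bank_verify(SECRET, 1, b"", user_tan) is not None


def chiptan_accepts_honest_transfer() -> bool:
    user_tan = tan(SECRET, 1, individual_challenge(*USER_TX))
    return bank_verify(SECRET, 1, individual_challenge(*USER_TX), user_tan) is not None


def chiptan_accepts_altered_transfer() -> bool:
    """The reader bound what it displayed to the user; the bank recomputes over
    the altered recipient, so the TAN no longer matches."""
    user_tan = tan(SECRET, 1, individual_challenge(*USER_TX))
    return bank_verify(SECRET, 1, individual_challenge(*EVIL_TX), user_tan) is not None


def batch_accepts_swapped_recipient() -> bool:
    """The batch weakness reported in 2009: swapping a recipient inside a batch
    keeps record count and total unchanged, so the batch TAN still verifies."""
    honest = [(5000, "DE00 0000 0000 0000 0000 01"), (5000, "DE00 0000 0000 0000 0000 02")]
    tampered = [(5000, "DE00 0000 0000 0000 0000 01"), (5000, EVIL_TX[1])]
    user_tan = tan(SECRET, 1, batch_challenge(honest))
    return bank_verify(SECRET, 1, batch_challenge(tampered), user_tan) is not None


def challenge_for(records: list) -> bytes:
    """Mitigation named on the page: a one-record batch is handled like an
    individual transfer, so its recipient is bound too."""
    if len(records) == 1:
        return individual_challenge(*records[0])
    return batch_challenge(records)


def single_record_batch_accepts_swapped_recipient() -> bool:
    user_tan = tan(SECRET, 1, challenge_for([USER_TX]))
    return bank_verify(SECRET, 1, challenge_for([EVIL_TX]), user_tan) is not None


if __name__ == "__main__":
    print("RFC 4226 vector, counter 0:", tan(SECRET, 0))  # 755224
    print("simple generator, altered recipient accepted:", simple_generator_accepts_altered_transfer())
    print("chipTAN, altered recipient accepted:", chiptan_accepts_altered_transfer())
    print("batch, swapped recipient accepted:", batch_accepts_swapped_recipient())
    print("1-record batch as individual, swap accepted:", single_record_batch_accepts_swapped_recipient())
```

The point to take from the three verification outcomes is that only the fields the generator displays and binds are protected; anything the reader does not show can be altered by a compromised PC without invalidating the TAN.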

Security and Regulatory Aspects

Vulnerabilities and Risks

Transaction authentication numbers (TANs) in various implementations, particularly list-based and SMS-delivered variants, are susceptible to phishing and man-in-the-middle (MitM) attacks, in which attackers impersonate legitimate banking interfaces to capture user-entered TANs. In classic TAN lists and indexed TAN (iTAN) systems, phishing sites trick users into revealing TANs from pre-printed lists, enabling unauthorized transactions because the TAN has no transaction-specific binding. Challenge-response methods such as chipTAN resist such attacks better by generating TANs tied to unique transaction details, although early variants were vulnerable to MitM interception of the challenge before the user processed it. Malware and Trojans threaten all TAN types: keyloggers and screen-capture tools intercept TANs as they are entered or displayed on compromised devices. For mobile TAN (mTAN), attacks exploit SS7 protocol weaknesses in telecom networks to intercept SMS-delivered TANs, allowing attackers to redirect messages and authorize fraudulent transfers. In Germany, such SS7 attacks in 2017 enabled hackers to drain online bank accounts by bypassing mTAN authentication, highlighting the dependence of SMS-based systems on mobile carrier security. PhotoTAN procedures, which rely on optically scanning a code displayed on screen, are particularly exposed to malware that modifies the displayed QR codes or captures the screen before verification, as demonstrated in attacks where altered transaction details evaded user detection. Overlay attacks on pushTAN apps let malware superimpose fake approval prompts, tricking users into confirming malicious transactions. Physical and social threats amplify the risks for hardware- and app-based TANs, including theft of printed lists or devices, which compromises entire authentication sets. A stolen classic TAN list allows immediate exploitation of every code it contains, while loss of a simple TAN generator or chipTAN device enables repeated unauthorized TAN production if the device is not protected by a PIN.
For mTAN, SIM swapping attacks, in which fraudsters socially engineer mobile carriers into porting a victim's number, permit interception of SMS TANs and facilitate account takeovers. PushTAN systems face social engineering risks such as phishing campaigns that mimic bank notifications to elicit user approvals for fraudulent pushes, as seen in cases where attackers provisioned digital payment methods through deceptive prompts. Historical incidents underscore these vulnerabilities: the 2017 SS7 exploits in Germany compromised mTAN for multiple victims, leading to direct financial losses through intercepted authentication codes. Similarly, malware targeting PhotoTAN via screen manipulation, analyzed in 2016 security research, showed how QR code alterations could go undetected by the user, echoing earlier threats such as the 2012 Eurograbber campaign, which stole over €36 million by intercepting similar banking data. Basic mitigations include user education on recognizing phishing and verifying transaction details before approval, and separating devices (for example, using an offline TAN generator apart from the online banking session) to limit the scope of a compromise. No single TAN method is entirely foolproof, as evolving threats such as advanced persistent threats continue to challenge even multi-factor implementations.

Compliance and Future Developments

The Revised Payment Services Directive (PSD2), effective from 2018, mandates strong customer authentication (SCA) for electronic payments in the European Union to enhance security and reduce fraud. SCA requires two distinct factors from the categories knowledge, possession and inherence. TAN procedures qualify if they incorporate dynamic linking, which ties the authentication code to the specific transaction amount, payee and other details, and if they ensure independence between the authentication elements so that compromising one does not compromise the others. In Germany, the Federal Financial Supervisory Authority (BaFin) and the Central Credit Committee (ZKA), now integrated into the German Banking Industry Committee, have established standards for TAN procedures since the early 2000s to align with national and EU regulations. These standards prioritize secure, dynamic TAN generation on separate devices, leading to the abolition of insecure iTAN lists under PSD2 and a continued emphasis on transitioning to app-based (e.g., pushTAN) and hardware-based (e.g., chipTAN) methods for compliance and risk mitigation. Adoption of TAN procedures remains predominantly European, with limited implementation outside the region; for instance, mobile TAN (mTAN) via SMS is used in India as part of the Reserve Bank of India's additional factor requirements for digital payments, and similar SMS-based one-time passwords are used in some other markets. Efforts to align TANs with global standards, such as FIDO2 for phishing-resistant authentication, are emerging to facilitate cross-border use. Future developments in TAN usage reflect a broader shift toward biometric-enhanced SCA alternatives, combining factors such as fingerprint or facial recognition with possession-based apps, as permitted under PSD2's flexible framework, to improve usability while maintaining security. Vulnerable methods, including classic TAN lists, have been phased out, while others such as mTAN remain in use with recommendations to supplement them with additional safeguards against threats such as SS7 protocol vulnerabilities.
As of November 2025, the Digital Operational Resilience Act (DORA), effective from January 17, 2025, complements PSD2 by strengthening ICT risk management and resilience in financial entities, supporting the adoption of secure authentication systems including hybrid SCA methods such as FIDO2. The European Banking Authority (EBA) continues to refine PSD2 guidance through ongoing Q&As, with no major changes to TAN procedures reported, while emphasizing flexibility for banks to offer multiple compliant SCA options.
