Transaction authentication number

A transaction authentication number (TAN) is used by some online banking services as a form of single-use password to authorize financial transactions. TANs are a second layer of security above and beyond traditional single-password authentication.

An outline of how TANs function:

1. The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list, each 8 characters long, which is enough to last half a year for a normal user.
2. The user picks up the list from the nearest bank branch. The user must typically identify him/herself by presenting a passport, an ID card or a similar document.
3. A few days later, the user receives a 5-digit password by mail at the user's home address. The user is requested to memorise the password, destroy the notice and keep the TAN list in a safe place near the PC.
4. To log on to his/her account, the user must enter user name and password. This may give access to account information, but the ability to process transactions is disabled.
5. To perform a transaction, the user enters the request and "signs" the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs it issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
6. The TAN has now been consumed and will not be recognized for any further transactions.
7. If the TAN list is compromised, the user may cancel it by notifying the bank.
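The following is an added example, not code from the original article or from any bank: a small server-side model of the list-based TAN lifecycle described in the outline. The 50-TAN, 8-character list and the 5-digit password are taken from the outline; the list id, the user name "alice", the password "31415", the toy SHA-256 password storage and the status strings are assumptions made for the example. It shows why both factors are needed (step 4 versus step 5), that a consumed TAN is never accepted again (step 6), and that cancelling a list invalidates everything on it (step 7).

```python
import hashlib
import hmac
import secrets
import string

# Parameters from the outline above: 50 TANs per printed list, 8 characters each.
TAN_ALPHABET = string.ascii_uppercase + string.digits
TAN_LENGTH = 8
TANS_PER_LIST = 50


def generate_tan_list(n=TANS_PER_LIST, length=TAN_LENGTH):
    """Bank side (step 1): n distinct TANs drawn from a CSPRNG; this is what gets printed."""
    tans = set()
    while len(tans) < n:
        tans.add("".join(secrets.choice(TAN_ALPHABET) for _ in range(length)))
    return sorted(tans)


def _digest(list_id, tan):
    """The server keeps only a per-list salted hash, so a database leak yields no usable TANs."""
    return hashlib.sha256(f"{list_id}:{tan}".encode()).hexdigest()


class TanList:
    """Server-side record of one issued list: which TANs are still unused."""

    def __init__(self, list_id, tans):
        self.list_id = list_id
        self._unused = {_digest(list_id, t) for t in tans}
        self.cancelled = False

    def cancel(self):
        """Step 7: the customer reports the list compromised; nothing on it is accepted again."""
        self.cancelled = True

    def consume(self, tan):
        """Steps 5 and 6: accept a TAN exactly once, then forget it.

        Digests are compared with hmac.compare_digest instead of ==, so the lookup time
        does not depend on how much of the value matched."""
        if self.cancelled:
            return False
        presented = _digest(self.list_id, tan)
        match = None
        for stored in self._unused:
            if hmac.compare_digest(stored, presented):
                match = stored
        if match is None:
            return False
        self._unused.remove(match)
        return True

    def remaining(self):
        return len(self._unused)


class Account:
    """Toy account: password alone grants read access, password plus TAN grants a transfer."""

    def __init__(self, username, password, tan_list, balance=1000):
        self.username = username
        # Assumed toy password storage; a real service would use a slow KDF (scrypt, Argon2).
        self._pw_digest = hashlib.sha256(password.encode()).hexdigest()
        self.tan_list = tan_list
        self.balance = balance

    def login(self, password):
        """Step 4: login alone only unlocks account information."""
        candidate = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self._pw_digest, candidate)

    def transfer(self, password, amount, tan):
        """Step 5: a transaction needs both factors. Returns a status string."""
        if not self.login(password):
            return "login-failed"
        if not self.tan_list.consume(tan):
            return "tan-rejected"
        if amount > self.balance:
            return "insufficient-funds"
        self.balance -= amount
        return "ok"


def run_demo():
    """Walk through the lifecycle and return the observed outcomes."""
    printed = generate_tan_list()                                      # the sheet from step 2
    acct = Account("alice", "31415", TanList("list-0001", printed))    # 5-digit password, step 3
    results = {
        "login_only": acct.login("31415"),
        "first_use": acct.transfer("31415", 100, printed[0]),
        "replay": acct.transfer("31415", 100, printed[0]),             # already consumed
        "stolen_list_no_password": acct.transfer("wrong", 100, printed[1]),
        "password_no_tan": acct.transfer("31415", 100, "not-a-tan"),   # lowercase: never generated
    }
    acct.tan_list.cancel()
    results["after_cancel"] = acct.transfer("31415", 100, printed[2])
    results["remaining"] = acct.tan_list.remaining()
    return results
```

`run_demo()` returns `{"login_only": True, "first_use": "ok", "replay": "tan-rejected", "stolen_list_no_password": "login-failed", "password_no_tan": "tan-rejected", "after_cancel": "tan-rejected", "remaining": 49}`: the stolen sheet alone and the password alone each fail, and the one consumed TAN is gone for good.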

In the Netherlands and Germany, customers of the Postbank can get the TAN codes sent by SMS. The advantage is that users only get a TAN code when they are initiating a (real) transaction. Several banks use TAN codes sent by SMS in Hungary and South Africa.

TANs are believed to provide additional security because they act as a form of two-factor authentication. Should the physical document containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.

In South Africa, where SMS-delivered TAN codes are common, a new attack has appeared: "SIM swap fraud". A common attack vector is for the attacker to impersonate the victim and obtain a replacement SIM card for the victim's phone from the mobile network operator. The victim's user name and password are obtained by other means (such as keylogging or phishing). Between obtaining the cloned or replacement SIM and the victim noticing that their phone no longer works, the attacker can transfer the victim's funds out of their accounts. (IOL: "Victim's SIM swop fraud nightmare", http://www.iol.co.za/index.php?art_id=vn20080112083836189C511499)

Should the client system become compromised by some form of malware that enables a malicious user to obtain both the login data and a TAN (in some systems, a TAN remains usable for some minutes after it is first entered), the possibility of an unauthorized transaction is high. Note that the remaining TANs are still uncompromised and can be used safely, although the user should take action as soon as possible.

Key-lock TAN query

Since a single TAN can be compromised, some banks require a TAN both for the login and to authorize a set of transactions. For additional security, these have to be non-sequential and retrieved by using a security challenge. There have been cases of fraud where two consecutive TANs have been phished from a user. To protect against this, each TAN is associated with a "lock number" and randomly selected from a list. The bank server randomly selects a lock number as a challenge; the user then enters the corresponding TAN from the list. Since the order of the TANs is random, an attacker can't acquire two consecutive TANs. Also, because a TAN is associated with a lock number, the attacker can't just randomly select a position on the list; the only thing an attacker can do to steal a TAN is to guess lock numbers. In practice, the attacker would have to coax the user into writing down the whole list of lock numbers and corresponding TANs, which is clearly implausible.
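As an added example (not code from the original article or from any bank), the key-lock scheme above modelled from the bank's side: the server picks an unused lock number at random, and an answer is accepted only if it is the TAN printed next to that lock number for that session. The session ids, the `A0000000`-style sample TANs in the usage note and the `challenge_coverage` helper are assumptions made for the example; the helper gives the defender's view of the text's point, namely how little a few phished entries are worth when the challenge is random.

```python
import hmac
import secrets


class IndexedTanList:
    """Server-side state for a key-lock (indexed) TAN list."""

    def __init__(self, table):
        self._table = table          # lock number -> TAN
        self._used = set()           # lock numbers already consumed
        self._pending = {}           # session id -> lock number currently challenged

    def challenge(self, session):
        """Pick an unused lock number at random and ask the user for that TAN."""
        unused = [lock for lock in self._table if lock not in self._used]
        if not unused:
            return None
        lock = secrets.choice(unused)
        self._pending[session] = lock
        return lock

    def verify(self, session, tan):
        """Accept only the TAN belonging to the lock number this session was challenged with.

        The pending challenge is discarded whether or not the answer is right, so a wrong
        answer costs the attacker the challenge and a new random lock number is drawn next time."""
        lock = self._pending.pop(session, None)
        if lock is None:
            return False
        ok = hmac.compare_digest(self._table[lock], tan)
        if ok:
            self._used.add(lock)
        return ok

    def is_used(self, lock):
        return lock in self._used

    def unused_count(self):
        return len(self._table) - len(self._used)


def issue_indexed_list(tans):
    """Bank side: assign lock numbers 1..n to the TANs.

    Returns the server record and the printed table the customer receives (here built
    in-process; a real bank prints and posts the table)."""
    table = {lock: tan for lock, tan in enumerate(tans, start=1)}
    return IndexedTanList(table), dict(table)


def challenge_coverage(captured_locks, tan_list):
    """Risk estimate: if an attacker has learned the TANs for the given lock numbers,
    what fraction of the bank's possible next challenges could they answer?"""
    usable = [lock for lock in captured_locks if not tan_list.is_used(lock)]
    return len(usable) / tan_list.unused_count()
```

Typical use, with 50 constructed TANs: `server, printed = issue_indexed_list([f"A{i:07d}" for i in range(50)])`, then `lock = server.challenge("session-1")` and `server.verify("session-1", printed[lock])`. Presenting the TAN from a different, still unused row is rejected even though it is a genuine TAN, a consumed lock number is never challenged again, and knowing two phished rows of a fresh list answers only 2 of the remaining 49 possible challenges (about 4 percent).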



Wikimedia Foundation. 2010.
