Online Banking: How Secure Are TAN Procedures?

The security of TAN procedures has greatly improved over many years. You can find all current TAN procedures and alternatives here.

Mar 24, 2022 - 4 min.

Do you appreciate being able to transfer money quickly online and then resume your daily routine without the stress of driving to the bank during its limited opening hours? This is a luxury to which we have long since become accustomed. Online banking has become the norm and the TAN procedure provides us with optimum protection for this. But what do TAN procedures actually involve, and are our transactions really protected against attack? Read more here.

What is a TAN procedure?

The abbreviation TAN stands for transaction number and is usually a seven-digit combination of numbers that is used to authorise online banking transactions. In the past, traditional TAN lists were used. Bank customers who wanted to transfer funds from the comfort of their own homes needed to have one of these lists as well as their personal identification number (PIN). They then had to enter one of these TAN numbers during the transaction. This reassured the bank that the actual account holder was issuing the instruction. That’s because banks treat a correct TAN in the same way as a personal signature. However, the problem with TAN procedures is their vulnerability to phishing attacks, which is why the traditional TAN list was replaced with the indexed TAN list in 2005. 

Overview of the different TAN procedures

When the traditional TAN list was no longer secure enough and fell victim to criminality, other more secure procedures to give bank customers greater protection were developed. Below is a list of applications currently available. 

Indexed TAN list (iTAN)

This is the successor of the TAN list and was the standard procedure used for money transfers for many years. Unlike the traditional TAN list, users of the iTAN procedure are given a very specific position number that tells them which TAN number the bank is looking for. This means that customers must always have the complete list to hand. The introduction of the iTANplus procedure and the confirmation number (BEN) only marginally improved security for customers. Here too, criminal attacks became more frequent.

mTAN procedure

This procedure is one of the most popular and is often referred to as smsTAN or mobileTAN. A customer wishing to transfer money must first enter their telephone number in the online banking portal and then receives the TAN number from their bank via SMS directly to their smartphone. This procedure always requires two devices. For instance, the user may start off by logging on to an online banking account on a laptop. The user then receives the TAN required to complete the money transfer as an SMS on their smartphone. Although it is possible to combine everything on a single device, the security of the transaction would be significantly reduced. However, even the mTAN procedure is no longer 100 per cent secure. That’s because permanent access to the Internet makes it easy for hackers to deploy phishing or Trojan attacks to intercept and exploit the data. 

pushTAN procedure 

Although the pushTAN procedure only requires a single device, such as a laptop, two different channels are used to generate the TAN. The user’s online banking portal acts as the first channel. The second channel is the password-protected pushTAN app, which is available free of charge from the main app stores. The advantage of the pushTAN lies in its flexibility. Since only one user device is required, money can be transferred anytime and anywhere. Its only drawback is the danger of the smartphone being stolen, which would also cause the user to lose access to the app. 

chipTAN procedure

In this case, the user requires a chipTAN generator, which is either provided by the bank itself or can be purchased from retailers. Those wishing to use it to transfer money must log into their bank portal on their laptop or smartphone. After entering the details of the transfer, they receive a graphical barcode. This is then scanned using the generator. In order for the generator to work, the debit card must be inserted into it beforehand. Once the barcode is scanned, a TAN is generated. Since the chipTAN generator is not connected to the Internet at any time, the procedure is particularly secure because cybercriminals have virtually no way of accessing the generator.

photoTAN procedure

The photoTAN procedure is the newest procedure and is very similar to the chipTAN procedure described above because a special reading device must be used for both applications. In this instance, the user requires a photoTAN reading device. Alternatively, a free photoTAN app can be used as well. To complete a money transfer and to generate an associated TAN in this procedure, a coloured mosaic graphic is scanned. Since only a few banks offer this application, experts believe it is less likely to be targeted by hackers. 

TAN? Certainly! But not always secure

The overview of the different TAN procedures shows that each has its own vulnerabilities. The greatest risk involves losing the devices on which the applications are installed to transfer money. However, attacks by hackers can become a problem for all users. Those currently least at risk are the users of the photoTAN procedure simply because the application is not yet in widespread use. Despite everything, TAN procedures still offer users the highest possible level of security, but with no guarantee. In reality, the customers themselves remain the greatest vulnerability when it comes to hacker attacks. Ignorance or impulsive actions on their part provide cybercriminals with many opportunities to access sensitive data. 

One of the tactics widely used by hackers is social engineering. This is where hackers pretend to be employees of an external IT support team that has been hired to solve an alleged problem with the account. The person illicitly posing as an employee will then request the user to provide access details or banking details. However, hackers can also use phishing emails or trojans to gain access to banking data on a smartphone or a laptop. As a result, it is important to remain alert and contact your bank directly to check that any unusual email requests you receive are genuine. 

Biometry as an alternative to the TAN procedure

Multifactor authentication (MFA) is a security mechanism that uses more than two necessary security and validation procedures to authenticate people. After all, authentication that relies solely on usernames and passwords is not secure and is vulnerable to hacker attacks. Generally speaking, a distinction is made between four types of authentication procedures. They are based on the factors of possession, knowledge, location and biometric characteristics. For example, a user can ‘possess’ an identified device, have ‘knowledge’ of a password, logs in from a specific ‘location’ and IP address and have a unique fingerprint. Combining at least two of these means of identification features largely ensures that the person trying to access online resources is actually who they claim to be. This is why MFA offers powerful protection, especially in the area of online banking. The more sophisticated the MFA, the more secure the system. But what about ease of use? Multifactor authentication also solves this problem because biometric factors such as fingerprints or the analysis of typing behaviour require neither time nor effort and are always available.


Using (C)IAM to Comply Safely With Legislative Changes in 2022