A transaction authentication number (TAN) is a one-time code used to authorize online transactions. It adds a second factor on top of the password used to log in to an account or make transactions. To reduce the chance of fraud, some companies require a TAN as a form of multi-factor authentication (MFA) in addition to a PIN or CVV. A new TAN may be delivered for each interaction, or the individual may receive a list of valid TANs to draw from when conducting business.
If the document or token containing the TANs is stolen, it is useless without the password. Conversely, someone who logs in with a stolen password but has no valid TAN cannot authorize a transaction.
Types of Transaction Authentication Numbers
Institutions deliver TANs to users in a variety of forms. Each institution has its own preference based on what it requires and what its users want. Below are several types of TANs and the vulnerabilities of each.
Classic TAN
Financial institutions provide a list of about 50 TANs, usually enough to last a user about half a year. Each TAN is a unique six- to eight-digit code the user enters to confirm an online transaction and prove their identity. Users collect the list at their financial institution or receive it by mail, separately from their login credentials. Once a user logs in and confirms a transaction with a TAN, that TAN is spent and cannot be used again. If a list is stolen or lost, the user can obtain a new one from the institution, and every code on the old list becomes invalid for that user.
Unfortunately, scammers successfully phish these TANs. A fraudulent login page prompts the user to enter their PIN together with one or several TANs, and the scammer then uses those credentials to authorize fraudulent transactions. Further, classic TANs provide little to no protection against man-in-the-middle (MitM) attacks: a classic TAN is not tied to any particular transaction, so a scammer who intercepts one, especially on a compromised or vulnerable system, can use it to authorize a transaction of their own.
Indexed TAN (iTAN) and iTAN with CAPTCHA (iTANplus)
Each TAN on the list carries a sequence number, or "index", and the bank tells the user which index to enter for a given transaction. Because the bank chooses the index at random, a single TAN phished from the list is worthless unless the bank happens to ask for that index. However, scammers are still able to conduct MitM attacks, including real-time phishing and man-in-the-browser (MitB) attacks, in which malware swaps the transaction details in the background and hides the fraudulent transaction from the account overview.
Some institutions combat this with a CAPTCHA (iTANplus). Users complete a challenge before, after, or during entry of their TAN; if they cannot, the page denies access. The CAPTCHA image also embeds the transaction details, so a user whose transaction has been swapped by a scammer sees the mismatch and can refuse to complete it. Despite the added protection, scammers still successfully conduct automated attacks such as distributed denial-of-service (DDoS).
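The two list-based schemes above, and the attacks the text describes against them, as an added example that is not code from the original page or from any bank. It models the bank's side of a classic list (any unspent code is accepted) and an indexed list (only the code at the index the bank demanded is accepted), then shows why a phished code is worth less under iTAN and why a man-in-the-browser still wins: the TAN check and the transfer it approves are independent, so the code the user typed for one transfer authorizes whatever the malware actually submitted. The list sizes, code lengths, IBAN placeholders and the "phished index 7" scenario are constructed for the demonstration.

```python
"""Server-side model of a classic TAN list and an indexed (iTAN) list, plus the
two attacks the text describes: phishing a code off the list and a
man-in-the-browser swap of the transaction that the code ends up authorizing.
Added example; not code from the original page or from any bank."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TanList:
    """One customer's list as the bank stores it: index -> code, plus the spent indices."""
    codes: dict
    used: set = field(default_factory=set)


def issue_tan_list(count: int = 50, digits: int = 6) -> TanList:
    """Generate a fresh list; the paper copy mailed to the customer carries the same numbering."""
    return TanList({i: f"{secrets.randbelow(10 ** digits):0{digits}d}" for i in range(1, count + 1)})


def verify_classic(tl: TanList, tan: str) -> bool:
    """Classic TAN: any unspent code on the list authorizes, whatever position it sits at."""
    for idx, code in tl.codes.items():
        if idx not in tl.used and secrets.compare_digest(code, tan):
            tl.used.add(idx)  # single use: spent as soon as it verifies
            return True
    return False


def itan_challenge(tl: TanList) -> int:
    """iTAN: the bank picks, at random, which unspent index the customer must answer with."""
    unspent = [i for i in tl.codes if i not in tl.used]
    if not unspent:
        raise RuntimeError("TAN list exhausted; the customer needs a new one")
    return secrets.choice(unspent)


def verify_itan(tl: TanList, idx: int, tan: str) -> bool:
    """Only the code at the demanded index is accepted, and only once."""
    if idx not in tl.codes or idx in tl.used:
        return False
    if secrets.compare_digest(tl.codes[idx], tan):
        tl.used.add(idx)
        return True
    return False


def execute_transfer(tl: TanList, idx: int, tan: str, recipient: str, amount: int) -> Optional[dict]:
    """Bank endpoint. The TAN check and the transfer it approves are independent of each
    other, which is exactly what a man-in-the-browser exploits."""
    if not verify_itan(tl, idx, tan):
        return None
    return {"recipient": recipient, "amount": amount}


def man_in_the_browser(tl: TanList, idx: int, tan: str, intended: dict, injected: dict) -> Optional[dict]:
    """The customer types the TAN the bank asked for, believing it confirms `intended`;
    browser malware rewrites the form fields before the request leaves the machine."""
    swapped = execute_transfer(tl, idx, tan, injected["recipient"], injected["amount"])
    # The account overview the malware renders afterwards still shows `intended`.
    return swapped


if __name__ == "__main__":
    tl = issue_tan_list()
    # Constructed scenario: a fake login page phished index 7 and its code from the victim.
    phished_idx, phished_code = 7, tl.codes[7]

    classic_list = TanList(dict(tl.codes))  # same codes, treated as a classic list
    print("classic list accepts the phished code:", verify_classic(classic_list, phished_code))

    demanded = itan_challenge(tl)
    print(f"iTAN bank demands index {demanded}; phished index {phished_idx} usable:",
          verify_itan(tl, demanded, phished_code))

    # MitB: the victim answers a fresh challenge correctly, but the transfer is rewritten.
    demanded = itan_challenge(tl)
    done = man_in_the_browser(tl, demanded, tl.codes[demanded],
                              intended={"recipient": "IBAN-FRIEND", "amount": 50},
                              injected={"recipient": "IBAN-ATTACKER", "amount": 5000})
    print("transfer the bank actually executed:", done)
```

The iTAN improvement is only statistical: with 50 codes, a single phished (index, code) pair works one time in fifty, and an attacker who phishes the user in real time, relaying the bank's demanded index to the fake page, gets the right code every time. Nothing in either scheme binds the code to the recipient or amount, which is the property the transaction-bound schemes later on the page add.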
Mobile TAN (mTAN)
These TANs are more familiar to ordinary users than TAN lists. To access the service and confirm a transaction, the user enters a code delivered by SMS or phone call. Often the SMS itself includes the transaction details, so the user can verify them before the transaction is transmitted to the bank.
This form of authentication is also vulnerable to fraud. Scammers use SIM swap fraud to obtain mTANs for fraudulent transactions: impersonating the victim, they ask the network operator for a replacement SIM. When the scammer then logs in with the victim's credentials, obtained through other means, the TAN message arrives on the scammer's SIM and they gain access to the account. The victim often realizes too late, when their phone stops working or their accounts have already been compromised.
Further, because smartphones are mobile computers, attackers can target the phone as easily as the computer, leaving both vulnerable to spoofing and phishing attempts.
TAN Generators
These provide a one-time code through a token or key-fob device. The token displays a TAN after the user logs in, or when a smart card is inserted. Unfortunately, these TANs carry no transaction details, so scammers can still phish them or use them in MitM attacks.
pushTAN
Similarly to mTAN, users receive a single-use TAN when they log in, but it is delivered through a dedicated multi-factor authentication app such as Duo Mobile rather than by text message, so no SMS charges arise. Because the messages are encrypted and delivered to the app rather than to a phone number, pushTAN also protects against SIM swap fraud. As an added precaution, the pushTAN app stops functioning if it detects a "rooted" or jailbroken phone.
ChipTAN/SmartTAN/CardTAN
One of the strongest forms of TAN generation: the user inserts their bank card into a handheld device, and each generated TAN is specific to that bank card and to the current transaction details. Nowadays, these devices receive the transaction data by reading a flickering code displayed on the computer screen; the user then confirms the details shown on the TAN device before it produces the code.
Because the generator is independent hardware supplied by banks and their technology vendors, this method protects against attacks on the computer: the generated TAN works only for the transaction the user confirmed on the generator's own screen. Furthermore, loss or theft of the device is no cause for concern, since a usable TAN can only be produced with the bank card; the user simply requests a new device. Despite these protections, scammers still persuade users to authorize "test transfers" or the "return of falsely transferred money", posing as a bank or a company.
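What "specific to that bank card and the current transaction details" buys, and what it does not, as an added example that is not code from the original page or from any bank. The generator derives the code from a secret held by the card, a per-card counter, and the recipient and amount the user confirmed on the device; the bank recomputes the same code over the details it actually received. HMAC-SHA256 truncated to six digits is an assumed stand-in for the card's real algorithm, which the page does not describe, and the key, counter window and IBAN placeholders are constructed for the demonstration.

```python
"""Transaction-bound TAN, modelled on the chipTAN flow: the generator derives the code
from a secret held by the bank card, a per-card counter, and the recipient and amount
the user confirmed on the generator's own screen. Added example, not code from the page
or from any bank. Assumption: HMAC-SHA256 truncated to six decimal digits stands in for
the card's real algorithm, which the page does not describe."""
import hashlib
import hmac
from typing import Optional

DIGITS = 6
WINDOW = 10  # counter values the bank accepts ahead of the last one it saw


def generator_tan(card_key: bytes, atc: int, recipient: str, amount_cents: int) -> str:
    """Code computed inside the card/generator; the bank recomputes exactly the same thing."""
    msg = f"{atc}|{recipient}|{amount_cents}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def generator_session(card_key: bytes, atc: int, displayed: dict, intended: dict) -> Optional[str]:
    """The generator reads recipient and amount off the flickering code, shows them on its own
    screen, and only emits a TAN if the user confirms they match what they meant to send."""
    if displayed != intended:
        return None  # user sees the mismatch on the device and refuses
    return generator_tan(card_key, atc, displayed["recipient"], displayed["amount_cents"])


class Bank:
    def __init__(self) -> None:
        self.cards: dict = {}  # card id -> [card key, last accepted counter]

    def enroll(self, card_id: str, card_key: bytes) -> None:
        self.cards[card_id] = [card_key, 0]

    def execute_transfer(self, card_id: str, recipient: str, amount_cents: int, tan: str) -> Optional[dict]:
        """Accept the transfer only if a TAN for exactly these details, with a counter value
        the card has not yet spent, matches what the customer submitted."""
        card_key, last_atc = self.cards[card_id]
        for atc in range(last_atc + 1, last_atc + 1 + WINDOW):
            expected = generator_tan(card_key, atc, recipient, amount_cents)
            if hmac.compare_digest(expected, tan):
                self.cards[card_id][1] = atc  # counter moves on: the TAN cannot be replayed
                return {"recipient": recipient, "amount_cents": amount_cents}
        return None


if __name__ == "__main__":
    bank = Bank()
    key = b"constructed-card-secret"  # constructed; a real key never leaves the chip
    bank.enroll("card-1", key)
    intended = {"recipient": "IBAN-FRIEND", "amount_cents": 5000}

    # 1. Man-in-the-browser swaps the recipient before the flicker code is drawn:
    #    the device shows the attacker's account, the user refuses, and no TAN exists.
    print("TAN after a swap visible on the device:",
          generator_session(key, 1, {"recipient": "IBAN-ATTACKER", "amount_cents": 5000}, intended))

    # 2. Malware swaps only the request to the bank, after the user confirmed the real details.
    tan = generator_session(key, 1, intended, intended)
    print("bank executes swapped transfer:", bank.execute_transfer("card-1", "IBAN-ATTACKER", 5000, tan))
    print("bank executes intended transfer:", bank.execute_transfer("card-1", "IBAN-FRIEND", 5000, tan))
    print("replay of the same TAN:", bank.execute_transfer("card-1", "IBAN-FRIEND", 5000, tan))

    # 3. Social engineering, the attack that remains: the user is talked into confirming
    #    the attacker's details on the device as a "test transfer", so the TAN is valid.
    scam = {"recipient": "IBAN-ATTACKER", "amount_cents": 100}
    tan = generator_session(key, 2, scam, scam)
    print("'test transfer' executes:", bank.execute_transfer("card-1", "IBAN-ATTACKER", 100, tan))
```

Nothing the malware does on the computer helps it: a swap before the flicker code is drawn is visible on the generator's screen, a swap after confirmation produces a TAN the bank recomputes differently, and the spent counter blocks replay. The scheme is only as strong as the user's reading of the device screen, which is why the remaining fraud against it is persuading the user to confirm the scammer's details knowingly.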
How Do I Prevent Banking Fraud?
Despite the added security of TANs, businesses and financial institutions still face frequent banking fraud attempts. To protect customers and institutions alike, the strongest TAN methods should be implemented alongside broader cybersecurity solutions.
Fraud.net offers a variety of cybersecurity solutions specifically engineered to protect commercial and financial institutions. Our products, powered by artificial intelligence and machine learning, keep your systems protected from phishing and spoofing attacks. With the automation that AI and machine learning provide, these products evolve with you, learning from previous attacks to suit your needs down the line. By protecting your transactions, you protect your customers, your business, and your bottom line.
To learn more about Fraud.net’s product offerings and request a demo, contact us today.