The classic TAN procedure, in which bank customers can pick any transaction number from a TAN list to confirm transfers or standing orders, is already considered relatively safe. Its weaknesses are phishing attacks, in which fraudsters obtain the access data for the checking account, including transaction numbers, through emails or fake bank websites, and so-called man-in-the-middle attacks, in which the perpetrator inserts himself into the connection and swaps the transfer data in the background. To close these gaps, the TAN procedure has been developed further. The result is iTAN and iTAN Plus.
The iTAN method
The “i” in iTAN stands for indexed, which is why it is also called the indexed TAN procedure. The difference from the previous approach is that the transaction numbers are not just listed but also given item numbers: the customer receives a numbered TAN list. Instead of picking an arbitrary transaction number from the list, the customer is now told explicitly by the bank which TAN must be used to confirm the transaction. Suppose the booking and confirmation screen asks for transaction number 37: entering the TAN with index number 27 then leads to an error message. Consequence: the booking is not executed. If you have fallen for a phishing email and revealed some TANs along with your access data, the perpetrators would have to be very lucky for exactly those transaction numbers to be requested. Man-in-the-middle attacks, however, are still possible.
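The difference between the classic and the indexed check, as an added example that is not part of the original article: a minimal bank-side sketch in Python. The class and function names, the 100-entry list, the 6-digit TANs and the rule that an open challenge stays fixed until it is answered are assumptions made for illustration.

```python
import hmac
import secrets

def issue_tan_list(size=100):
    """Constructed numbered list: index (from 1) -> unique 6-digit TAN."""
    numbers = secrets.SystemRandom().sample(range(10**6), size)
    return {i: f"{n:06d}" for i, n in enumerate(numbers, start=1)}

class ClassicTanAccount:
    """Classic TAN: any unused number from the list confirms a transaction."""
    def __init__(self, tan_list):
        self.unused = set(tan_list.values())

    def confirm(self, tan):
        if tan in self.unused:
            self.unused.discard(tan)  # each TAN works only once
            return True
        return False

class ItanAccount:
    """iTAN: the bank names an index; only the TAN at that position counts."""
    def __init__(self, tan_list):
        self.unused = dict(tan_list)
        self.pending = None

    def challenge(self):
        # Assumption: an open challenge stays fixed until answered, so holding
        # a few leaked TANs does not allow re-rolling for a known index.
        if self.pending is None:
            self.pending = secrets.choice(sorted(self.unused))
        return self.pending

    def confirm(self, tan):
        if self.pending is None:
            return False
        if hmac.compare_digest(self.unused[self.pending], tan):
            del self.unused[self.pending]
            self.pending = None
            return True
        return False  # wrong position or wrong number: booking not executed

def phishing_demo():
    """Constructed scenario: the TAN with index 27 was revealed to a fake site."""
    tans = issue_tan_list()
    leaked = tans[27]
    classic_ok = ClassicTanAccount(tans).confirm(leaked)
    bank = ItanAccount(tans)
    asked = bank.challenge()
    return classic_ok, asked, bank.confirm(leaked)
```

The leaked number always confirms a classic transaction, while under iTAN it is accepted only if the bank happens to ask for index 27.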
The iTAN Plus process
To remedy this shortcoming as well, some banks go a step further and use the iTAN Plus procedure. It is based on the iTAN method with its indexed TAN list. The addition is a control image, a so-called captcha. Before entering the requested transaction number, the customer can calmly check the details of the transfer once more in the image. The captcha shows all transaction data and also the customer's date of birth. Since scammers usually do not know the account holder's birthday, incorrect data would be noticed immediately. It is therefore almost impossible to forge the control image in order to redirect a transaction to another account. The disadvantage of this presentation is its readability. The normal iTAN prompt is visually easier to grasp, since it is plain text. In return, the control image provides security and makes life extremely difficult for data thieves.