What are the different types of TAN?

[Image: Laptop with card reader - ©Can Stock Photo Inc. / Multiart]

Most banks in Germany that offer personal home banking use a system called PIN/TAN.  Account holders log into their accounts using either a username or their account number with a PIN (Persönliche Identifikationsnummer).

After that, to carry out any form of transaction, a TAN (Transaktionsnummer) is used.

Over the years, the system has tried to cope with the growing number of phishing attacks and security problems, meaning that there are a number of different TAN systems in use.

The original system that is probably no longer in use these days was the simple unnumbered TAN list.  Account holders received a printed sheet, sealed in an envelope much like a wage slip, of short numbers.  These are the TANs.  You could use them in any order you liked, which had the advantage of being able to take two or three on holiday with you or storing a couple in your phone for emergencies, without having to carry the entire list with you.

But because people fell for fake “please enter 2 TANs” pages, these were considered insecure, and so iTAN was introduced.

iTANs are indexed, i.e. each TAN has a number.  When you carry out a transaction, the bank asks you for a particular number from the list.  This means that the phishers cannot ask for just any TAN, they need the right one.  It also means taking the entire list with you when you travel, to be able to make payments, making it not that much safer in my opinion.

In fact, there was one case of people being asked to fax the entire sheet to a special number for it to be checked, except that the whole thing was a scam, leaving the organisers with 100 numbers instead of 2.

mTANs tried to solve this problem, m standing for mobile.  You register your mobile phone number with your bank, and when you want to carry out a transaction on-line, the bank sends a single TAN to your phone as an SMS.  This is OK, as long as the SMS arrives within a certain time, but with modern smartphones the danger is that they can be hacked to pass the TAN on to the phishers, who by then have matched it up with the account details and use it before you do.

In addition to all those problems, both iTAN and mTAN can suffer from so-called “man-in-the-middle” attacks, where someone hacks into your computer and pretends to be the bank, whilst at the same time logging in to your account for real to make a transfer, except that they change the payee number and amount to fit their own purposes.

Which brings us up to the latest development called chipTAN.  chipTAN requires special hardware, which consists of a card reader where the normal ec-type payment card is inserted, and optical sensors on the front which are used to read a system of flashing black and white bars on the screen.  When a payment is to be made, the bars transmit data to the card reader, which then displays the account number of the payee and the amount to be transferred on its own small display.

Only once this has been confirmed does the card reader generate a one-time TAN for the user to enter in their web browser.
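To make the difference between an indexed TAN and a TAN tied to the payment details concrete, here is a Python example added to this article (it is not code from any bank and not the real chipTAN algorithm). The HMAC calculation, the key, the account names and the TAN values are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from a real bank or card.
CARD_KEY = b"constructed-demo-card-key"
ITAN_SHEET = {17: "483920", 18: "105577"}         # index -> TAN, as on the paper list
INTENDED = ("DE00 CONSTRUCTED LANDLORD", 50_000)  # (payee, amount in cents)
TAMPERED = ("DE00 CONSTRUCTED OTHER", 900_000)    # what the bank actually receives


def bank_accepts_itan(index, tan):
    """iTAN: the bank checks only that the TAN matches the index it asked for."""
    return hmac.compare_digest(ITAN_SHEET[index], tan)


def bound_tan(key, payee, amount_cents, challenge):
    """TAN derived from the transfer details (HMAC is an assumed stand-in)."""
    msg = f"{challenge}|{payee}|{amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def reader_confirm(key, shown, intended, challenge):
    """Card reader: show payee and amount, issue a TAN only if the user confirms."""
    if shown != intended:          # user sees the wrong payee/amount and aborts
        return None
    return bound_tan(key, *shown, challenge)


def bank_accepts_bound(key, received, challenge, tan):
    """Bank recomputes the TAN over the transfer it is about to execute."""
    return tan is not None and hmac.compare_digest(
        bound_tan(key, *received, challenge), tan)


def demo():
    # iTAN: user types TAN 17 for the intended transfer; bank got TAMPERED.
    itan_tampered_ok = bank_accepts_itan(17, ITAN_SHEET[17])
    # Bound TAN, reader shows what the bank received: user refuses, no TAN exists.
    refused = reader_confirm(CARD_KEY, TAMPERED, INTENDED, "c1")
    # A TAN confirmed for INTENDED does not validate the TAMPERED transfer.
    tan = reader_confirm(CARD_KEY, INTENDED, INTENDED, "c1")
    bound_tampered_ok = bank_accepts_bound(CARD_KEY, TAMPERED, "c1", tan)
    bound_intended_ok = bank_accepts_bound(CARD_KEY, INTENDED, "c1", tan)
    return itan_tampered_ok, refused, bound_tampered_ok, bound_intended_ok


if __name__ == "__main__":
    print(demo())
```

The indexed TAN is accepted even though the bank received a different payee and amount, while the TAN tied to the payment details is only accepted for the transfer that was confirmed on the reader's display.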

The system is not without its problems.  If the internet connection is too slow, or the screen not quite right, then the card reader may have problems reading the flashing bars.

But it is the way forward and many banks have started converting their systems to use it, so that one by one they can start turning off the old iTAN access.  This will, at least, save paper and the need to carry the list around.  Whether taking a card reader on holiday is any better remains to be seen!

About Graham

Graham Tappenden is a British ex-pat who first came to Germany as a placement student in 1993, returning in 1995 to live there permanently. He has been writing for AllThingsGerman.net since 2006. When not writing blog posts or freelancing for the Oberurseler Woche and other publications he works as a self-employed IT consultant solving computer problems and designing websites. In 2016 he gained German citizenship.
