Another Ratchet Up in the Phishing War

I must confess I’m not sure exactly how it works, but it looks like an interesting, if potentially flawed, approach in the battle against phishing. German bank Postbank, IDG reports, has launched a new system to combat phishing, extending the existing German practice of using transaction numbers, or TANs:

Until now, Postbank customers transferring money from their account to another electronically have had to type in their PIN followed by a TAN from a list provided by the bank for each transaction. In Germany, most banks providing online services offer a similar PIN-TAN service.

Under Postbank’s new iTAN service, online customers are told by the computer which TAN to use, and only with this TAN can they complete a transaction at that very moment.

Alongside each five-digit TAN appears an index number, which the computer uses to point customers to the TAN they must use to activate the transaction.

The IDG piece doesn’t explain further how this works. I believe that banks in Europe that use transaction numbers either supply them as a printed list from which customers pick one when they make a transaction, or else send a transaction number by SMS for each transaction as it happens. The former approach offers only limited protection: any unused TAN on the list is valid for any transaction, so phishers can, and do, ask their victims for transaction numbers as well as PINs and passwords, and a single harvested TAN is enough to authorise a fraudulent transfer. So although this is another layer of security, it remains as vulnerable to social engineering as an ordinary one-factor transaction.

So how are iTANs different? I’m guessing here, but it sounds as if the bank itself randomises the selection and then tells the customer which TAN to use (‘the second on the list’, I suppose, or perhaps ‘the one ending in X’). This certainly does make it harder for the phishers: a TAN captured by a fake login page is only useful if the bank happens to ask for that same number later, so the attacker needs the customer’s full list of TANs rather than just one.

If this is all correct, then expect the next round of phishing attacks in Germany to involve something like: ‘We are sorry, there has been a data error at our bank and we need to recall all your TANs. Please enter them into the form at this web page in the order they are listed on your sheet. We will then issue you a fresh list of TANs.’ And so the game continues.
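The two attacks sketched above can be made concrete with a small simulation. The following is an added example written for this post, not Postbank’s software; the sheet size (50 entries), the five-digit TANs, the four-digit PIN and the exact message flow between customer and bank are all assumptions. It models a classic PIN/TAN bank and an indexed (iTAN) bank side by side, then runs three attacker scenarios: a single phished TAN, the ‘re-enter your whole sheet’ lure, and, as a caveat the post does not raise, a phisher who relays the bank’s index to the victim in real time.

```python
"""Toy model of classic PIN/TAN versus indexed TAN (iTAN) transfers.

Added example for this post; it is not Postbank's code. The sheet size,
TAN width, PIN and message flow are assumptions made for illustration.
"""
import random


class TanBank:
    """Bank-side state for one customer's printed TAN sheet.

    indexed=False : classic PIN/TAN, any unused TAN on the sheet is accepted.
    indexed=True  : iTAN, the bank names the TAN number the customer must use.
    """

    def __init__(self, pin, tans, indexed, rng=None):
        self.pin = pin
        self.tans = list(tans)      # position i holds TAN number i+1 on the sheet
        self.used = set()           # indices already spent (every TAN is one-time)
        self.indexed = indexed
        self.pending = {}           # session id -> index the bank challenged
        self.rng = rng or random.SystemRandom()

    def start_transfer(self, session):
        """Return the 1-based TAN number to enter (iTAN) or None (classic)."""
        if not self.indexed:
            return None
        unused = [i for i in range(len(self.tans)) if i not in self.used]
        idx = self.rng.choice(unused)       # bank, not customer, picks the TAN
        self.pending[session] = idx
        return idx + 1

    def complete_transfer(self, session, pin, tan):
        """Return True if the transfer is authorised, spending the TAN if so."""
        if pin != self.pin:
            return False
        if self.indexed:
            idx = self.pending.pop(session, None)   # no challenge, no transfer
            if idx is None or idx in self.used or self.tans[idx] != tan:
                return False
        else:
            if tan not in self.tans:
                return False
            idx = self.tans.index(tan)
            if idx in self.used:
                return False
        self.used.add(idx)
        return True


def new_customer(rng):
    """Constructed sample data: a PIN and a sheet of 50 distinct five-digit TANs."""
    return "1234", [f"{t:05d}" for t in rng.sample(range(100000), 50)]


def phish_one_tan(indexed, rng=None):
    """Offline phish: the victim typed PIN plus the first TAN on the sheet into
    a fake page. Returns (attacker_succeeded, tan_number_the_bank_asked_for)."""
    rng = rng or random.SystemRandom()
    pin, tans = new_customer(rng)
    bank = TanBank(pin, tans, indexed, rng)
    stolen = tans[0]
    asked = bank.start_transfer("attacker")
    return bank.complete_transfer("attacker", pin, stolen), asked


def phish_whole_sheet(rng=None):
    """The 'data error, re-enter all your TANs' lure: attacker holds the sheet."""
    rng = rng or random.SystemRandom()
    pin, tans = new_customer(rng)
    bank = TanBank(pin, tans, True, rng)
    asked = bank.start_transfer("attacker")
    return bank.complete_transfer("attacker", pin, tans[asked - 1])


def relay_in_real_time(rng=None):
    """Caveat beyond the post: a live man-in-the-middle forwards the bank's
    index to the victim's fake page, collects that one TAN and submits it."""
    rng = rng or random.SystemRandom()
    pin, tans = new_customer(rng)
    bank = TanBank(pin, tans, True, rng)
    asked = bank.start_transfer("attacker")   # challenge lands in attacker's session
    victims_answer = tans[asked - 1]          # victim is shown the same number
    return bank.complete_transfer("attacker", pin, victims_answer)


if __name__ == "__main__":
    rng = random.Random(2005)
    print("classic TAN, one phished TAN:", phish_one_tan(False, rng))
    print("iTAN, one phished TAN:", phish_one_tan(True, rng))
    print("iTAN, whole sheet phished:", phish_whole_sheet(rng))
    print("iTAN, real-time relay:", relay_in_real_time(rng))
```

Against the classic scheme the single phished TAN always works; against iTAN it works only when the bank happens to ask for that very number (one chance in fifty on this sheet), which is the improvement the post describes. The whole-sheet lure restores the attacker’s odds to certainty, and so does a phisher who relays the challenge live, which is why an index alone, without binding the TAN to the transaction details, stops the offline phish but not the interactive one.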

09. August 2005 by jeremy
Categories: Phishing, Security | 2 comments

Comments (2)

  1. My bank uses a special token that generates a one-time security code that you have to enter each time you log in:

    http://www.bendigobank.com.au/e-banking/e-banking_help/Customer_services/Security_options_order.shtml

    Can’t tell you how well it works but I’ve got one on order 🙂

  2. In Switzerland, the banks give out a physical mini-calculator type card for each bank account number. Every time you need to access your account online, you just type in your account number in the calculator, which will generate a PIN code which you then use to access your online account. Each time you use the calculator, a new PIN code is generated, and that code can only be used once. It is very effective against most kinds of scams since whatever code a malfeasor can get hold of online through key logging or such will automatically be void after the one initial use.