A transaction authentication number (TAN) is a type of single-use password used for an online banking transaction in conjunction with a standard ID and password.
TANs are often issued as a list generated by the financial institution and sent to the account owner. The list contains unique single-use passwords or passphrases. Each time a user authenticates, they use one of the passwords and then cross it off the list. The lists may operate in sequential order or include an index system for the TANs (iTAN), in which case the bank asks for the TAN under a specific index. The financial institution maintains a database of users and their respective lists and tracks which number is currently slated next for use. Some TAN systems are smartphone-based. In these systems, the user receives an SMS message from their bank containing the TAN (mTAN).
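The bank-side bookkeeping for an indexed TAN list, as an added example that is not part of the original article: the server keeps only salted hashes of the issued TANs, asks for the TAN under a randomly chosen unused index, accepts each index exactly once, and locks the list after repeated wrong entries. The class name, the lockout threshold and the sample TAN list are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class IndexedTanList:
    """Server-side record of one customer's indexed TAN list (assumed design)."""

    MAX_FAILURES = 3  # assumed lockout threshold, not a bank's real policy

    def __init__(self, tans, salt=None):
        # Store salted hashes only: a copied database must not yield usable TANs.
        self.salt = salt or secrets.token_bytes(16)
        self._hashes = [self._hash(t) for t in tans]
        self._used = [False] * len(tans)
        self._pending = None   # index the bank has asked the customer for
        self.failures = 0
        self.locked = False

    def _hash(self, tan):
        return hashlib.sha256(self.salt + tan.encode()).digest()

    def challenge(self):
        """Pick a random unused index; this is the index shown to the customer."""
        unused = [i for i, used in enumerate(self._used) if not used]
        if not unused:
            raise RuntimeError("TAN list exhausted; a new list must be issued")
        self._pending = secrets.choice(unused)
        return self._pending

    def verify(self, index, tan):
        """Accept the TAN only for the index just requested, and only once."""
        if self.locked or self._pending is None or index != self._pending:
            return False
        if hmac.compare_digest(self._hash(tan), self._hashes[index]):
            self._used[index] = True   # cross it off the list: no replay
            self._pending = None
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True         # too many wrong entries: block the list
        return False

    def remaining(self):
        return self._used.count(False)
```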
TAN systems work reasonably well to add a modicum of extra security in an inexpensive and relatively simple-to-implement way. Since the technology involved uses software that keeps server-side and client-side lists synchronized, it’s also easy for an institution to maintain. However, almost all TAN variants are vulnerable to man-in-the-middle or phishing attacks. Those that use out-of-band authentication, such as SMS messages on mobile phones, are more secure in that an attacker has to compromise two communication channels to steal the information needed to complete a transaction.
Newer TAN systems, such as chipTAN and photoTAN, were created to protect against these attack vectors. ChipTAN uses security data from a user's bank card as read by a chipTAN generator (a type of security key fob), which generates a TAN. PhotoTAN is a system where the bank generates and sends an encrypted message containing a QR code image to a smartphone or standalone device. Both of these TAN methods make for stronger two-factor authentication along with a standard login. Nevertheless, out-of-band authentication methods are not impervious to attack. The Zeus Trojan is just one example of malware designed to steal SMS authentication data for online banking.