eTAN procedure
eTAN is an identification procedure for online banking.
To use this procedure, the user needs a special TAN generator that does not require a chip card.
There is also the eTAN plus procedure, which uses a card reader instead of a TAN generator.
How does the eTan procedure work?
After the user has entered the transfer data, he receives a control number from the bank, which he must enter via the TAN generator. The device then calculates a TAN with which the transfer can be completed.
eTAN plus procedure
The eTAN plus procedure is even more secure. Here the user receives a card reader instead of the TAN generator. This involves using your own bank card for transactions, which conceals a secret key. This generates a valid TAN in conjunction with the bank’s control number. This depends on the respective transfer details and can no longer be determined by Trojan attacks.
Advantages of the eTAN procedure
- Secure: No phishing possible, as no transaction number can be generated without a valid bank control number
- In addition, a completely external device (TAN generator or card reader) is used for the eTAN procedure, which is neither connected to the Internet nor to the customer’s bank account.
Disadvantages of the eTAN procedure
The biggest disadvantage of eTAN and especially eTAN plus is the low practicability of the system. You always need two to three (in more modern variants) “devices” or things to be able to carry out transactions. Most people find this very time-consuming, especially when traveling.
Scanning the code on the screen can also be problematic. Depending on the lighting conditions, flickering speed of the graphics, etc., reading the code may take a long time or several attempts may be necessary.
In addition, using eTAN on the move is rather impractical.
Dangers of the eTAN procedure
Although the eTAN procedure makes online banking much more secure, there are still some dangers that should not be ignored. Under no circumstances should you keep the TAN generator and the bank card together. In the more modern version, where the customer needs a chip card, this should generally be carried with them.
It is also still possible to spy out access data using Trojans and pharming in the eTAN procedure.
Trojans, which are installed on the user’s PC when a link in an email is called up or an attachment is opened, can spy on sensitive data. The Trojan can read along, but it can also display a false website or form by asking the user to enter the TAN. If he does not notice this, the fraudsters filter out your usage data and the generated TAN.
In phishing attacks, users are shown a page that looks similar to that of their own bank. If the victim enters his user data and TAN there, they are intercepted.
