
iTAN: Online banking procedure explained

iTAN procedure: Farewell

Further PSD2 requirements have been in force since September 2019, including the abolition of the iTAN for current accounts.

iTAN explanation

The iTAN list is a further development of the TAN list procedure. The “i” stands for “indexed”: each TAN is referred to by its number on the list.

In this procedure, the customer received a list of numbered TANs from their bank.

How the iTAN procedure works

During an online transaction, the customer was asked to enter the TAN associated with the number displayed. After use, the TAN was crossed out. As soon as all of them had been used, the customer received a new list.

Advantages

Difficult to crack without a list:

In order to make a transfer, the user needed the exact TAN behind the displayed number.

If a fraudster intercepted a TAN, there was little chance that he could use it for his own transfer, as the system would ask for a different number.

Dangers

Phishing

The fraudsters can use phishing attacks to obtain a TAN which, with a bit of luck, they can use for a subsequent transfer. However, this only works if exactly this TAN is requested. This probability is very low.

Example

Tanja follows the link to her bank that she received by e-mail. She has no idea that it is not her bank’s site, but a similar-looking site belonging to the fraudsters. As always, she enters her transfer details and her TAN no. 45. However, the fraudsters intercept the TAN and start a new transfer. If the bank asks them for TAN no. 45, they can empty the account.

Trojan

This is why fraudsters usually rely on man-in-the-middle attacks. A Trojan installed on the user’s computer intervenes during a transaction and sends the data not to the bank, but to the fraudsters. They can change the amount or replace the account number with their own.

Example

Tanja enters the TAN with the number 45. After she clicks on Send, the connection is interrupted and she tries again, this time with a different TAN. At the same time, the fraudsters use her TAN 45, change the amount of money and the recipient account remotely and thus empty her account.
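
The following is an added example, not part of the original page or any bank's code: a small Python model of the bank-side iTAN check. It shows why a captured TAN seldom matches the number the bank asks for next, and why the check cannot notice a transfer whose amount or recipient was changed on the way. The class name, method names, list size of 100 and 6-digit TAN length are assumptions made for the illustration.

```python
import secrets

class ITanBank:
    """Bank-side model of the iTAN check (constructed for illustration)."""

    def __init__(self, list_size=100):
        # Numbered list of distinct 6-digit TANs, as sent to the customer.
        values = secrets.SystemRandom().sample(range(10**6), list_size)
        self.tans = {i: f"{v:06d}" for i, v in enumerate(values, start=1)}
        self.pending = None  # list number the bank is currently asking for

    def customer_list(self):
        return dict(self.tans)  # copy of the paper list the customer holds

    def challenge(self, forced_index=None):
        # The bank, not the customer, decides which unused number is asked for.
        # forced_index exists only so the model can be exercised deterministically.
        if forced_index in self.tans:
            self.pending = forced_index
        else:
            self.pending = secrets.choice(sorted(self.tans))
        return self.pending

    def confirm(self, transfer, tan):
        # 'transfer' is deliberately unused: an iTAN is tied to a list number,
        # not to the amount or recipient that reaches the bank.
        index, self.pending = self.pending, None
        if index is None or not secrets.compare_digest(self.tans[index], tan):
            return False
        del self.tans[index]  # "crossed out": every TAN works once
        return True

    def reuse_chance(self, captured_index):
        # Probability that the next challenge asks for one captured, unused TAN.
        return 1 / len(self.tans) if captured_index in self.tans else 0.0

def demo():
    bank = ITanBank()
    paper = bank.customer_list()
    bank.challenge(forced_index=46)
    wrong_number = bank.confirm({"to": "A", "amount": 50}, paper[45])
    bank.challenge(forced_index=45)
    # Same TAN, different transfer details: the check cannot tell them apart.
    altered = bank.confirm({"to": "B", "amount": 5000}, paper[45])
    return wrong_number, altered, bank.reuse_chance(45)
```

The missing link between TAN and transfer details is what transaction-bound procedures add: there the confirmation code is derived from the amount and recipient, so a changed transfer no longer matches.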