An overview of all TAN methods and how they work

iTAN, pushTAN, mTAN, photoTAN – atechbook explains what all the TAN procedures are about.

In online banking, every transaction must be verified with a TAN, a transaction number. This is created individually for each transaction. And there are various TAN procedures for this purpose.

Why do you need TAN numbers?

There is no online banking without TANs. Although chip card readers and electronic signatures are also popular for conducting banking transactions remotely, most banks work with at least one of the various TAN procedures.

The abbreviation TAN stands for transaction number. Such a number corresponds to a one-time password that consists only of digits and expires immediately after use. With the help of such a TAN, transactions are approved by the bank without having to provide a signature on the spot.

There are various ways to generate such a number and send it to the user, offering different levels of security and user-friendliness.

iTAN – the paper lists

The “i” stands for “indexed,” and iTANs are the oldest of the variants mentioned here. Many people certainly still remember the lists that online banking users received by mail. If you wanted to make a transfer online, you were asked to enter a sequence of numbers from the list. iTANs replaced the original TAN procedure, which let users decide for themselves which of the number sequences on the list to enter. iTAN lists, in turn, number their TANs, which makes it possible for the bank to request one specific TAN by its index.

TAN lists were the cheapest method because they did not require any additional technical equipment. However, the security gaps were comparatively large. That’s why paper TAN lists have been banned by EU regulation since September 14, 2019.


mTAN – message via SMS

Among other things, the paper lists have been replaced by the mTAN procedure. Here the “m” stands for “mobile,” which is why mTANs are often called SMS TANs. The bank generates a TAN for each order and sends it to the user as an SMS immediately after the order is placed. As a security measure, the number combination expires after ten to twelve minutes. Some banks also charge the user a small fee – around 12 cents per message. Incidentally, the procedure is not only used for banking. Many other online services, such as the messenger service “Telegram”, also use mTANs to verify accounts, as they are relatively easy to generate and can be sent within seconds using only the user’s telephone number.

However, the BSI (German Federal Office for Information Security) warns against sending TANs via SMS. On the one hand, the procedure is very user-friendly and practical. On the other hand, SMS messages are easier to intercept, which entails a not inconsiderable risk of misuse. Many banks therefore no longer offer SMS TANs or mTANs at all, or only at the explicit request of customers. Recently, for example, the Sparkassen and Volksbanken announced that they would abolish the mTAN procedure.

eTAN – TAN generator and chip card

With the eTAN procedure, on the other hand, a TAN generator and, if necessary, the bank’s chip card are used as a second source of authentication (to a certain extent). This is why the procedure is sometimes also referred to as chipTAN. As a rule, the financial institution with which you are a customer provides the generator when you activate the procedure. These generators are not tied to a specific chip card, so one device per household is sufficient. When asked to verify a transaction, you insert the card into the generator and either hold the generator to the flickering code shown on the screen of the device you are using or type the displayed code in manually. The generator then generates a TAN from the chip in the card and the transmitted order data. The procedure can also be used without a bank card. However, this variant, in which the generator derives the TAN from the order data and its own internal keys, is less common.

Overall, eTANs are considered to be fairly secure because two independent devices are used. Especially in combination with the bank card, there are rarely any security concerns.
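A simplified model of the generation step described above, to show why a TAN derived from the order data cannot be reused for a different order, a second time, or after it has expired. This is an added example, not code from atechbook or from any bank’s actual chipTAN implementation; the HMAC-SHA256 construction, the per-card counter, the card key and the order string are all assumptions.

```python
import hmac
import hashlib

TAN_DIGITS = 6
TAN_LIFETIME_SECONDS = 10 * 60   # lower end of the 10-12 minute window the article mentions

# Constructed demo values, not a real chip secret or real account data.
CARD_KEY = b"constructed-demo-key-not-a-real-chip-secret"
ORDER = "DE00 0000 0000 0000 0000 00;100.00 EUR;constructed recipient"


def derive_tan(card_key: bytes, counter: int, order_data: str) -> str:
    """Generator side: bind the TAN to the order data and a per-card counter.

    The key stands in for the secret on the card's chip (assumed scheme). Any
    change to order_data yields a different TAN, so a TAN confirmed for one
    transfer cannot approve a manipulated one.
    """
    msg = counter.to_bytes(8, "big") + order_data.encode("utf-8")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                   # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** TAN_DIGITS).zfill(TAN_DIGITS)


class TanVerifier:
    """Bank side: issues one challenge per order and accepts each TAN only once."""

    def __init__(self, card_key: bytes, lifetime: int = TAN_LIFETIME_SECONDS):
        self.card_key = card_key
        self.lifetime = lifetime
        self.pending = {}   # counter -> (order_data, issued_at)
        self.used = set()   # counters whose TAN has already been consumed

    def issue_challenge(self, counter: int, order_data: str, now: int) -> None:
        self.pending[counter] = (order_data, now)

    def verify(self, counter: int, order_data: str, tan: str, now: int) -> bool:
        if counter in self.used or counter not in self.pending:
            return False                                      # replay or unknown challenge
        issued_order, issued_at = self.pending[counter]
        if now - issued_at > self.lifetime:
            return False                                      # TAN expired
        if issued_order != order_data:
            return False                                      # order changed after the challenge
        expected = derive_tan(self.card_key, counter, order_data)
        if not hmac.compare_digest(expected, tan):
            return False                                      # wrong TAN
        self.used.add(counter)                                # one-time use
        del self.pending[counter]
        return True
```

The order data shown on the generator’s display is exactly what the TAN is bound to, which is why the article’s advice to check the order data before confirming matters.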

pushTAN – the app as a solution

The app-based pushTAN procedure is increasingly popular. Financial institutions use their own app and send the TANs to the user through it, similar to the mTAN variant. The app responds to transactions and delivers the requested TAN to the mobile device after a general password has been entered.

Security with this procedure is also very high, as users need both a specific terminal device and a personal password. The safest way to protect your account is to place the order from a device other than the one on which the app is installed, for example via PC, while the TAN arrives on your smartphone. The disadvantage of the method is, of course, that users are forced to install their bank’s particular app. In addition, the apps usually stop working when the manufacturer stops providing the mobile device with security updates.


photoTAN – graphic codes

The photoTAN procedure is very similar to eTAN with the chip card, and it also works with the help of an app. This application is registered with the bank before it is used. To verify a bank order, an encrypted graphic or QR code appears on the screen, which is why photoTANs are sometimes also called QR-TANs. The app decodes the graphic and uses it to generate a TAN that is only valid for this order. Instead of an app, banks sometimes also offer special reader devices.

For security reasons, this method is also considered good because it again uses two separate devices. In addition, graphical data encryption does not offer hackers a large attack surface. The security gap in this case is the customer’s smartphone. The apps usually do not require a separate password, so photoTANs are potentially vulnerable to cell phone Trojans.

Which TAN procedure to use when

First of all, your bank usually determines which procedures it offers. Large institutions in particular, such as Commerzbank or Deutsche Bank, like to use mTANs (costing between 9 and 12 cents per SMS) because they are particularly user-friendly and quick to implement. Banks with an online focus, such as ING-DiBa, work more with a so-called banking-to-go app, which either generates a number via pushTAN or requires a password for approval.

The important criteria for classifying a TAN procedure are security, flexibility and user interface. In general, the versions of TAN generation used in Germany are secure for users. The comparatively insecure procedure of iTAN lists was abolished by EU decree, as already mentioned. Additional security is provided by a procedure that involves at least two devices, such as the generator and the chip card in the case of eTAN. However, this also increases the effort for the user.

General security tips

Do not use the same mobile device for placing the order and receiving the TAN. A risk here is of course the loss of the receiving device; smartphones are more exposed in this respect because you also use them for many other activities. A TAN generator or a special reader for photoTANs is the safest solution.

General security precautions such as up-to-date anti-virus software on your PC and cell phone also increase the overall security of your online banking. In addition, do not place banking orders on public networks or from third-party devices and, when making transfers, check the order data before confirming by TAN.