
Mobile TANs cannot fully guarantee two-factor authentication

These figures give banks food for thought, because the credit institution always bears the risk of misuse in online banking. Many institutions have therefore already responded by improving their security procedures and have begun replacing their previous TAN lists. It is questionable, however, whether switching to the mobile TAN will produce the desired result. With this procedure, after logging on to the bank the customer receives a transaction-related TAN by SMS on his mobile phone, so no additional hardware is required. Since a fraudster cannot simultaneously eavesdrop on the customer's PC (customer to bank) and on the mobile phone network (bank to customer), the mobile TAN method is regarded as relatively secure.

This may be true compared to the simple TAN list. However, the two communication channels are subject to different security regulations, and the banks have no influence on the infrastructure of the mobile phone network. This includes the exact point in time at which the SMS is delivered, quite apart from the cost that SMS-TAN distribution incurs. Moreover, PIN entry for authentication on smartphones is only optional, and it is relatively easy to obtain a replacement SIM card (the carrier of the mobile phone number) from the provider in case of loss. It is therefore doubtful whether one can speak of two-factor authentication through possession (mobile phone number) and knowledge (PIN) in this case. Negative experience with mobile online banking has been documented, for example in South Africa.

A completely different alternative is protection via chip card using the HBCI (Home Banking Computer Interface) procedure. This method ensures a very high security standard, but the user needs dedicated software and a chip card reader for it. These restrictions explain why the procedure has met with a poor response on the market.

Finally, a third method of secure online banking is the TAN generator. At the press of a button these devices generate a TAN that is valid only for a short period of time and is shown on the device display. The method, also known as "Smart TAN", substantially impedes the interception and misuse of user data. With the more intelligent "Smart TAN Plus" method the customer enters certain transaction data into a special card reader, which generates a TAN in conjunction with the bank card. The bank computer then computes the TAN as well and releases the transaction if the two match. Since the calculated TAN can only be used for this one transaction and is derived with the aid of the bank card, this procedure is evaluated as very secure. Only the entry of the transaction data on the reader's keypad is sometimes regarded as inconvenient, and it leaves room for erroneous entries.
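The security property behind both the transaction-related mobile TAN and the "Smart TAN Plus" reader is the same: the TAN is bound to the transaction data and to a short time window, so a TAN intercepted or entered for one transfer cannot be replayed for another. The following Python model is an added illustration of that binding and is not the page's, Gemalto's or any bank's code. The actual Smart TAN Plus algorithm is not described on the page; the HMAC-SHA256 construction, the 60-second step, the 6-digit length and all account numbers and keys below are assumptions and constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values (not from the page): a per-card secret that the
# bank shares with the chip on the customer's card, and a fixed clock reading
# so the demonstration is deterministic.
CARD_KEY = b"constructed-per-card-secret-0001"
NOW = 1_700_000_000.0


@dataclass(frozen=True)
class Transaction:
    """The data the customer keys into the reader (constructed field set)."""
    recipient_account: str   # destination account, e.g. "DE00 TEST 0000 0000 01"
    amount_cents: int        # amount in minor units
    reference: str           # transfer reference shown on the statement


def _canonical(tx: Transaction, step: int) -> bytes:
    # Fixed field order and a separator that is not allowed in any field,
    # so two different transactions can never encode to the same bytes.
    for field in (tx.recipient_account, tx.reference):
        if "|" in field:
            raise ValueError("separator character not allowed in transaction fields")
    return f"{tx.recipient_account}|{tx.amount_cents}|{tx.reference}|{step}".encode()


def _tan_for_step(card_key: bytes, tx: Transaction, step: int, digits: int) -> str:
    # Keyed MAC over transaction data plus time step; truncation in the spirit of
    # HOTP (RFC 4226) dynamic truncation. Assumed construction, not Smart TAN Plus.
    mac = hmac.new(card_key, _canonical(tx, step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def generate_tan(card_key: bytes, tx: Transaction, now: float,
                 step_seconds: int = 60, digits: int = 6) -> str:
    """Reader side: what the card reader would display for this transaction."""
    return _tan_for_step(card_key, tx, int(now // step_seconds), digits)


class BankVerifier:
    """Bank side: recomputes the TAN, tolerates one step of entry delay,
    and refuses any TAN that has already been accepted (single use)."""

    def __init__(self, card_key: bytes, step_seconds: int = 60,
                 window: int = 1, digits: int = 6) -> None:
        self.card_key = card_key
        self.step_seconds = step_seconds
        self.window = window
        self.digits = digits
        self.used: set = set()

    def verify(self, tx: Transaction, tan: str, now: float) -> bool:
        step = int(now // self.step_seconds)
        for s in range(step, step - self.window - 1, -1):
            expected = _tan_for_step(self.card_key, tx, s, self.digits)
            if hmac.compare_digest(expected, tan):
                token = (tx, s, tan)
                if token in self.used:
                    return False          # replay of an already used TAN
                self.used.add(token)
                return True
        return False                      # wrong data or outside the time window


def demo() -> dict:
    """Run the scenarios the text describes; returns a dict of outcomes."""
    bank = BankVerifier(CARD_KEY)
    legit = Transaction("DE00 TEST 0000 0000 01", 12_500, "Invoice 4711")
    tan = generate_tan(CARD_KEY, legit, NOW)
    # Malware on the PC swaps the destination account after the customer
    # has read the TAN off the reader; the bank's recomputation must not match.
    tampered = Transaction("DE00 TEST 9999 9999 99", 12_500, "Invoice 4711")
    return {
        "legit_accepted": bank.verify(legit, tan, NOW + 30),
        "replay_rejected": not bank.verify(legit, tan, NOW + 30),
        "tampered_rejected": not bank.verify(tampered, tan, NOW + 30),
        "expired_rejected": not BankVerifier(CARD_KEY).verify(legit, tan, NOW + 120),
        "delayed_accepted": BankVerifier(CARD_KEY).verify(legit, tan, NOW + 60),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The design choice worth noting for practitioners is that the transaction fields the customer keys in are part of the MAC input. A simple time-based TAN (the plain "Smart TAN" button press) proves possession of the card but says nothing about which transfer is being released; including the recipient account and amount is what stops a manipulated transaction from reusing a correctly generated code.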

 

© 2006-2010 Gemalto NV