Online banking and safety: TAN Methods


iTAN, mTAN, Photo TAN: whenever a new process is launched, the banks declare it safe. However, hackers always find loopholes, and the current series of fraud cases with the mobile TAN procedure (also called SMS-TAN) in online banking has left bank customers unsettled. One wonders whether the mTAN is still safe and what method one might use to protect oneself against hackers. This article provides an overview of how the various processes work and their benefits.



The classic TAN method is among the online banking methods that are almost extinct. The bank sends the customer a long list of transaction numbers by post. For each transfer the customer can use any TAN from this list. He types this number into the online form before the remittance data is released.


The advantage of this outdated method is that customers liked the fact that the TAN list was portable. One could take the whole list anywhere, or write down a single number and put it in one's wallet.


There is a risk that the list or a single number could be stolen from the letterbox or if it is left lying around. Since the TAN is not bound to a specific transfer, hackers can divert and change the transfer during the online transfer process.

How do I protect myself?

Make sure that the TAN is kept in a safe place.

Alternatively, change to another method.



iTAN stands for “indexed transaction number”. In contrast to the TAN list, the numbers are numbered in this method, so the customer cannot decide freely which TAN is used to authorize a transfer. The online banking system asks specifically for a given TAN from the list. Except for the numbering of the TANs, the iTAN offers no further advantages over the TAN. It has all the other disadvantages of the TAN.



The mTAN is a mobile TAN that is delivered to your mobile phone as an SMS. For a transfer via mobile TAN the customer needs a computer and a mobile phone. First, he enters the data for the transfer order on the PC in the online banking screen. Then the customer initiates the transfer process by requesting a TAN with a mouse click. This arrives by SMS on his mobile phone, whose number has been registered with the bank. Once this TAN is entered on the PC in the online banking site, the bank performs the transfer.


The number expires after a few minutes. In addition, the text message contains data such as the destination account number or the amount transferred, so that the customer can independently see where the money is being transferred.


The mobile phone can be stolen.

Fraudsters can hack into the computers of their victims and spy on mobile phone data and online banking access details. They can order a second SIM card with the same phone number and have SMS messages forwarded to this new SIM card. The mTAN thus ends up with the hackers without the victim noticing anything. This is a problem especially if a client's phone is infected with a trojan.

How do I stay safe?

Clients are advised to keep the security software on their smartphone and PC (antivirus, firewall) up to date and to regularly install updates for all the programs used.

One should keep an eye on account activity and avoid making transfers from a mobile phone.

Clients should never install software updates from unknown sources.


Chip TAN

Chip TAN is available in different variants and under different names. Whether eTAN plus, chip TAN or smart TAN plus: they all rely on a chip card, such as a debit card, to enable a transfer.

The card needs to be inserted into a special device called a TAN generator. This TAN generator has a keyboard on which the user enters the transfer data and gets a TAN of limited validity for the transaction. With smart TAN, a flickering graphic appears on the PC screen and, instead of keyboard input, an optical sensor on the TAN device reads the data from the screen and generates the TAN.


This method is safe because the data used for communication between the client and the bank is stored on the card. Fraudsters cannot get any information from a hacked computer.


The chip TAN procedure is only partially suitable for mobile use. Although users can connect the generator to their smartphone to do mobile online banking, they would also have to carry the TAN generator with them.

How do I stay safe?

If you take care of your debit card, the chip TAN procedure is one of the safest methods.


Photo TAN

In the Photo TAN method, a graphic is created on the computer screen from the order data. The customer must scan it with a smartphone. This is done with an app, which the client has previously activated with a personal code. The mobile phone then generates the transaction number that the client types into the computer to complete the transaction.


It runs through two separate channels: PC and smartphone. If one does not have a smartphone, one can use a special reader.

The data transmitted is encrypted.


It is critical that the generated image encodes not only the TAN but also the order number.

If the image contains only the TAN, it is an invitation for hackers, because they can crack an app with a Trojan horse and access the TAN.

How do I stay safe?

Make sure that the picture shows, next to the TAN, your own inputs such as the account number, the amount of money to be transferred and the payee’s account, and that the reader or smartphone also displays this data accurately. Then the TAN is valid only for the pre-defined transaction.
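The difference between a TAN from a list, which is not bound to a specific transfer, and a TAN that is valid only for the pre-defined transaction can be shown in a short sketch. This is an added example, not code from the article or from any bank: the key, the account numbers, the order number and the derivation (a truncated HMAC over the order data) are assumptions chosen for illustration, not the algorithm of a real TAN procedure.

```python
import hashlib
import hmac

# Constructed sample key; assumed to be shared by the bank and the TAN device.
DEVICE_KEY = b"constructed-demo-key"


def order_bytes(recipient: str, amount_cents: int, order_no: str) -> bytes:
    """Canonical encoding of the order data the customer sees and confirms."""
    return f"{order_no}|{recipient}|{amount_cents}".encode()


def bound_tan(key: bytes, recipient: str, amount_cents: int, order_no: str) -> str:
    """Six-digit TAN derived from the order data (HMAC-SHA256, truncated)."""
    mac = hmac.new(key, order_bytes(recipient, amount_cents, order_no),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_accepts_bound(key, tan, recipient, amount_cents, order_no) -> bool:
    """The bank recomputes the TAN from the order it actually received."""
    expected = bound_tan(key, recipient, amount_cents, order_no)
    return hmac.compare_digest(tan, expected)


def bank_accepts_list_tan(unused_tans: set, tan: str) -> bool:
    """Classic TAN list: any unused number authorizes whatever order arrives."""
    if tan in unused_tans:
        unused_tans.discard(tan)  # each list TAN can be used once
        return True
    return False


def demo() -> dict:
    # Constructed orders: what the customer entered vs. what a manipulated PC submits.
    intended = ("DE00CONSTRUCTED0001", 5000, "A-1001")
    tampered = ("DE00CONSTRUCTED9999", 950000, "A-1001")
    tan = bound_tan(DEVICE_KEY, *intended)
    tan_list = {"482913", "771204"}  # constructed list TANs
    return {
        "bound_intended": bank_accepts_bound(DEVICE_KEY, tan, *intended),
        "bound_tampered": bank_accepts_bound(DEVICE_KEY, tan, *tampered),
        # The list TAN carries no order data, so the changed order is accepted.
        "list_tampered": bank_accepts_list_tan(tan_list, "482913"),
        "list_reuse": bank_accepts_list_tan(tan_list, "482913"),
    }


if __name__ == "__main__":
    print(demo())
```

The binding protects the customer only if the second device shows the order data it used, which is why the advice above is to compare that display with your own inputs.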



Similar to mobile and Photo TAN, the push TAN method requires a smartphone. The client first has to download an app on their smartphone and then initiates an online banking request. This request redirects into the already downloaded app, which has to be activated with a personal access code. The client then checks the transaction and the TAN and proceeds as he would in a normal online banking transaction.


A long access password for the app increases safety.

Each TAN generated with the push TAN is only valid for a particular transaction.

Because no other device is necessary, customers stay mobile: they can easily use the mobile banking app.


Since the entire process runs on the smartphone, there is a threat of being hacked.

How do I stay safe?

Clients should always check the order data displayed in the app (account number, recipient and amount).

One should never use the same password for the push TAN app and the banking app.

Use anti-malware updates only from trusted sources.



HBCI is the abbreviation for “Home Banking Computer Interface”. This procedure is always evolving, and the latest and most reliable method is “HBCI 3”. Clients need a reader connected to the PC, which has a card slot, a keyboard and a display, as well as the appropriate banking software for the PC. As with the chip TAN process, clients insert a chip-equipped, PIN-protected card into the device to authorize a transfer. A so-called signing key is stored on this card, which quasi “signs” the transfer before it is sent to the bank, where the system checks and confirms the signature before the transaction can be executed.


The HBCI method is considered one of the safest ever. All relevant safety aspects are in the card and are protected by a PIN. The TAN doesn’t appear anywhere other than in the device itself. This method is preferably used by companies.


Unfortunately, mobile use of this method is similarly cumbersome to that of the chip TAN method.

How do I stay safe?

Clients should not store the PIN and smart card together.



NFC stands for “Near Field Communication” and combines the advantage of the mTAN procedure with the safety of the chip TAN method. Unlike the chip TAN method, no generator is required for NFC. During the online transaction the customer receives a 2D code displayed on the PC, which he scans with the “Bank app” on his smartphone. After confirming the transfer on the smartphone display, the client simply holds his current account bank card to the smartphone. This scans the chip in the card, and the TAN is sent via radio back to the smartphone.


The advantage of this method is that customers can still rely on a high level of security despite the high degree of mobile convenience.


Not every phone and not every bank card is enabled for NFC.

How do I stay safe?

The greatest danger is the theft of the card. Users should therefore keep an eye on their card and also on their smartphone.
