Definition

TAN (transaction authentication number)

Contributor(s): Matthew Haughn

A transaction authentication number (TAN) is a type of single-use password used for an online banking transaction in conjunction with a standard ID and password.

TANs are often in a list made by a financial institution and sent to the owner of the account. The list contains unique single-use passwords or passphrases. Each time users authenticate, they use one of the passwords and then cross it off the list. The lists may operate in sequential order or include an index system for the TANs, in which case the bank asks for the TAN under a specific index. The financial institution maintains a database of users and their respective lists and tracks which number is currently slated next for use. Some TAN systems are smartphone-based. In these systems, the user receives an SMS message from their bank containing the TAN.
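The server-side bookkeeping for an indexed TAN list, as described above, can be sketched as follows. This is an added example, not code from any bank or TAN product; the class name `IndexedTanList`, the six-digit TAN format, the lockout threshold and the one-attempt-per-challenge rule are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold for this example


class IndexedTanList:
    """Server-side record of one account's indexed TAN list."""

    def __init__(self, size=10, digits=6):
        # Plaintext list that would be sent to the account owner
        # (kept on the object only so the example can play the customer).
        self.printed = {i: f"{secrets.randbelow(10 ** digits):0{digits}d}"
                        for i in range(1, size + 1)}
        self._key = secrets.token_bytes(32)
        # The server keeps only keyed digests of the unused entries.
        self._unused = {i: self._mac(i, t) for i, t in self.printed.items()}
        self._pending = None  # (index, transaction) awaiting a TAN
        self.failures = 0

    def _mac(self, index, tan):
        msg = f"{index}:{tan}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def challenge(self, transaction):
        """Pick an unused index and tie the request to one transaction."""
        if self.failures >= MAX_FAILURES or not self._unused:
            raise RuntimeError("list locked or exhausted")
        index = secrets.choice(sorted(self._unused))
        self._pending = (index, transaction)
        return index

    def verify(self, transaction, tan):
        """Accept a TAN once, only for the challenged index and transaction."""
        pending, self._pending = self._pending, None  # one attempt per challenge
        if pending is None or pending[1] != transaction:
            return False
        index = pending[0]
        ok = hmac.compare_digest(self._unused[index], self._mac(index, tan))
        if ok:
            del self._unused[index]  # "cross it off the list"
            self.failures = 0
        else:
            self.failures += 1
        return ok
```

The transaction binding here is server-side bookkeeping only: a TAN from a pre-issued list is not derived from the transaction details.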

TAN systems work reasonably well to add a modicum of extra security in an inexpensive and relatively simple-to-implement way. Since the technology involved uses software that keeps server-side and client-side lists synchronized, it’s also easy for an institution to maintain. However, almost all TAN variants are vulnerable to man-in-the-middle or phishing attacks. Those that use out-of-band authentication, such as SMS messages on mobile phones, are more secure in that an attacker has to compromise two communication channels to steal the information needed to complete a transaction.

Some TAN systems were created to protect against these attack vectors. ChipTAN uses security data from a user’s bank card, as read by a chipTAN generator (a type of security key fob), to generate a TAN. PhotoTAN is a system in which the bank generates and sends an encrypted message containing a QR code image to a smartphone or standalone device. Both of these TAN methods provide stronger two-factor authentication when combined with a standard login. Nevertheless, out-of-band authentication methods are not impervious to attack. The Zeus Trojan is just one example of malware designed to steal SMS authentication data for online banking.

This was last updated in August 2014

Next Steps

As more and more users conduct their online banking transactions through their computers or mobile phones, the transaction authentication number is an important component that keeps users safe. Two-factor authentication that relies on SMS messages containing a TAN for online banking can be compromised, but that does not mean multifactor authentication should not be used at all. To learn more about MFA, read our comparison of MFA tools to explore product choices, and read about how to build a business case for MFA.


Join the conversation


Do you trust TAN systems?
As of yet, no, my business is not completely sold on the TAN systems. In order for that trust to grow, there needs to be a longer record of service with more recommendations coming from other users of the tech setup. Our business is not averse to TAN systems, we just need more information and onsite reviews before we commit and fully trust TAN systems.