Transaction Authentication Number - Classic TAN

Classic TAN

An outline of how TANs function:

1. The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list, enough to last half a year for a normal user; each TAN being six or eight characters long.
2. The user picks up the list from the nearest bank branch (presenting a passport, an ID card or similar document) or is sent the TAN list through mail.
3. The password (PIN) is mailed separately.
4. To log on to his/her account, the user must enter user name (often the account number) and password (PIN). This may give access to account information but the ability to process transactions is disabled.
5. To perform a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
6. The TAN has now been consumed and will not be recognized for any further transactions.
7. If the TAN list is compromised, the user may cancel it by notifying the bank.

However, as any TAN can be used for any transaction, TANs are still prone to phishing attacks where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against man-in-the-middle attacks where an attacker intercepts the transmission of the TAN and uses it for a forged transaction. Especially when the client system should become compromised by some form of malware that enables a malicious user, the possibility of an unauthorized transaction is high. It should be noticed that the remaining TANs remain uncompromised and can be used safely, even though action should be taken by the user as soon as possible.