TriNetre - Archive for March 06, 2005

(no longer updated)
March 06, 2005
TAN - secure but user friendly?
[Security] @ 11:19 PM

Some banks use TANs (Transaction Numbers) to authenticate user transactions. Wikipedia explains well how TANs work:

  1. The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list, each 8 characters long, which is enough to last half a year for a normal user.
  2. The user picks up the list from the nearest bank branch. The user must typically identify him/herself through presenting a passport, an ID card or similar document.
  3. A few days later, the user receives a 5 digit password by mail to the user's home address. The user is requested to memorise the password, destroy the notice and keep the TAN list in a safe place near the PC.
  4. To log on to his/her account, the user must enter user name and password. This may give access to account information but the ability to process transactions is disabled.
  5. To perform a transaction, the user enters the request and "signs" the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
  6. The TAN has now been consumed and will not be recognized for any further transactions.
  7. If the TAN list is compromised, the user may cancel it by notifying the bank.

The usual practice is to suspend an account if the TAN has been entered wrongly a certain number of times. In short, TANs are used to provide two-factor authentication.
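To make the verification steps concrete, here is a small bank-side model of a TAN list, an example added to this post rather than code from any bank or from Wikipedia: it issues the printed list, keeps only salted digests on the server, accepts each TAN exactly once, suspends the account after repeated wrong entries, and lets the user cancel the list. The character alphabet, the limit of three failures and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: an alphabet without easily confused characters (no 0/O, 1/I/L).
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def tan_digest(salt, tan):
    """Salted digest of a TAN; case and surrounding whitespace are normalised."""
    return hashlib.sha256(salt + tan.strip().upper().encode()).digest()


class TanList:
    def __init__(self, salt, digests, max_failures=3):
        self.salt = salt
        self._unused = list(digests)       # digests of TANs not yet consumed
        self.max_failures = max_failures   # wrong entries tolerated before suspension
        self.failures = 0
        self.suspended = False
        self.cancelled = False

    def cancel(self):
        """Step 7: the user reports the list compromised; nothing on it is accepted again."""
        self.cancelled = True

    def sign(self, tan):
        """Steps 5-6: accept an unused TAN exactly once; suspend after repeated failures."""
        if self.cancelled or self.suspended:
            return False
        d = tan_digest(self.salt, tan)
        hit = None  # compare against every entry so timing does not reveal which one matched
        for u in self._unused:
            if hmac.compare_digest(u, d):
                hit = u
        if hit is None:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.suspended = True
            return False
        self._unused.remove(hit)  # consumed: this TAN is never valid again
        self.failures = 0
        return True


def issue_tan_list(count=50, length=8):
    """Step 1: generate the printed list; the bank stores only salted digests of it."""
    salt = secrets.token_bytes(16)
    printed = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    return TanList(salt, [tan_digest(salt, t) for t in printed]), printed
```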

The problem is that TANs are very user-unfriendly. You need to carry the TAN list around wherever you think you may want to use it. What if you go on holiday but want to pay your utility bill from overseas while you are away? You need to pack your TAN list and travel with it, increasing the chance of it getting soiled or even lost. You will also need to constantly take it with you from office to home and back again.

The e-dentifier system used in the Netherlands is better: at least it is a sturdy device that will not wear out with constant use, unlike paper!