First of all, the planned abolition of the smsTAN procedure is no reason for alarm. Quite the opposite: Many banks are moving away from the smsTAN because alternatives are safer. However, your bank will still offer you the opportunity to create a TAN, which you need for online banking. For customers, this means that online banking will be better protected in the future, but they will have to get used to a new process.

With the smsTAN procedure (also called mTAN), your bank sends you a transaction number (TAN) via SMS to your smartphone when you, for example, initiate a transfer. This prevents criminals from moving money if they get hold of your password. Although the smsTAN is user-friendly and practical to use, SMS can be intercepted with appropriate technical knowledge.

Alternatives to the smsTAN

If your bank informs you that the smsTAN procedure will be discontinued in the next few months, you have time to find out about alternative options. The bank will probably not let you choose the TAN procedure, but will provide you with explanations on how to use the new technology.

PushTAN/AppTAN: App on the smartphone

The pushTAN procedure goes by different names at different banks. To use it, you need a smartphone or tablet and the corresponding pushTAN app. After registering for the procedure with the bank, customers receive the access code for the app. After the transaction data has been entered in the browser or the banking app, it is displayed again in the pushTAN app so that it can be checked. Once the customer confirms it, the TAN is generated. The TAN must then be entered in the browser or the banking app; some apps do this automatically. The security of the TAN procedure can be increased if two different devices are used for banking and TAN generation. The latest version of the app should always be installed.

eTAN/ChipTAN: TAN generator with girocard

The ChipTAN process uses two independent devices. First, a graphic code is created from the transaction data, which then has to be read by the ChipTAN generator. The generator is activated beforehand with the corresponding bank card and creates a transaction number from the graphic. Since the generator itself is not connected to the internet, it cannot be attacked remotely. Even if the generated TANs fall into the hands of unauthorized persons, no other transactions can be carried out with them because they are dynamically linked to the respective transfer.
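The dynamic linking described above can be sketched in a few lines. This is an added illustration, not part of the original article and not the actual ChipTAN algorithm: it assumes an HMAC-SHA256 over the transfer data with a constructed card key, and all function names, IBANs and values are made up for the demonstration.

```python
import hashlib
import hmac

# Constructed demo secret; the assumption is that the real key never leaves the card chip.
CARD_KEY = b"constructed-demo-card-key"


def canonical(iban: str, amount_cents: int, challenge: str) -> bytes:
    """Serialise the fields the customer checks on the generator display."""
    iban = iban.replace(" ", "").upper()
    return f"{iban}|{amount_cents}|{challenge}".encode()


def make_tan(key: bytes, iban: str, amount_cents: int, challenge: str) -> str:
    """Generator side: derive a 6-digit TAN from the transfer data."""
    data = canonical(iban, amount_cents, challenge)
    digest = hmac.new(key, data, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # HOTP-style dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def bank_accepts(key: bytes, iban: str, amount_cents: int,
                 challenge: str, tan: str) -> bool:
    """Bank side: recompute the TAN for the order that actually arrived."""
    expected = make_tan(key, iban, amount_cents, challenge)
    return hmac.compare_digest(expected, tan)


def demo() -> dict:
    """Constructed scenario: one genuine transfer and two altered ones."""
    payee = "DE00 0000 0000 0000 0000 01"   # constructed IBAN
    other = "DE00 0000 0000 0000 0000 02"   # constructed IBAN
    challenge = "483920"                    # constructed per-order challenge
    tan = make_tan(CARD_KEY, payee, 12_000, challenge)
    return {
        "genuine": bank_accepts(CARD_KEY, payee, 12_000, challenge, tan),
        "other_payee": bank_accepts(CARD_KEY, other, 12_000, challenge, tan),
        "other_amount": bank_accepts(CARD_KEY, payee, 950_000, challenge, tan),
    }


if __name__ == "__main__":
    print(demo())
```

Because the recipient and the amount are part of the input, a TAN that is read or intercepted only approves the one transfer the customer confirmed.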

PhotoTAN/QR-TAN: Graphics on the PC, plus a reader or a smartphone app

This TAN process uses two separate devices. After the transaction data has been entered, a graphic appears on the screen, which is read for the photoTAN using the corresponding app. The code contained in the graphic is converted into a TAN with which the transaction is approved. Graphical data encryption does not offer hackers a large attack surface. The app is also secured with a password. The customer's smartphone could be a security vulnerability if app updates are not installed regularly.

Which TAN procedure should be used?

Customers have only limited influence on which procedure their bank offers. The banks themselves determine which procedures they use. Most banks offer apps for mobile devices, so pushTAN is widely used. If used correctly, the process offers a good level of security for bank customers and the banks incur the lowest costs with pushTAN. Another secure method is available with the PhotoTAN, in which the data for generating the TAN is generated on another device. However, using an external TAN generator remains the safest because it is separate from the Internet and is used exclusively for online banking. In general, the versions of TAN generation used in Germany are secure as long as users always carry out banking and TAN creation on different devices.

Source: BSI


Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.
2) Individual contributions were created through the use of machine assistance and were carefully checked by the Mimikama editorial team before publication.