An easy target for hackers

Image: FAU/Luisa Gerlitz

New app-based TAN system for online banking less secure than previous systems, say FAU researchers

Several German banks, including Hypovereinsbank, Sparkasse, DKB and VR-Bank, are introducing a new system of mobile banking for smartphones. However, IT security researchers Vincent Haupert and Tilo Müller from FAU have shown through a hacker attack that the new app-based TAN system is considerably less secure than previous systems.

The more complex the system, the more vulnerable it is to viruses

As a system becomes more complex and more widely used, it also becomes more vulnerable to viruses and malware, including banking trojans. While ten years ago viruses almost exclusively affected Windows systems, today mobile Android and iOS systems are becoming the most frequent targets for virus writers. With so many different systems and threats, it seems almost impossible for banks today to assume that their online banking customers are using clean, secure end devices.

Modern banking trojans can manipulate transfer data

For this reason, TAN systems are used in online banking to ensure that users are protected from financial losses even if they have carried out a transaction on an insecure device in the past. However, modern banking trojans can do more than record user names, passwords and TANs – they can now also secretly manipulate transfer data. When transfer data is manipulated, the victim confirms what appears to be the correct transaction using a TAN and does not notice that the transfer amount and recipient have been changed in the background.

TAN generators are more secure

While standard list-based TAN systems are unable to prevent this sort of attack, modern TAN systems are designed to prevent this kind of hidden manipulation. The now well-established chipTAN system that links information on the recipient and amount to a specific TAN was introduced back in 2006. In the chipTAN system the user must enter their transfer data in a separate, secure TAN generator that generates a TAN using their bank card. The TAN that is generated in this manner is only valid for the transfer data that has been entered and cannot be misused for manipulated transactions.

Secure but inconvenient?

Although the chipTAN system is secure, many users find having to use a second device for their transactions inconvenient. For this reason, several German banks, including Hypovereinsbank, Sparkasse, DKB and VR-Bank, are introducing a new mobile banking system for smartphones. This system requires two apps. First the user enters the transfer data in the first app. This data is transferred to the bank and a TAN is generated which is sent to the second app on the smartphone. Then the user has to enter the TAN from the second app in the first app to complete the transaction. This means that online banking can be done using a single iOS or Android device – in a way that is supposed to be more secure compared to established systems.

Mobile banking: a step back for security

However, Vincent Haupert and Tilo Müller, researchers at FAU’s Chair of Computer Science 1 (IT Infrastructures), have shown that the new system has actually taken a step back in terms of security. The system sacrifices the high security standards of established systems such as chipTAN for the sake of convenience. While the researchers consider this a legitimate decision, they believe that advertisements should not suggest that the system offers the same level of security as chipTAN.

Evidence from a hacker attack

To provide evidence to support their claim, Haupert and Müller hacked a new app-based system used by a large German financial services network. During the attack, manipulated transactions were confirmed via the app. The researchers demonstrated that they were able to increase the transaction amount from EUR 0.10 to EUR 13.37 and change the recipient of the transaction as they pleased without the (fictitious) victim noticing. Due to the security mechanisms in the app, the hack was very technically challenging and required several weeks of analysis. The researchers also had to execute malicious code on the victim’s transfer device in order to hack it successfully. However, the researchers say, this is the exact scenario that current TAN systems protect against.

Security problems of app TANs unsolvable

The security problems of such app-based TAN systems cannot be solved with better programming as they are due to the structure of the system, more specifically the ‘two-factor authentication’, which is a weak concept. If a transaction is triggered on the same device that is responsible for generating and receiving TANs, it is not possible for the system to protect against banking trojans. If a banking trojan is running with system rights and therefore on a higher privilege level than the app itself, it will always be able to get around the security mechanisms. According to Haupert and Müller, what is even more worrying is that TÜV has classified the system as particularly secure and certified it, despite the clear weaknesses in its design.
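A simplified model of the transaction binding described for chipTAN above, and of why that binding stops helping when the transfer and the TAN are handled on one compromised device. This is an added example, not part of the original article or the researchers' work; the HMAC-SHA256 construction, key, challenge, account labels and function names are assumptions for illustration and not the real chipTAN algorithm.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not real banking data).
CARD_KEY = b"constructed-demo-key"        # secret shared by bank and card
CHALLENGE = b"constructed-challenge-01"   # per-transaction value from the bank

def bound_tan(key, challenge, recipient, amount_cents):
    """6-digit TAN bound to recipient and amount (simplified model)."""
    msg = b"|".join([challenge, recipient.encode(), str(amount_cents).encode()])
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bank_accepts(submitted, tan):
    """Bank recomputes the TAN over the transfer data it actually received."""
    expected = bound_tan(CARD_KEY, CHALLENGE, *submitted)
    return hmac.compare_digest(expected, tan)

def separate_generator_flow(intended, submitted):
    """chipTAN-style: the user types the intended data into an independent
    TAN generator, so the TAN only matches what the user really wanted."""
    tan = bound_tan(CARD_KEY, CHALLENGE, *intended)
    return bank_accepts(submitted, tan)

def same_device_flow(intended, submitted, display_is_trusted):
    """App-style: the bank issues the TAN for the data it received; the
    user's only check is what the same device displays."""
    tan = bound_tan(CARD_KEY, CHALLENGE, *submitted)
    # A device running malicious code can show the user what they expect.
    shown = submitted if display_is_trusted else intended
    user_confirms = shown == intended
    return user_confirms and bank_accepts(submitted, tan)

# Amounts follow the article: EUR 0.10 intended, EUR 13.37 after manipulation.
intended = ("Intended recipient (constructed)", 10)
manipulated = ("Other recipient (constructed)", 1337)

if __name__ == "__main__":
    print("separate generator, clean:      ",
          separate_generator_flow(intended, intended))
    print("separate generator, manipulated:",
          separate_generator_flow(intended, manipulated))
    print("same device, trusted display:   ",
          same_device_flow(intended, manipulated, True))
    print("same device, untrusted display: ",
          same_device_flow(intended, manipulated, False))
```

In this model the manipulated transfer is rejected whenever the check runs on something the compromised device cannot influence, and is accepted only in the last case, where the display the user relies on is controlled by the same device.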

Decide for yourself

The two IT security experts have come to the following conclusion: not all users of app-based TAN systems need to be worried about their savings being stolen, especially if they have good reason to assume that there is no malicious code running on their device. However, they should be given transparent information about the increased risk so that they can decide for themselves which TAN system they want to use for their online banking transactions.

Further information:

Dr. Tilo Müller
Phone: +49 9131 8569904

Vincent Haupert