PhotoTAN banking on mobile devices is not secure

Mobile Banking

FAU computer scientists manipulate smartphone transactions

Mobile banking is convenient – it can be used anywhere, any time, with a single device. More and more people are using this form of banking, and more and more banks are offering this service. The problem is that transactions made using smartphones are not secure. FAU computer scientists have demonstrated this by successfully hacking the photoTAN procedures of three banks. This comes just a year after they highlighted the flaws in the concept of single-device banking by manipulating Sparkasse’s pushTAN app.

What is the photoTAN app?

The photoTAN app is a popular method of authentication for mobile banking that has a particularly high number of users in Germany and Switzerland. In the photoTAN procedure the user must scan a matrix code shown on their PC, laptop or tablet screen; the smartphone app then generates a TAN from this. ‘This procedure is safe in principle as it involves two separate devices,’ says Vincent Haupert from FAU’s Chair of Computer Science 1 (IT Infrastructures). ‘In order to manipulate it, the hacker has to control both devices.’ However, this security concept breaks down in mobile photoTAN banking: because it is not possible to scan the matrix code displayed on the smartphone using the same device, the banking app accesses the TAN app directly in order to initiate the transaction.

PhotoTAN procedure manipulated successfully

Vincent Haupert and his colleague Dr. Tilo Müller have demonstrated for a second time that combining two-factor authentication on one device compromises security. The computer scientists hacked the photoTAN apps of Deutsche Bank, Commerzbank and Norisbank – selected as examples of the system, which is also offered by other banks – on a smartphone and manipulated both the recipient and the amount of the transaction in real time. ‘While a transaction of ten cents to the tax office was shown on the screen, we actually transferred 13 euros to a private account,’ Vincent Haupert explains. ‘The manipulated transaction wasn’t visible to the user at any time.’ The researchers were even able to copy the photoTAN app onto the hacker’s device. The replicated version of the app then generated the same TANs as the original. ‘If a hacker is able to get the log-in details for the banking app, they can make as many transactions from the victim’s account as they like,’ Vincent Haupert says.

All app-based mobile banking procedures affected

The FAU computer scientists’ findings are of concern in light of the revised Directive on Payment Services (PSD2), which entered into force in January 2016 and will become binding for all payment service providers after a two-year transitional period. The European Banking Authority (EBA) recently presented a draft for regulations on strong customer authentication that are to become binding as part of this Directive. The draft states that online payments must be authorised by means of two independent authentication elements categorised as knowledge (passwords, codes), possession (bank card, TAN generator, smartphone) and inherence (biometric features such as fingerprint or iris). In addition, it must be guaranteed that the elements used are independent of one another so that a breach of one authentication element does not also compromise the second. ‘Our study raises questions about the independence of the two authentication elements – in this case the banking app and the photoTAN app – if they are both operated on the same smartphone,’ Vincent Haupert explains. ‘This doesn’t just apply to the pushTAN and photoTAN procedures that we analysed but, in principle, can also be transferred to all app-based authentication procedures in online banking.’

TAN generator provides security

Nevertheless, the FAU researchers say that users do not have to give up the convenience of mobile banking; they should however use a dedicated photoTAN generator provided by their bank for their transactions. This type of generator fulfils the function of the smartphone photoTAN app, scanning the matrix code from the banking app and providing a TAN for the transaction – just like the standard chipTAN generator that is commonly used for online banking. ‘A photoTAN generator is small and compact and easy to take with you,’ says Vincent Haupert. ‘As it is only designed for generating TANs and does not have any other functions or interfaces, it cannot be hacked or infected with a virus. This increases the security of mobile banking considerably.’

Further information:

Vincent Haupert
Phone: +49 152 34701046