TAN procedures: All you need to know about TAN
A quick guide to the six TAN procedures
TAN is short for transaction number and is the key to authorizing a transaction. Only after the user types in the six-digit code is the money transferred to the receiver’s account. What started out as a simple analog list of codes has turned into a large variety of digital TAN procedures.
These are the most widely used TAN procedures in Germany:
iTAN is the prototype of all TAN procedures. Distributed to users in the form of a printed list, it contains a certain number of TAN codes. For every transaction, the bank requests one code from the list. Once all codes are used up, the user receives a new list.
Expert comment: This is the most secure procedure on all devices and operating systems, because the authenticity of the TAN codes is guaranteed by the list.
For the chipTAN procedure, users receive a TAN generator from their bank. It has a slot into which the card has to be inserted. Before a transaction can be kicked off, five flickering bars appear on the computer or phone screen. To generate the TAN, the user holds the generator in front of the marked area of the flicker code on the screen. That initiates the TAN generation. The TAN then appears in the window of the generator.
Similar to the optical chipTAN, the manual chipTAN also requires a TAN generator with a card slot. Before a transaction gets authorized, a start code appears on the screen. This code is the first thing to type into the generator, followed by the recipient’s account details and the amount. The generator creates a TAN from this information and displays the final TAN code in its window.
With photoTAN, all transaction details necessary for generating a TAN are hidden behind a colored pixel graphic. To generate a TAN from this graphic, the user needs either an app provided by the bank or a photoTAN reader. Similar to a QR reader, the app or reader decodes the graphic and generates the actual TAN. The user then copies the TAN and pastes it into the TAN field in the transaction window.
Expert comment: All three TAN procedures are considered safe for iOS, macOS, Android and Windows, because they always involve two independent devices to generate a TAN. It is therefore almost impossible to compromise a TAN. Regarding photoTAN, we advise using only the procedure involving a reader, not the app.
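The manual chipTAN flow described above ties the TAN to the start code, the recipient and the amount. The following added example (not Outbank's or any bank's code) sketches that binding with an HMAC truncated to six digits and shows the bank rejecting the TAN when the order it receives differs from what the user typed into the generator. The shared key, the field encoding, the sample values and the HMAC construction are assumptions; the page does not specify the algorithm a real generator uses.

```python
import hashlib
import hmac
import struct

# Constructed demo key. Assumption: card and bank share a secret; on a real
# card the key never leaves the chip.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def canonical(start_code: str, iban: str, amount_cents: int) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted."""
    iban = iban.replace(" ", "").upper()
    parts = [start_code.encode(), iban.encode(), str(amount_cents).encode()]
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)


def generate_tan(key: bytes, start_code: str, iban: str, amount_cents: int) -> str:
    """Generator side: six-digit TAN derived from what the user typed in."""
    mac = hmac.new(key, canonical(start_code, iban, amount_cents), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def bank_verifies(key: bytes, start_code: str, iban: str, amount_cents: int, tan: str) -> bool:
    """Bank side: recompute the TAN for the order it actually received."""
    expected = generate_tan(key, start_code, iban, amount_cents)
    return hmac.compare_digest(expected, tan)


def demo() -> dict:
    # Constructed sample transaction: what the user reads and types into the generator.
    start, iban, cents = "82716", "DE89 3704 0044 0532 0130 00", 12500
    tan = generate_tan(CARD_KEY, start, iban, cents)
    return {
        "intended order": bank_verifies(CARD_KEY, start, iban, cents, tan),
        # Order changed in transit (different recipient or amount): TAN no longer fits.
        "altered recipient": bank_verifies(CARD_KEY, start, "DE02120300000000202051", cents, tan),
        "altered amount": bank_verifies(CARD_KEY, start, iban, 1250000, tan),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A list-based TAN such as iTAN carries no transaction data, so the same check cannot tell the intended order from an altered one.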
In the mobileTAN procedure, the bank sends the TAN by SMS to the mobile phone number provided.
Expert comment: Apple secures the integrity of SMS. So far, that security layer has made it impossible to hijack messages on Apple devices. We can therefore say that mobileTAN is safe to use on iOS. However, we still advise users to go for a two-device option. Android users should always use two devices to generate a mobileTAN.
pushTAN requires an app. Before a transaction is authorized, the user receives a notification in the pushTAN app. The notification contains certain transaction information which the user needs to verify. Once confirmed, the TAN gets generated.
Expert comment: Since the pushTAN procedure takes place entirely on one device, the chance of hackers intercepting is higher than in the other procedures. Apple follows rather strict rules in the App Store and only allows secure TAN-generating apps. However, we advise Apple users to preferably use TAN procedures that require two separate devices. Android users should not use pushTAN.
Which TAN procedures are available to you is defined by your bank. Usually banks offer 2-3 different options from which you can choose the one you’re most comfortable with. While Outbank can’t interfere with the TAN procedures, we provide additional safety precautions, for example by integrating a secure keyboard for Android users. This prevents a keylogger from illicitly recording keyboard entries. Read here about all the other security measures Outbank implemented to protect user data at all times.