Many people have a smartphone nowadays, so the following idea is obvious: "Make the smartphone of the bank customer the TAN generator!" This online banking method has many variants and many names; some call it App-TAN, we call it Smartphone-TAN here. Nearly all banks in Europe offer such a Smartphone-TAN method or have it in their pipeline; examples are the German Sparkassen Push-TAN and the Deutsche Bank photoTAN (app version). Common to all Smartphone-TAN variants is that the secret key for the TAN generation is stored on the smartphone; usually it gets there via a 2D code sent by paper letter from the bank.
The Smartphone-TAN method is very tempting for the banks, for two reasons:
The two main problems with Smartphone-TAN are:
Display-TAN does not have these two problems. Actually, Display-TAN was developed as a solution to the first problem of Smartphone-TAN (and, as a by-product, it also solves the second): storage and processing of the secret key are moved out of the insecure smartphone into the secure bank card.
A Secure Element within the smartphone, like a SIM card or a hardware keychain, does not help much for the security of Smartphone-TAN (though it sounds like it should): the secret key cannot be stolen or copied by the trojan any more, that much is true. But the trojan can still execute, at any time, a secret abuse attack on the secret key: the trojan sends a malicious money transfer to the bank, and when the bank asks for the TAN for it, the trojan contacts the Secure Element and asks for a TAN for the malicious money transfer. The Secure Element cannot distinguish this malicious request from a regular one and will generate the TAN, which the trojan then forwards to the bank.
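The following model, added here as an illustration and not code from the Display-TAN project or any bank, makes the argument of the previous paragraph concrete. It uses a constructed TAN scheme (a 6-digit truncation of an HMAC over the transfer data and a bank challenge) and two hypothetical TAN devices: a `SecureElement` that keeps the key safe but has no display and answers every request, and a `DisplayCard` that shows the transfer on its own display and only releases a TAN after the holder confirms what is shown. An infected phone that swaps the recipient gets a valid TAN from the first device and nothing from the second. All class names, the key and the IBANs are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    """The transaction data a TAN is bound to (constructed, simplified)."""
    iban: str
    amount_cents: int


def compute_tan(secret: bytes, transfer: Transfer, challenge: bytes) -> str:
    """Constructed scheme: 6-digit TAN = truncated HMAC-SHA256 over the
    transfer data plus a per-transaction bank challenge."""
    msg = f"{transfer.iban}|{transfer.amount_cents}|".encode() + challenge
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Holds the same shared secret as the customer's TAN device."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def accept(self, transfer: Transfer, challenge: bytes, tan: Optional[str]) -> bool:
        if tan is None:
            return False
        return hmac.compare_digest(tan, compute_tan(self._secret, transfer, challenge))


class SecureElement:
    """Key cannot be copied out, but the element has no display of its own:
    it computes a TAN for whatever transfer the (possibly infected) phone hands it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def generate_tan(self, transfer: Transfer, challenge: bytes) -> Optional[str]:
        return compute_tan(self._secret, transfer, challenge)


class DisplayCard:
    """Key lives on the card; the card shows the transfer on its own display
    and releases a TAN only if the holder confirms the displayed data."""

    def __init__(self, secret: bytes, holder_confirms: Callable[[Transfer], bool]) -> None:
        self._secret = secret
        self._holder_confirms = holder_confirms  # the holder's check of the card display

    def generate_tan(self, transfer: Transfer, challenge: bytes) -> Optional[str]:
        if not self._holder_confirms(transfer):
            return None  # holder sees a transfer they did not enter and refuses
        return compute_tan(self._secret, transfer, challenge)


def submit_transfer(bank: Bank, device, entered: Transfer,
                    phone_infected: bool) -> Tuple[Transfer, bool]:
    """Model of the phone side. A clean phone submits what the holder entered;
    an infected phone submits a swapped recipient (the 'secret abuse' of the key)
    and forwards the bank's challenge to the TAN device."""
    submitted = entered
    if phone_infected:
        submitted = Transfer("DE00000000000000000000", entered.amount_cents)  # constructed
    challenge = bank.new_challenge()
    tan = device.generate_tan(submitted, challenge)
    return submitted, bank.accept(submitted, challenge, tan)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; never a real key
    bank = Bank(secret)
    intended = Transfer("DE89370400440532013000", 12_000)  # constructed
    print("Secure Element, infected phone:",
          submit_transfer(bank, SecureElement(secret), intended, phone_infected=True))
    card = DisplayCard(secret, lambda shown: shown == intended)
    print("Display card, infected phone:",
          submit_transfer(bank, card, intended, phone_infected=True))
    print("Display card, clean phone:",
          submit_transfer(bank, card, intended, phone_infected=False))
```

The `holder_confirms` callback stands for the human comparison between the card's display and what the holder meant to send; that comparison is the only step the trojan cannot perform on the holder's behalf, which is why moving the key into a device with its own display changes the outcome while a keystore without a display does not.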
A security/usability comparison of mobile banking methods is available as a PDF.
With Smartphone-TAN there are no hardware costs for the bank. Ongoing costs arise when the customer gets a new smartphone and needs a re-initialisation. Postage etc. should on average be much less expensive than for Display-TAN.