Kaay Display-TAN

Comparison with Smartphone-TAN (= App-TAN)

Many people have a smartphone nowadays, so the following idea is obvious: ''Make the bank customer's smartphone the TAN generator!'' This Online Banking method has many variants and many names; some call it App-TAN, here we call it Smartphone-TAN. Nearly all banks in Europe offer such a Smartphone-TAN method or have it in their pipeline; examples are the German Sparkassen Push-TAN and Deutsche Bank photoTAN (app version). Common to all Smartphone-TAN variants is that the secret key for TAN generation is stored on the smartphone; usually it gets there via a 2D code that the bank sends to the customer by paper letter.

The Smartphone-TAN method is very tempting for banks, for two reasons:

  1. Costs: The bank does not have to provide a TAN-generator to the customer.
  2. Mobility: The customers can use it in a mobile fashion.

The two main problems with Smartphone-TAN are:

  1. Security: The smartphone is, like every computer, an insecure device, and the secret key for TAN generation is stored on it! Most dangerous are smartphone trojans sitting secretly deep within the smartphone operating system. The bank's Smartphone-TAN app has, like every app, only limited rights, so in the end the app will lose the fight for the secret key against a compromised operating system that holds all rights. That is, the trojan will eventually obtain the secret key and can then execute any money transfer at any time with it (the same trojan has also captured the bank account password when the customer entered it on the smartphone). If the trojan is well made, the Smartphone-TAN app will, because of its limited rights, not even be able to detect that the operating system has been compromised.
  2. Usability: A smartphone change (smartphone lost/stolen/broken/new) means an annoying re-initialisation of the new smartphone for the customer via paper letter from the bank. Another usability problem of Smartphone-TAN, also caused by the fact that the smartphone holds the bank's secret key, is that it can usually only be used on that one mobile device, not on a second or third device (a second smartphone, a tablet, etc.).

Display-TAN does not have these two problems. Actually, Display-TAN was developed as a solution to the first problem of Smartphone-TAN (and, as a by-product, it also solves the second): storage and processing of the secret key are moved out of the insecure smartphone into the secure bank card.

A Secure Element within the smartphone, such as a SIM card or a hardware keychain, does not help much for the security of Smartphone-TAN, even though it may sound that way. It is true that the secret key can then no longer be stolen or copied by the trojan. But the trojan can still, at any time, carry out a secret abuse attack on the key: the trojan sends a malicious money transfer to the bank, and when the bank asks for the TAN for it, the trojan contacts the Secure Element and asks for a TAN for that malicious transfer. The Secure Element cannot distinguish this malicious request from a regular one made by the banking app, so it generates the TAN, which the trojan then forwards to the bank.
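The two attacks described above (key theft from the phone in item 1 of the problem list, and secret abuse of a Secure Element in the paragraph just above) can be simulated end to end. The following is an added example written for this page, not code from Kaay or from any bank; the TAN scheme (a six-digit truncation of an HMAC over the bank's challenge and the transfer data), the class names and the sample transfer are all assumptions made for the demo.

```python
"""Simulation of key theft (App-TAN) and secret abuse (Secure Element).

Added example, not Kaay or bank code. The TAN scheme below, a truncated
HMAC over (challenge || transfer data), is an assumed simplification of
real App-TAN schemes; the point it makes does not depend on the details.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    iban: str
    amount_cents: int
    reference: str

    def encode(self) -> bytes:
        return f"{self.iban}|{self.amount_cents}|{self.reference}".encode()


def tan_for(secret: bytes, challenge: bytes, t: Transfer) -> str:
    """Six-digit TAN bound to the bank challenge and the transfer (assumed scheme)."""
    digest = hmac.new(secret, challenge + t.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Holds a copy of the customer's secret and verifies submitted TANs."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: dict[bytes, Transfer] = {}
        self.executed: list[Transfer] = []

    def request_tan(self, t: Transfer) -> bytes:
        """Record the transfer and hand out a fresh, single-use challenge."""
        challenge = secrets.token_bytes(8)
        self._pending[challenge] = t
        return challenge

    def submit(self, challenge: bytes, tan: str) -> bool:
        """Consume the challenge; execute the transfer only if the TAN matches."""
        t = self._pending.pop(challenge, None)
        if t is None:
            return False
        if not hmac.compare_digest(tan, tan_for(self._secret, challenge, t)):
            return False
        self.executed.append(t)
        return True


class PhoneKeyStore:
    """App-TAN variant: the secret lives in app storage on the phone."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret  # readable by anything running with OS-level rights


class SecureElement:
    """SE variant: the key never leaves, but generate() answers any caller."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # no accessor: the key cannot be copied out

    def generate(self, challenge: bytes, t: Transfer) -> str:
        # No display and no user confirmation here: the SE cannot tell
        # whether the banking app or a trojan is asking.
        return tan_for(self._secret, challenge, t)


# Constructed sample transfer used by both attacks (not real data).
ATTACKER = Transfer("DE00ATTACKER0000000000", 250_000, "invoice 4711")


def key_theft_attack(bank: Bank, store: PhoneKeyStore) -> bool:
    """Trojan with OS-level access copies the key and signs its own transfer."""
    stolen = store.secret
    challenge = bank.request_tan(ATTACKER)
    return bank.submit(challenge, tan_for(stolen, challenge, ATTACKER))


def secure_element_abuse(bank: Bank, se: SecureElement) -> bool:
    """Trojan never sees the key; it asks the SE for a TAN exactly as the app would."""
    challenge = bank.request_tan(ATTACKER)
    return bank.submit(challenge, se.generate(challenge, ATTACKER))


def demo() -> tuple[bool, bool]:
    """Run both attacks against fresh banks; True means the transfer executed."""
    secret = secrets.token_bytes(32)  # stands in for the key from the 2D-code letter
    bank_a, bank_b = Bank(secret), Bank(secret)
    return (key_theft_attack(bank_a, PhoneKeyStore(secret)),
            secure_element_abuse(bank_b, SecureElement(secret)))


if __name__ == "__main__":
    theft, abuse = demo()
    print("key theft succeeded:", theft, "/ SE abuse succeeded:", abuse)
```

Both attacks succeed against the bank's check because the bank only learns that a correct TAN was produced for the transfer it was given, never whether the customer actually saw and approved that transfer. Moving the key into a Secure Element closes the first path (there is nothing to copy) but not the second, which is exactly the argument the paragraph above makes.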

A security/usability comparison of Mobile Banking methods: DisplayTANS (PDF)

With Smartphone-TAN there are no hardware costs for the bank. Running costs arise only when a customer gets a new smartphone and needs a re-initialisation; postage etc. should on average be much cheaper than Display-TAN.
