The trouble with mTANs

Claudius van der Meulen|04 November 2015
The trouble with mTANs

A mobile transaction authentication number (mTAN) is a one-time password delivered to users of online systems using the SMS format. Millions of digital banking customers use them today to verify their online transactions with their bank. It is a system that most consumers believe to be secure, but that has been repeatedly compromised over the past years in a variety of ways.

Examples of successful attack types include mobile malware like ZitMo (Zeus-in-the-Mobile) and mobile SIM swaps.

The latter approach has been used in Germany, as recently reported by the Süddeutsche Zeitung. Criminals stole tens of thousands of euros after finding a way around the security systems that rely on mTANs. In a coordinated series of attacks, fraudsters first took control of users’ computers using malware, then stole their mobile numbers through social engineering at the mobile network operator. With these two actions accomplished, they were able to access mTANs and users’ banking login credentials. The losses are estimated to be over €1 million. (Read more on this scam in English here or the original report in German here.)

Successful fraud attacks are, understandably, a subject banks avoid speaking about publicly. It is important to maintain the image of being a safe repository for people’s money. How much banks lose annually to cybercrime is therefore not disclosed, but the amounts must be significant.

With the huge growth in remote banking and payments, the browser in particular becomes the place where fraudsters look for hacking opportunities. Despite the campaigns of the banking industry to educate their clients not to be careless and take the necessary precautions to protect themselves from fraud, consumers remain largely unconcerned about the particular technologies deployed to secure their transactions, believing that it is the banks’ responsibility to provide a safe process. Their focus is on convenience: they want a hassle-free method of transacting online.

To strike the right balance between security and ease of use, financial institutions should look beyond the one-time password and mTAN to solutions offering fully out-of-band, two-factor authentication.

Entersekt is the front-runner in this area, offering a combination of unique mobile device identification, end-to-end encrypted communication between the device and financial institution, digital transaction signing, SIM-swap and malware protection, and a no-fuss, push-based, mobile-centered authentication process that is extremely user-friendly. As specialists in online and mobile banking authentication, Entersekt has attracted a growing list of bank customers. Some originally thought they could develop their own solution but found that a proven, off-the-shelf solution, as offered by Entersekt, saved them time, money, and heartache.

For more information on the inherent vulnerability of one-time passwords and mTANs, please download our complimentary white paper, OTP: Security past its expiration date, now in its second edition.


About the author

Claudius van der Meulen

Claudius van der Meulen

SVP Europe

Claudius manages Entersekt’s European business from our offices in the Netherlands. He’s a seasoned salesperson with two decades’ experience working in information technology at companies like Sun Microsystems and ACI Worldwide, and has been fundamental to our success in the region.

Subscribe to our newsletter for our latest news, press releases and events

logo entersekt

Entersekt is an international software development company based just outside of Cape Town, South Africa.

We are leaders in authentication, app security, and payments enablement technology, offering a highly scalable solution set with a track record of success across multiple continents.