TAN procedures offer the highest possible level of security, but they can never guarantee 100% security in online banking – even if some financial institutions claim otherwise. The sobering truth is that, with the exception of HBCI, which is not actually a TAN procedure itself, every procedure has at some point been successfully hacked. Although procedural vulnerabilities have played an important role in every fraud case, a completely different weakness was usually the decisive factor: the customer. Isolated from the bank’s internal security infrastructure, often unfamiliar with IT issues and sometimes impulsive, customers are the weakest link in the chain in the eyes of many criminals.
This is also why cyberattacks on bank accounts always target the account holder first. It is therefore up to the customer to take account security seriously and to develop an awareness of how to handle online banking and TAN procedures securely. In this context, it helps to know and understand the typical course of an attack. There is now a great variety of possible attack scenarios, and every day criminals come up with new ways to obtain money that doesn’t belong to them. We therefore can’t run through every cybercriminal trick, but we will explain the most typical frauds they carry out. The following explanations refer to the TAN procedure.
To exploit the human factor when infiltrating an IT security system, experienced attackers rely not only on a selection of digital and technical tools, but above all on a methodology: social engineering. They try to get their victim to behave incorrectly in a security-critical situation. For example, an attacker could impersonate an employee of an external IT support company who has been asked to solve problems with the accounting and online banking software. In that role, they then try to talk the person on the other end into handing over access or bank data.
The first step of a cyberattack is often infiltration by a Trojan. This is done, for example, by enticing the victim to click an infected link in an email. The more legitimate the email and the sender address appear, the more likely this kind of phishing is to work. Subject lines like “Reminder”, “Account blocked” or “Security check” are meant to pressure the potential victim into opening the email.
- No matter how a bank Trojan gets onto a victim’s online banking device, once it is there it can spy out the corresponding access data. The attacker has overcome the first hurdle.
- Now the attacker needs to defeat the TAN procedure. There are a number of ways to do this, including the following three:
  - Stealing the mobile device is probably the most common method, but it is also the most likely to be noticed immediately by the victim.
  - Another strategy is to use the captured access data to have the device’s mobile number transferred to a second SIM card. The attacker then configures it so that all SMS messages (and therefore all transaction numbers) are delivered to their SIM card, while all other functions (such as telephoning) remain on the victim’s device. This generally takes the victim longer to notice.
  - The man-in-the-middle attack is particularly cunning, since it is more or less invisible: the Trojan nests itself in the victim’s browser and simulates the online banking platform, changing or adding certain elements of it. The unsuspecting victim enters their login information, including the corresponding TAN. In the background, however, the attacker has already captured the data and diverts bank transfers into their own account. Depending on how clever they are, it can take weeks or even months before the damage is discovered.
How a criminal obtains your TAN details is not really relevant to you as a consumer. Instead, you should concentrate on arming yourself against the first steps of a cyberattack (social engineering, bank Trojans). For example, pay attention to the typical signs of phishing, and never hand over sensitive data to third parties, even if they present themselves as a reliable service provider (IT support, accounting service provider, etc.).