Outflanking and securely using the PIN/TAN-System
A. Wiesmaier, M. Fischer, M. Lippert, J. Buchmann

TL;DR
This paper analyzes the vulnerabilities of the PIN/TAN system in e-business, demonstrating how it can be easily outflanked by attacks and user behavior, and concludes it is unsuitable for high-security needs.
Contribution
It provides a classification of attacks, demonstrates real-world malicious code exploits, and offers behavioral and implementation insights to improve security.
Findings
The PIN/TAN system is vulnerable to malicious code attacks
User behavior makes outflanking the system easier
Implementation flaws in providers' installations aid attackers
Abstract
The PIN/TAN-system is an authentication and authorization scheme used in e-business. Like other similar schemes, it is successfully attacked by criminals. After briefly classifying the various kinds of attacks, we carry out malicious code attacks on real World Wide Web transaction systems. In doing so we find that it is very easy to outflank these systems. This is even supported by the users' behavior. We give a few simple behavior rules to improve this situation, but their impact is limited. The providers also support the attacks by having implementation flaws in their installations. Finally, we show that the PIN/TAN-system is not suitable for use in highly secure applications.
Taxonomy
Topics: User Authentication and Security Systems · Advanced Authentication Protocols Security · Cryptographic Implementations and Security
