Outflanking and securely using the PIN/TAN-System

A. Wiesmaier, M. Fischer, M. Lippert, J. Buchmann
2005-05-26
Abstract: The PIN/TAN-system is an authentication and authorization scheme used in e-business. Like other similar schemes it is successfully attacked by criminals. After briefly classifying the various kinds of attacks, we carry out malicious code attacks on real World Wide Web transaction systems. In doing so we find that it is really easy to outflank these systems. This is even supported by the users' behavior. We give a few simple behavior rules to improve this situation, but their impact is limited. The providers also facilitate the attacks through implementation flaws in their installations. Finally we show that the PIN/TAN-system is not suitable for usage in highly secure applications.
Cryptography and Security
What problem does this paper attempt to address?
### Problems the paper attempts to solve

This paper examines the security of the PIN/TAN system and the ways in which it can be circumvented. Specifically, the authors approach this through the following aspects:

1. **Classifying and evaluating attacks**: The paper first classifies and describes the different types of attacks against the PIN/TAN system, including man-in-the-middle, spyware and phishing attacks. These attack methods demonstrate the vulnerability of the PIN/TAN system in practical use.
2. **Conducting real attack experiments**: To understand the weaknesses of the PIN/TAN system in practice, the authors designed and carried out real attack experiments. They successfully attacked multiple online bank accounts using simple tools and techniques, showing that the protection of the PIN/TAN system can be bypassed without advanced hacking skills.
3. **Analyzing the impact of user behavior**: The paper also studies how user behavior affects system security. It finds that reckless behavior (such as downloading unknown code or ignoring network security) and even ordinary input habits (such as entering information in a fixed sequence) inadvertently help attackers obtain sensitive information.
4. **Revealing implementation flaws on the provider side**: By testing the online services of several German banks, the authors discovered serious flaws in how providers implement the PIN/TAN system: no additional verification is required when logging in again after a transaction is interrupted, concurrent sessions are allowed, and user input is easy to distinguish.
5. **Theoretical analysis of the inherent defects of the PIN/TAN system**: Finally, the authors analyze the fundamental problems of the PIN/TAN system in theory, concluding that its design deficiencies make it unsuitable for highly secure application scenarios.
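As an added illustration (not code from the paper), the following Python model shows the server-side rules that would close the three implementation flaws listed under point 4: at most one live session per account, session termination on any interruption so that the PIN must be presented again rather than the old session resumed, and single-use TANs with a guess limit. The account name, PIN and TAN values are constructed sample data, and the guess limit of three is an assumption, not a figure from the paper.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample data: PINs and TAN lists below are made up for this demo.
@dataclass
class Account:
    pin: str
    tans: Set[str]                  # TANs on the customer's list not yet used
    session: Optional[str] = None   # at most one live session per account
    failed_tans: int = 0            # wrong TANs presented in the current session

class TanServer:
    """Minimal PIN/TAN authoriser enforcing three defensive rules."""
    MAX_TAN_FAILURES = 3            # assumption: lock the session after 3 guesses

    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts
        self.sessions: Dict[str, str] = {}   # session token -> account id

    def login(self, acct_id: str, pin: str) -> Optional[str]:
        acct = self.accounts.get(acct_id)
        if acct is None or not secrets.compare_digest(acct.pin, pin):
            return None
        if acct.session is not None:
            return None             # rule 1: refuse a concurrent second session
        token = secrets.token_hex(16)
        acct.session = token
        self.sessions[token] = acct_id
        return token

    def end_session(self, token: str) -> None:
        """Rule 2: an interruption or logout kills the session; the next access
        must present the PIN again instead of silently resuming the old one."""
        acct_id = self.sessions.pop(token, None)
        if acct_id is not None:
            self.accounts[acct_id].session = None
            self.accounts[acct_id].failed_tans = 0

    def transfer(self, token: str, tan: str) -> bool:
        acct_id = self.sessions.get(token)
        if acct_id is None:
            return False            # no live session: interrupted, ended or never opened
        acct = self.accounts[acct_id]
        if tan not in acct.tans:
            acct.failed_tans += 1
            if acct.failed_tans >= self.MAX_TAN_FAILURES:
                self.end_session(token)   # stop TAN guessing inside one session
            return False
        acct.tans.remove(tan)       # rule 3: every TAN is consumed on first use
        acct.failed_tans = 0
        return True

def demo_server() -> TanServer:
    return TanServer({"alice": Account(pin="1234", tans={"100001", "100002"})})
```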
### Conclusion

In summary, the problem the paper attempts to address is the security of the PIN/TAN system in e-commerce, online banking and similar fields. Through empirical experiments and theoretical analysis, it reveals the system's practical security risks and inherent weaknesses. This indicates that the PIN/TAN system is not suitable for application environments requiring high security guarantees, and that more effective alternatives or improvements are needed.