My bank is abolishing the smsTAN - What now?

First of all, the planned abolition of the smsTAN procedure is no cause for alarm. Many banks are moving away from the smsTAN because alternative methods are more secure. Your bank will offer you another option to generate a TAN, which is required for online banking. For customers, this means that the security of online banking will be increased in the future, but they will have to get used to a new procedure.

With the smsTAN (also known as mTAN), your bank sends a transaction number (TAN) by text message to your smartphone when, for instance, you initiate a transfer. This prevents criminals from moving money if, for example, they have obtained your password. Although the smsTAN is user-friendly and practical, text messages can be intercepted by someone with the appropriate technical knowledge.

Alternatives to smsTAN

If your bank informs you that the smsTAN procedure will be discontinued in the next few months, you have time to find out about alternative options. However, the bank will probably not leave the choice of TAN method up to you, but will provide you with explanations on how to use the new technology.

PushTAN/AppTAN: App on the smartphone

The pushTAN procedure operates under different names at the various banks. To use this procedure, a smartphone or tablet and the corresponding pushTAN app are required. After registering for the procedure with the bank, customers receive the access code for the app. Each time customers enter transaction data into the browser or the banking app, the data entered is displayed again in the pushTAN app for confirmation. After the customer has confirmed the transaction data, the TAN is generated. This number must then be entered in the browser or the banking app to complete the verification. Some apps do this automatically. The security of the TAN method can be increased by using two different devices for banking and TAN generation. It is recommended to always use the latest version of the banking apps.

eTAN/ChipTAN: TAN generator with girocard

With the ChipTAN method, two independent devices are used. First, a graphical code is generated from the transaction data and read with the ChipTAN generator, which must be activated beforehand with the corresponding bank card. The generator derives a transaction number from the graphic. Because the generator is not connected to the Internet, it cannot be attacked remotely. If generated TANs fall into the hands of unauthorized persons, no other transactions can be processed with them, because they are dynamically linked to the respective transfer.
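
The dynamic link between a TAN and its transfer can be illustrated with the following added example, which is not part of the original page and is not the actual ChipTAN algorithm. It assumes a shared card key, a per-card counter and an HMAC with HOTP-style truncation; all names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def transaction_tan(card_key: bytes, counter: int, iban: str, amount_cents: int) -> str:
    """Simplified transaction-bound TAN: HMAC over the transfer data, cut to 6 digits."""
    iban = iban.replace(" ", "").upper()
    msg = f"{counter}|{iban}|{amount_cents}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation (RFC 4226)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Bank:
    """Bank side (hypothetical): recomputes the TAN for the transfer it would execute."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_counter = 0  # assumption: counter rises with every generated TAN

    def release(self, counter: int, iban: str, amount_cents: int, tan: str) -> bool:
        if counter <= self.last_counter:  # a TAN is accepted once only
            return False
        expected = transaction_tan(self.card_key, counter, iban, amount_cents)
        if not hmac.compare_digest(expected, tan):
            return False  # TAN does not belong to this recipient and amount
        self.last_counter = counter
        return True


# Constructed sample data, not real account details or key material.
CARD_KEY = b"constructed-demo-key-not-a-real-card-secret"
GOOD_IBAN = "DE00 0000 0000 0000 0000 01"
OTHER_IBAN = "DE00 0000 0000 0000 0000 02"


def demo() -> dict:
    bank = Bank(CARD_KEY)
    tan = transaction_tan(CARD_KEY, 1, GOOD_IBAN, 12_500)  # customer confirms 125.00
    return {
        "other_recipient": bank.release(1, OTHER_IBAN, 12_500, tan),
        "other_amount": bank.release(1, GOOD_IBAN, 999_900, tan),
        "original": bank.release(1, GOOD_IBAN, 12_500, tan),
        "reused": bank.release(1, GOOD_IBAN, 12_500, tan),
    }


if __name__ == "__main__":
    print(demo())
```

A TAN obtained by a third party is rejected for any transfer whose recipient or amount differs from what the customer confirmed, and it cannot be submitted a second time.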

PhotoTAN/QR-TAN: Graphics on the PC plus a reader or smartphone app

For this TAN method, two separate devices are used. After the transaction data has been entered, a graphic appears on the screen and is read with the corresponding photoTAN app. The code contained in the graphic is converted into a TAN, which is used to release the transaction. The encrypted data in the graphic offers hardly any target for cyber attacks. In addition, the app is secured with a password. The customer’s smartphone could be vulnerable to cyber attacks if apps are not updated regularly.

Which TAN method should be used?

Customers have only limited influence on which TAN method their bank offers. The banks themselves determine which procedures they use. Most banks offer apps for mobile devices, so pushTAN is commonly used. For bank customers, this method offers a good level of security when used correctly. For the banks, pushTAN incurs the lowest costs. PhotoTAN is another secure method, because the data necessary for generating the TAN is displayed on an additional device. However, an external TAN generator remains the most secure method, as it is not connected to the Internet and is used exclusively for online banking. In general, the variety of TAN methods used in Germany is secure as long as users always execute banking and TAN generation on different devices.