E-banking: Attention mTAN & Co.

For some time now, the majority of banks have been using mobile authentication methods both for logging into e-banking and for authorizing payments via e-banking: With the mobileTAN (mTAN) procedure, for example, the bank sends a confirmation code to the customer via SMS. For some years now, criminals have been trying to intercept the SMS confirmation codes (mTAN) on the customer's smartphone using smartphone malware and then use them for e-banking fraud, as the Reporting and Analysis Center for Information Assurance (Melani) writes.

Alternative possibility: Safe in principle, but...

The industry has therefore developed alternative authentication methods to mTAN, which are already being used by various banks. In this case, a QR code or mosaic is displayed to the customer in the e-banking portal when logging in or for sighting a payment. The customer can scan this with an app on his smartphone or an independent (autonomous) device.

Depending on the product, the login or payment verification is confirmed directly in the app or the app generates a code that the customer must then enter in the e-banking portal. Products with such an authentication method that are used by Swiss banks include PhotoTAN, CrontoSign, SecureSign.

In principle, this authentication method is considered secure. In many cases, however, customers can be deceived by social engineering and visualize payments even when they could recognize the process as fraudulent, for example, if an obviously false recipient account is displayed in the app or if payment data is already displayed during the login process.

Beware of the Retefe malware

Melani is aware of current e-banking fraud attempts on authentication methods such as PhotoTAN, CrontoSign or SecureSign. In Switzerland, for example, the long-known malware Retefe is currently capable of using social engineering to encourage e-banking customers to make fraudulent payments via PhotoTAN, CrontoSign or SecureSign.

When dealing with authentication methods via smartphone, such as mTAN, PhotoTAN, CrontoSign or SecureSign, Melani recommends:

• Make sure that when you log in to e-banking on the mobile device (e.g. smartphone or dedicated PhotoTAN device), you really confirm the login and that it is not already the viz. of a payment.
• If you are sighting a payment, always read the full text on the mobile device and check the amount and recipient (name, IBAN) of the payment before releasing it.
• Install apps only from the official app store (Google Play Store or Apple iTunes). Never install apps from unknown sources, even if you are asked to do so. Do not modify your device in such a way that essential security mechanisms are undermined (e.g. rooting, jailbreaking).
• If you receive an unsolicited SMS confirmation code (mTAN), contact your bank immediately.
• If you notice any irregularities when logging into e-banking, contact your bank immediately.
• Such irregularities include:

1. Security message before logging into e-banking. For example, "In connection with the modernization of the security system, you may be asked to provide additional identification when logging into the user account. [...]"
2. Error message after logging into e-banking. For example, "Error! Due to a technical problem, we are unable to find the page you are looking for. Please try again in 2 minutes."
3. Security message after logging into e-banking (e.g. "Security measure"), prompting you to enter landline or cell phone number
4. Request to install a mobile app after logging into e-banking
5. After logging into e-banking, for example, the user is redirected to a website that is not associated with the bank (e.g., google.ch).
6. Timer after login to e-banking. For example (see Figure 2): "Please wait... (Please wait one minute, do not reload the page).

Source: Reporting and Analysis Centre for Information Assurance (Melani)