Researchers crack photoTAN procedures

“Safe, easy, fast”. With these words Commerzbank advertises the use of photoTAN in online banking. Scientists from Bavaria have now discovered a weak point in the process.

According to a report in the “Süddeutsche Zeitung”, two IT security researchers have managed to crack the photoTAN procedure used in mobile banking on manipulated Android smartphones. After the two researchers from the Friedrich-Alexander-Universität Erlangen-Nürnberg installed malware on the devices, they were able to redirect online transfers or create them themselves. However, the transactions could only be manipulated if the banking app and the photoTAN app were installed on the same device.

According to the researchers Vincent Haupert and Tilo Müller, the attacks could target the financial institutions Deutsche Bank, Norisbank and Commerzbank. “For us it is no problem at all to hide the actual transfer afterwards,” said Haupert. As long as a customer conducts his banking transactions on the move, the manipulation remains undetected.

The photoTAN procedure generates a one-time password. When the procedure was introduced, an image of roughly three by three centimeters, made up of small dots that contain the transaction data, was generated on the PC monitor. In this variant, the graphic is scanned with the smartphone or a reader. Once the photoTAN has been decrypted, the transaction data (amount and name of the recipient of a transfer) and a seven-digit transaction number with which the transfer can be approved are shown on the screen for checking.
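As an added illustration, not the banks’ real scheme and not the researchers’ code, the following simplified Python model shows the property the check described above relies on: the seven-digit TAN is bound to the amount and recipient, so the bank rejects it for any other transfer. The key, the payload format and the function names are assumptions; what the model cannot capture is the customer’s comparison of the displayed data with what they intended, which is exactly the step that depends on the reader running on a separate, trustworthy device.

```python
import hmac
import hashlib
import json
import secrets
from typing import Optional, Tuple

# Constructed demo secret shared by the bank and the enrolled reader app.
# The real photoTAN activation secret and the graphic encoding are not public.
DEMO_READER_KEY = b"demo-key-not-the-real-phototan-secret"


def canonical(transaction: dict) -> bytes:
    """Serialize the fields the TAN must be bound to, in a fixed order."""
    return json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode()


def derive_tan(key: bytes, transaction: dict, nonce: str) -> str:
    """Seven-digit TAN derived as an HMAC over recipient, IBAN, amount and nonce."""
    mac = hmac.new(key, canonical(transaction) + nonce.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10_000_000:07d}"


def issue_challenge(transaction: dict, nonce: Optional[str] = None) -> dict:
    """Bank side: the data that would be encoded into the dot graphic (model only)."""
    return {"tx": transaction, "nonce": nonce or secrets.token_hex(8)}


def reader_decode(key: bytes, challenge: dict) -> Tuple[str, str]:
    """Reader side: show amount and recipient for checking, plus the TAN."""
    tx = challenge["tx"]
    display = f"{tx['amount_cents'] / 100:.2f} EUR to {tx['recipient']} ({tx['iban']})"
    return display, derive_tan(key, tx, challenge["nonce"])


def bank_verify(key: bytes, transaction: dict, nonce: str, tan: str) -> bool:
    """Bank side: accept the TAN only for the transaction it is about to execute."""
    return hmac.compare_digest(derive_tan(key, transaction, nonce), tan)


if __name__ == "__main__":
    # Constructed sample transfer; the IBAN is a placeholder, not a real account.
    intended = {"recipient": "Erika Mustermann", "iban": "DE00000000000000000000", "amount_cents": 12345}
    challenge = issue_challenge(intended)
    shown, tan = reader_decode(DEMO_READER_KEY, challenge)
    print(shown, tan)
    print(bank_verify(DEMO_READER_KEY, intended, challenge["nonce"], tan))  # True
    altered = dict(intended, iban="DE11111111111111111111")
    print(bank_verify(DEMO_READER_KEY, altered, challenge["nonce"], tan))  # False
```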


From the researchers’ point of view, the critical case is when the banking application and the photoTAN app are on the same device, because the two-way authentication that is actually intended is then undermined. The researchers still consider the use of photoTAN on a PC with an external reader to be safe. The attack by the two security researchers requires that a malware-infected app already be installed on the victim’s smartphone.

“That makes the attack more difficult, but not impossible,” says Haupert. Malware such as “Godless” and “Hummingbad” shows this: it made it into the official Google app store and would have worked on 90 percent of all Android smartphones. Ten million devices were affected.


The attack scenario was demonstrated on Google’s Android system. In principle, an attack is also conceivable on Apple’s iOS. The iOS malware Pegasus showed that not only Android smartphones can be attacked. However, the security model of Apple’s software is more restrictive, so the chance of catching malware is lower than on Android.

When asked, press spokespeople from Deutsche Bank and Norisbank point out that security is taken very seriously: “When used correctly, all legitimation procedures are secure.” Customers decide which procedure suits them best according to their own preferences. In its reply, Commerzbank states that it will reimburse the full amount in the event of damage. The bank gives customers security instructions on its website. The bank is not aware of the attack carried out by the researchers.