Financial institutions strive to make e-banking as secure as possible, using a variety of log-in processes and technologies. The following overview covers the processes and technologies currently in use and explains how they work.

TAN List

With the classic TAN process, customers receive a password or PIN from their financial institution plus a list of character strings (TANs) on paper. During log-in and for any subsequent actions, customers must use the first or next unused TAN on their list, enter it into the log-in mask of their e-banking provider and cross it off the list afterwards, as each TAN may only be used once. TANs supplement the password or PIN: password or PIN, TAN and ID number are sent to the financial institution together for checking. Once all TANs on a list have been used, customers receive a new list from their financial institution.

Tips:

  • Keep your character string (TAN) list in a safe place.
  • Don't save your character string (TAN) list in any electronic form.
  • Don't note down passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your e-banking log-in mask.

iTAN

With the iTAN procedure, customers receive a list of indexed character strings (iTANs) from their financial institution. During log-in, customers enter their ID number and their password or PIN into the log-in mask of their e-banking provider and transmit these data to the financial institution.

The financial institution confirms data they currently have on file (e. g. customer name and time of last log-in) back to the customer, and requests a certain iTAN. Customers then type in the requested iTAN and transmit it back to the financial institution by way of confirmation.

Customers therefore cannot confirm their log-in simply by using the next TAN on their list; instead, the financial institution requests a specific, randomly chosen iTAN, identified by its index number, from their active list.

Tips:

  • Keep your iTAN list in a safe place.
  • Don't save your iTAN list in any electronic form.
  • Don't note down passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your e-banking log-in mask.

The iTAN process - an overview

mTAN (mobile TAN or SMS TAN)

As the name suggests, this process uses a second communication channel in addition to the Internet: the mobile phone network. After customers log in with their ID number and password or PIN, the financial institution sends an access code (mTAN) by SMS. Only once this access code has been entered are customers granted access to their account. In addition, potentially risky transactions must be confirmed by mTAN. Not every remittance requires confirmation: many systems remember a customer's recurring payment recipients, so not every single remittance has to be confirmed.

The additional communication channel makes it more difficult for attackers to phish out TANs.

Tips:

  • When confirming transactions, always make absolutely sure that you check all data to be signed.
  • Don't keep your mobile phone and your access data together in the same place.
  • Don't use your mobile phone for e-banking.
  • Don't note down passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your e-banking log-in mask.

The mTAN process - an overview

eTAN

With the eTAN process, customers receive a PIN or password and an electronic TAN generator from their financial institution. The generator shows the eTAN to be used on its display. TAN generators contain a clock that is accurately synchronised with the financial institution's time, so they always show the exact time and the eTAN displayed is in step with the server. In all other respects, the log-in procedure is identical to the TAN process.
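Added illustration (not code from this page or from any bank): how a time-synchronised eTAN generator and the server arrive at the same code. Both derive the eTAN from a shared device secret and the current 30-second time step, so an accurate clock is all the generator needs; the server tolerates one step of clock drift, which is why a code captured minutes earlier is useless. The secret, step length and digit count are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample values (assumptions): the per-device secret shared between
# the TAN generator and the bank's server, the time step, and the TAN length.
DEVICE_SECRET = b"constructed-device-secret-not-a-real-key"
STEP_SECONDS = 30
TAN_DIGITS = 6


def etan_at(secret: bytes, unix_time: int) -> str:
    """TAN shown on the generator's display at the given clock time.

    Generator and server run the same derivation: an HMAC over the number of
    elapsed time steps, truncated to TAN_DIGITS decimal digits (the RFC 6238
    TOTP construction). Only a correct clock and the secret are needed."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TAN_DIGITS)).zfill(TAN_DIGITS)


def server_accepts(secret: bytes, submitted: str, server_time: int,
                   drift_steps: int = 1) -> bool:
    """Server-side check of a submitted eTAN.

    Recomputes the TAN for the current step and for drift_steps neighbouring
    steps, so a generator clock that is a few seconds off still works, while a
    TAN captured minutes earlier is rejected. Comparison is constant-time."""
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = etan_at(secret, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    shown = etan_at(DEVICE_SECRET, now)
    print("generator display:", shown)
    print("accepted now:", server_accepts(DEVICE_SECRET, shown, now))
    print("accepted 5 min later:", server_accepts(DEVICE_SECRET, shown, now + 300))
```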

Tips:

  • Keep your electronic TAN generator in a safe place, and not together with your access data.
  • Don't note down passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your e-banking log-in mask.

Chip TAN

For the Chip TAN process, customers require a password or PIN, a card reader and a bank card from their financial institution. During log-in, customers first enter their ID number and their password or PIN. The financial institution's website then shows a one-off code (challenge code) to be entered into the card reader and asks for the matching access code for this customer (response code). The response code is generated by the card reader together with the bank card from the one-off code (challenge code) shown.

Tips:

  • Keep your bank card in a safe place, and not together with your access data.
  • Don't note down passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your e-banking log-in mask.

The Chip-TAN process - an overview

USB stick with hardened web browser

With the USB stick process, a hardened browser on a write-protected USB stick is used. This browser can be used in the same way as any browser installed on your computer, with the one difference that attackers cannot manipulate a hardened browser. This prevents any malicious software from being activated.

Hardened browsers usually start automatically when the stick is inserted into the USB port. Using this hardened browser, customers then log into their e-banking as usual, with one of the log-in procedures described above.

Tips:

  • Don't keep your USB stick together with your other secret elements in the same place.
  • Don't note down passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your e-banking log-in mask.

USB stick with hardened web browser and certificate

This process is similar to the "USB stick with hardened browser" process described above. However, an additional personal certificate is used as well. This certificate is issued by the financial institution or a certification agency. In addition to your stick, you will need a password to log in.

Tips:

  • Don't keep your USB stick together with your other secret elements in the same place.
  • Don't note down passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your e-banking log-in mask.

Zone Trusted Information Channel (ZTIC)

The ZTIC process uses a USB device. It increases security by establishing a secure connection from the customer's computer to the financial institution's server, and relieves customers of having to check the server's authenticity themselves: the ZTIC device only allows SSL/TLS connections to known, preconfigured servers.

Transaction data received from the financial institution's server via its website are securely transferred to the ZTIC device, which displays them to the customer in unaltered form (analogous to mTAN). The transaction is only triggered once the customer has authorised it by pressing a key.

As with the two USB stick methods described above, malware is currently not able to attack a ZTIC device and infect it.

You will find a (YouTube) video introducing the ZTIC process here.

Tips:

  • Don't keep your USB device in the same place as your secret elements.
  • Don’t write down any passwords or PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into the log-in mask of your e-banking service and/or your e-banking devices (TAN generator etc.).

The ZTIC process - an overview

Flicker TAN

To use the Flicker TAN method (optical TAN procedure), customers need a password or PIN and a so-called Flicker TAN generator. A Flicker TAN generator differs from a standard TAN generator in that it incorporates 5 sensors which enable the device to capture optical information (the so-called flicker code). It is also fitted with a keypad or fingerprint reader.

Once a transaction has been entered, a graphic consisting of five flickering black-and-white fields appears on the customer's PC screen. These flickering fields carry the details of the transaction just entered in a manner which guarantees their authenticity. When you then hold the Flicker TAN generator with its optical sensors pointing towards the screen, it captures the information transmitted by the financial institution, decodes it and displays it (similar to the mTAN procedure). This allows customers to verify and then authorise the transaction just requested.

As long as bank customers check the transaction data shown on the generator's display before confirming it, this process protects against attacks that attempt to manipulate transactions (e.g. man-in-the-browser attacks).

Tips:

  • Keep your Flicker TAN generator in a safe place, and separate from any other access data.
  • Don’t write down any of your passwords or PINs, unless you can keep such notes strictly under lock and key.
  • Make sure you only ever enter your password or PIN into the e-banking log-in screen.

The Flicker TAN process - an overview

Photo TAN

To use the Photo TAN method, customers require a password or PIN and a smartphone with a Photo TAN app installed, which captures the optical information and decrypts it; alternatively, a stand-alone Photo TAN reader device can be used instead.

Once a transaction has been entered, a static, coloured mosaic appears on the customer's screen, carrying the details of the transaction just entered in unaltered form. The smartphone camera or the reader device captures this information, decrypts it and shows it on the display of the device used (analogous to the mTAN method). This allows customers to verify and authorise the transaction.

As long as bank customers check the transaction data shown on the app's or reader's display before confirming it, this process protects against attacks that attempt to manipulate transactions (e.g. man-in-the-browser attacks).
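Added illustration for the Chip TAN, Flicker TAN and Photo TAN procedures (example code, not any bank's implementation): the response code is computed over a challenge that contains the recipient and amount the bank received, so a code obtained for one payment cannot be reused for another, and the generator's own display lets the customer spot a transaction that a manipulated browser changed on its way to the bank. The card key, challenge format and IBANs are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed value (assumption): the key on the bank card, also known to the
# bank's server. On a real card the key never leaves the chip.
CARD_KEY = b"constructed-card-key-not-a-real-secret"


def bank_issue_challenge(tx: dict) -> str:
    """Bank server: challenge (start code) for the transaction the browser sent.
    Recipient and amount are folded in, so the response is only valid for this
    exact transaction; the fresh nonce stops a captured response being replayed."""
    return f"{secrets.token_hex(4)}|{tx['iban']}|{tx['amount']}"

def reader_decode(challenge: str) -> dict:
    """Card reader (or Flicker/Photo TAN generator): decode the challenge and show
    recipient and amount on its own display, which browser malware cannot alter."""
    _nonce, iban, amount = challenge.split("|")
    return {"iban": iban, "amount": amount}

def reader_response(card_key: bytes, challenge: str, digits: int = 6) -> str:
    """Card + reader: the response code (TAN) is an HMAC over the whole challenge."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

def bank_verify(card_key: bytes, challenge: str, response: str) -> bool:
    """Bank server: recompute the response for the challenge it issued."""
    return hmac.compare_digest(reader_response(card_key, challenge), response)

def run_scenario(intended: dict, received_by_bank: dict) -> dict:
    """End to end: the bank only knows what the browser sent; the customer must
    compare the reader's display with the intended payment before releasing the TAN."""
    challenge = bank_issue_challenge(received_by_bank)
    if reader_decode(challenge) != intended:      # the human check the text insists on
        return {"customer_confirmed": False, "bank_accepted": False}
    response = reader_response(CARD_KEY, challenge)
    return {"customer_confirmed": True, "bank_accepted": bank_verify(CARD_KEY, challenge, response)}


if __name__ == "__main__":
    legit = {"iban": "CH00 0000 0000 0000 0000 0", "amount": "150.00"}  # constructed
    print("honest browser:", run_scenario(legit, legit))
    # Constructed man-in-the-browser case: recipient swapped before it reaches the bank.
    print("tampered browser:", run_scenario(legit, dict(legit, iban="CH99 9999 9999 9999 9999 9")))
```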

Tips:

  • Store your Photo TAN reader in a secure place and not together with your additional access data. If you use your smartphone, ensure you follow all relevant security recommendations applicable, too.
  • Don’t ever write down any passwords or PINs, unless you can ensure these are kept under lock and key.
  • Only ever enter your password or PIN directly into your e-banking log-in screen.

The Photo TAN process - an overview

Mobile ID

At first glance, logging in with a Mobile ID seems very similar to mTAN, but it is by no means identical. With Mobile ID, you also use a mobile phone (all common devices and mobile operating systems such as Apple iOS, Google Android or Microsoft Windows Phone are supported), and data are likewise transferred via an additional communication channel (the mobile network). The crucial difference is the central role played by your mobile's SIM card: the Mobile ID used for encrypted data transmission is stored on the SIM card, and the keys it requires are generated only when the Mobile ID is activated and are then stored on the SIM card itself. This additional encrypted communication channel to your Mobile ID SIM card prevents attackers from capturing log-in or transaction details. Depending on how old your current SIM card is, you may need to request a SIM card that supports Mobile ID from your provider.

When logging in, you will need to enter the ID number and potentially your password or PIN on the financial institution’s website. You will then receive a message sent to your mobile phone which you will need to confirm (e. g. «OK» or «Receive»). You will then have to enter your personal Mobile ID PIN on your mobile phone. Only once you have done so will you obtain access to your account.

Optionally, you can also have your transactions confirmed with this log-in process: Once a sensitive transaction has been registered, you will then receive a message sent to your mobile phone including your transaction data, which you will need to confirm (e. g. «OK» or «Receive»). The transaction is triggered by entering your Mobile ID PIN into your mobile phone. However, such a confirmation will not be required with all remittances. Many systems are able to distinguish secured from unsecured payees, so that you will not have to confirm every single remittance.

Tips:

  • Before confirming any transaction, it is vital to check all data displayed.
  • Do not keep your mobile phone in the same place as your access data.
  • Do not use the same mobile phone for your e-banking which also receives Mobile ID messages.
  • Do not make any written notes of your passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your e-banking log-in screen.
  • Only ever enter your personal Mobile ID PIN on your mobile phone.

The Mobile ID process - an overview

Push TAN

For the Push TAN procedure (app-based TAN procedure), customers need a password or PIN and a smartphone. To receive push notifications via an encrypted Internet connection, the smartphone must have the financial institution's dedicated app installed.

When logging in, you will need to enter your ID number or user name and potentially your password or PIN on the financial institution’s website. Customers will then receive a push notification on their smartphone. Once customers open the app, they are asked to enter their individual app PIN. After they have entered this, the TAN is displayed in the app, which they then enter on the financial institution’s website as usual. Only once they have done so will they obtain access to their account.

Optionally, transactions can also be confirmed with this procedure: once a sensitive transaction has been registered, a push notification is likewise displayed on a customer's smartphone. Customers then open the app and enter their individual app PIN. The transaction is only approved once customers enter the TAN displayed in the app on the financial institution's website as usual. However, such a confirmation is not required for all remittances. Many systems are able to distinguish secured from unsecured payees, so that not every single remittance has to be confirmed.

This process protects against attacks which manipulate transactions (e.g. man-in-the-browser attacks), as long as bank customers check the transaction data shown on their display for accuracy before confirming.

Some tips:

  • Before confirming any transaction, you must check all data to be confirmed.
  • Do not approve any log-in requests arriving late.
  • Do not keep your mobile phone in the same place as your access data.
  • Do not use the same device for your e-banking which also has the app installed and receives notifications.
  • Do not make any written notes of your passwords and PINs, unless you can keep such notes under lock and key.
  • Only ever enter your password or PIN into your financial institution’s website.
  • Only ever enter your personal app PIN on your smartphone.

 

The Push TAN process - an overview