So, my daughter needs a new phone. I feel really old-school with my iPhone 5SE, but whatever. She has earned money from video editing for a local business and also saved some pocket-money, so fine. She wants to spend almost 800 € that are all her own on a new phone, so be it. Turns out the phone is cheaper on Amazon than directly from the Apple Store, even when you throw in an AppleCare protection plan, and of course I go order it online and suddenly find myself with a lot of cash that I feel way too uncomfortable with not to bank it.
My account has been with Deutsche Bank forever for mostly historical reasons, but you know how long-term relationships go with banks, especially after stuff like a mortgage on a house happens and all that. So, between dropping my daughter off at school and running other errands, I hop into their nearest branch office to deposit the money. When I head to that one ATM that also takes deposits, there is this marketing guy chatting up another customer and I already cringe when I hear him explain how printed TAN lists are a security risk. The yarn he spins is how the frequency of burglaries is increasing and somebody could steal the list of TANs. He even has the nerve to mention that he has no idea why, but some people blame it on the influx of refugees!
Inside I keep going, damn, I don’t have time for that kind of debate, when he explains how that is why they are planning to discontinue offering printed TAN lists around summer next year and people should get used to the photoTAN method. Screw you, methinks, and I do sincerely hope Deutsche Bank is not pushing photoTAN to protect us from refugees who are after our bank accounts. Or else I might have to reconsider my choice of bank. This story was bullsh!t on so many levels.
Yes, printed TANs do not solve every security issue that exists with online banking. But generally speaking, the TAN mechanism as a form of one-time-pad is one of the better ideas people have come up with. It offers a practical form of two-factor authentication where you have to have something and know something to get access to your account. Somebody can steal your TAN list and without your online banking PIN it is useless, and vice versa. The remaining security concerns that do exist largely revolve around (1) man-in-the-middle attacks and (2) responsible use of TANs versus convenience.
Traditional TANs (and iTANs) are agnostic of the kind of transaction. Neither for the user nor for the bank is there a way to ensure the TAN is actually used for the transaction the user intended it to be used for. If somebody can get between the bank and the client, he might be able to catch a TAN that was meant for a 5 € payment and use it to transfer a million to his own account (if you don’t have a set limit for online transactions). Seriously, though, phishing attempts aside, and people clicking on stuff they should not be clicking on and not paying attention, that is a pretty hard thing to do. Having somebody present me a webpage that comes from the deutsche-bank.de domain, has a valid SSL certificate that my browser trusts, gets me through the regular PIN-based login and the whole workflow of ordering a money transfer up to the point where I have to enter a TAN, and still being able to see through the encrypted channel, is something my employer could do on hardware where he controls my browser’s proxy settings. And yes, somebody who similarly pwned my personal computer could do it. But using online banking from a piece of equipment that has been pwned, one way or another, is generally a bad idea. And we will come back to that line of thought.
The other problem with printed TAN lists is, of course, mobility. They are really not intended to be carried around at all times. If you do, the chances of them getting into the wrong hands obviously increase, a lot. As a matter of fact, traditional TANs even lent themselves to being used on the go a bit more than the current iTANs, because you could just copy three or four TANs from the list you kept stored safely at home and take them along on a trip. With iTANs that is no longer possible, because you do not know in advance which TAN you will be prompted for. On the other hand, people are getting used to doing everything mobile, and thus there is the risk of people not using TAN lists carefully enough. But that is just as true for many other forms of TAN, such as mTAN, photoTAN, or whatnot. Like, having an app on your phone to log in to your account which potentially even saves your online banking PIN in a keychain, and then getting an mTAN as a text message to that same phone entirely defeats the purpose of having two-factor authentication. All somebody needs to do after that is to steal the phone. And Deutsche Bank even advertises on their webpage that, if you have both the banking app and the photoTAN app on your device, you do not need anything else. Am I the only one thinking there is something wrong, here?
I get convenience. I mean, I personally feel like convenience is the thing that makes many people on the internet hang the noose around their own necks, but I do get it. I also get how banks want to get rid of having to print those TAN lists and keep mailing them to people. Just don’t try to sell it to me as a security feature. The one-time-pad’s security hinges on the safe channel through which the communicating parties pre-share their keys. And the sealed blackened envelope my printed TAN lists arrive in is something I as a person feel much more capable of handling securely than anything that involves electronic communication. Also the risk of them getting stolen: I don’t carry them around. I keep them tucked away somewhere, at home. And burglars just don’t break into your house and go search for your TAN list. They don’t! They don’t even steal your flat screen television anymore, these days. They want easy cash. Given that, again, I feel a lot more capable of finding a safe spot back home to store my TAN lists than of keeping my mobile devices safe.
And here we’re coming back to the idea of doing online banking from a pwned device. Seriously? After all the recently discovered vulnerabilities, from BlueBorne to KRACK to whatnot, can anybody seriously believe they have enough control over their mobile devices to ensure they are safe to be used for online banking? I may be paranoid again, but micropayments, fine, for all I care; access to my one important bank account, though? I don’t want my mobile phone to play any part in that, whatsoever.
Sure, photoTAN also works with a dedicated scanner device, and I’ll probably opt for that, when they stop offering printed TAN lists. And it will be a little safer, because the TAN will be tied to the actual transaction. But does this, in any way, protect me from the scanner being stolen after it has been activated? Of course not. If that thing gets stolen from my house, I have to call my bank in exactly the same way that I would have to, if my current TAN list gets stolen. So please, Deutsche Bank, if you want to save yourself the effort of sending me TAN lists via snail mail, just say so. Don’t try to tell me you’re protecting me from wicked refugees breaking into my house.
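To make the difference between a transaction-agnostic TAN (the 5 € vs. one-million scenario above) and a transaction-bound one (the scanner device) concrete, here is a toy model added to this post; it is not Deutsche Bank’s protocol, and the HMAC-over-transaction-details construction, the reader secret and the TAN list are all constructed assumptions.

```python
"""Toy model: why a TAN tied to the transaction stops TAN reuse.

Constructed example, not any bank's real protocol. The reader-based TAN is
assumed to be an HMAC over the transaction details the reader displays,
keyed with a secret shared at reader activation.
"""
import hashlib
import hmac

TAN_LIST = ["402917", "118350", "777204"]           # constructed printed TAN list
READER_SECRET = b"constructed-reader-secret"        # assumed, set at activation

INTENDED = {"iban": "DE00 0000 0000 0000 0000 00", "amount_cents": 500}         # 5 EUR
TAMPERED = {"iban": "DE99 9999 9999 9999 9999 99", "amount_cents": 100_000_000}  # 1 000 000 EUR


def bound_tan(secret: bytes, tx: dict) -> str:
    """TAN derived from the transaction the reader shows the user (assumed construction)."""
    msg = f"{tx['iban']}|{tx['amount_cents']}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def classic_accept(unused_tans: set, submitted_tx: dict, tan: str) -> bool:
    """Printed/iTAN: the bank can only check that the TAN is a fresh list entry.
    submitted_tx is ignored because nothing links the TAN to a transaction."""
    if tan in unused_tans:
        unused_tans.discard(tan)   # each TAN is single-use
        return True
    return False


def bound_accept(submitted_tx: dict, tan: str) -> bool:
    """Reader-based: the bank recomputes the TAN over the transaction it is
    actually asked to execute, so a TAN confirmed for another transaction fails."""
    return hmac.compare_digest(tan, bound_tan(READER_SECRET, submitted_tx))


def demo() -> dict:
    # Scenario from the post: a TAN the user picked for a 5 EUR payment is
    # submitted by a man-in-the-middle together with a much larger transfer.
    unused = set(TAN_LIST)
    classic = classic_accept(unused, TAMPERED, TAN_LIST[0])
    classic_reuse = classic_accept(unused, INTENDED, TAN_LIST[0])
    captured = bound_tan(READER_SECRET, INTENDED)   # reader showed 5 EUR, user confirmed
    return {
        "classic_accepts_tampered": classic,        # True: bank cannot tell
        "classic_accepts_reuse": classic_reuse,     # False: list entry already spent
        "bound_accepts_tampered": bound_accept(TAMPERED, captured),  # False
        "bound_accepts_intended": bound_accept(INTENDED, captured),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The model also shows the limit the post points out: the bound scheme protects the transaction, not the reader, so a stolen activated reader still has to be reported like a stolen list.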