Why is mTAN secure?
January 30, 2015 11:52 AM   Subscribe

You have an app from your bank on your phone which lets you access your account and make payments. To verify payments you receive an mTAN SMS. Why is it not a terrible, terrible idea that both of these things are happening on the same device?

If my PC gets hacked, no payments can be made without an mTAN (SMS TAN) being sent to my phone. As well as the verification code, the SMS contains the IBAN number and amount of the transaction.

But if my phone gets hacked the attackers gets both the ability to start the payment, and the ability to approve the payment. Why do banks allow this? Isn't this a terrible idea? What am I missing?
posted by devnull to Computers & Internet (7 answers total) 2 users marked this as a favorite
It's not intended to be perfect or insurmountably secure, it's intended to be better than nothing. It means the hackers have to have three pieces of info instead of 2: username, password, & access to your phone. Never save your username or password in your banking app on your phone and they can't get in even if they have the SMS code.
posted by brainmouse at 12:12 PM on January 30, 2015

You're thinking of the problem as being a physical device problem, when it's more illustrative to look at it as an information problem.

They are both accessed over the same device but there are two major information channels in use here; one is the internet (sending your login information, requesting payments to be made) and the other is the cell phone's network. By using the cell phone's network as a secondary channel, the person doing the hacking has to not only have your information, but also be able to receive messages at your phone number.

Most hacking isn't someone stealing your computer or other device. Most hacking is someone remote who finds a way to get (or fake) your login information.
posted by Lady Li at 12:49 PM on January 30, 2015 [1 favorite]

You're looking at multi-factor authentication here. Traditionally, the three factors are:
  • Something you know (e.g. username and password)
  • Something you have (e.g. your phone or an RSA token)
  • Something you are (e.g. your fingerprint or retina scan)
Regardless of whether you log in from your phone or a Web browser on a computer, you must still know your password and possess your phone. The security is equivalent and the authentication is considered reasonably strong.
posted by kindall at 1:19 PM on January 30, 2015

Response by poster: But the mTAN is designed to make the problem harder by adding an additional device to control.

Say someone finds an operating system level exploit that allows them to interact in some way with my phone.
They wait until I login to the online banking app, then freeze/lock the screen.
They start a transfer, receive the mTAN, approve the transfer.
posted by devnull at 1:37 PM on January 30, 2015

if you have an iPhone, sms's can get routed through imessage to any apple pc in the world, which makes it not very secure.
posted by TheAdamist at 2:09 PM on January 30, 2015

Say someone finds an operating system level exploit that allows them to interact in some way with my phone.

The SMS isn't meant to protect against that type of attack. It's meant to protect against someone using your username and password on their phone or the bank's website.
posted by Nonsteroidal Anti-Inflammatory Drug at 2:34 PM on January 30, 2015 [1 favorite]

Not directly answering the question but these two talks (1 hour long each) might be relevant in that they show how insecure mobile networking currently is. Among many other things, SMS can easily be intercepted by someone with access to the SS7 infrastructure.
posted by Bangaioh at 4:42 PM on January 30, 2015

« Older non-viral hepatitis-- possible causes?   |   JFK long-term parking and the snowstorm: how to... Newer »
This thread is closed to new comments.