Mobile Banking Via Display-TAN: Secure and Convenient
Chip-TAN, SMS-TAN, Smartphone-TAN: there are numerous methods that banks and their customers can choose from nowadays if they want to pay by cell phone. However, none of these methods has impressed right down to the last detail: experts know that each is either secure or convenient, and so far none is both. This situation may be set to change, as a spin-off from the University of Tübingen has developed Display-TAN, a multi-functional bank card that offers both security and convenience. We spoke to the developer behind the process, Dr. Bernd Borchert, from the University of Tübingen, about how it works and the advantages for banks and customers.
Dr. Borchert, can you explain in one sentence what your Display-TAN method involves?
Borchert: Display-TAN, to put it succinctly, is a TAN generator integrated into the bank card. The process combines the properties of a conventional EC card with the function of a TAN generator, making transfers not just much more convenient, but also more secure. So I’ve got my smartphone and the only other thing I need is my EC card. It’s equipped with an “On/OK” button, an “Off/Cancel” button and a display, but otherwise it looks no different from its predecessors.
What advantages does Display-TAN offer compared to the methods that are available currently?
Borchert: The advantages for customers are clear: I simply need my smartphone and my bank card if I want to carry out a money transfer. I don’t need an additional device that I have to pay for and that I’ll always need to have handy. Even if the costs of the Display-TAN card were to be paid by the customer, they wouldn’t be any higher than the investment cost of a TAN generator. There are also four fundamental requirements that a process like ours needs to meet to offer a true advantage: it has to be secure, user-friendly, flexible and reliable. What sounds astonishingly simple is actually quite complex to achieve; none of the methods available on the market currently satisfy all these requirements simultaneously.
And your method meets all these basic needs?
Borchert: Yes. To be more precise, there are secure methods that are complex, and user-friendly methods that lack the one hundred percent security aspect. With the SMS-TAN method, the emphasis is very much on user-friendliness; however, the security and mobility aspects suffer as a result. The same goes for the smartphone TAN method. The Chip-TAN method, on the other hand, is secure, but it loses points on both of the other aspects. None of the three methods is one hundred percent reliable. Ours, on the other hand, satisfies all the requirements, which is also why we’re convinced that banks will be interested in it.
What areas can your Display-TAN card be used for?
Borchert: We specifically developed the method at the University of Tübingen for three different scenarios which are becoming increasingly important in our digitized society. These include: mobile banking, which allows me to make transfers without having to be in a specific place at a specific time; mobile shopping payments, which include payments directly on a retailer’s website, and classic online banking from home on the computer.
Let’s take the example of “mobile banking“. What exactly would the steps involved be from the perspective of the user, i.e. the bank customer?
Borchert: I pick up my smartphone and I log into my mobile banking app by entering my account number and online password as normal. I then bring up the input form for transfers, enter the relevant data and send it. Here’s where the smart bit comes in – the bank’s server responds to the smartphone’s request for a TAN for the transfer. As a banking customer, I switch the card display on using a button on my EC card and hold it against my smartphone. This sends the transfer by Bluetooth to the display card, on which the destination account number appears first. I confirm this with the “OK” button, whereupon the transfer sum is displayed. With a further “OK”, a TAN is generated and sent automatically to the smartphone, which forwards it via the Internet to the bank. That’s where the transaction is verified and the transfer is made.
Your method is based on radio, or rather Bluetooth transfers. What advantages do these offer?
Borchert: A while ago, we developed a similar process based on NFC. But we decided to go with Bluetooth since iPhones and iPads don’t support NFC or don’t offer direct interfaces. Some bank cards are also already equipped with NFC. This would have given rise to two NFC antennas in a single card, which wouldn’t work.
And Bluetooth satisfies all the security aspects? Isn’t it conceivable that this method could be hacked too?
Borchert: All of the information sent via Bluetooth from the smartphone to the card is encrypted. The card does not reveal any information, such as account numbers, during Bluetooth contacts. This is also especially true for the secret key stored on the card.
Some banks have recently been providing their customers with apps that allow their smartphones to become TAN generators. Doesn’t this mean that banks already have the mobility that you want to achieve with Display-TAN?
Borchert: Virtually all banks in Germany now offer a smartphone TAN method or at least have one in the pipeline. The main problem with this, however, remains the security factor; like any computer, the smartphone is an insecure device. The biggest danger comes from Trojans, which can secretly enter the smartphone’s operating system. The banking app, with its few rights, on the other hand, is unable to defend itself against an all-powerful, infiltrated operating system, and it cannot even detect that it has been infiltrated. At least that’s true if the Trojan is well-made. Then there’s another problem: as soon as the banking customer changes smartphones, and we all know how often that happens, either because it gets lost, stolen, develops a fault or we simply want a new one, there’s a lot of unpleasant messing about to be done; the user has to notify the bank, then wait for a letter from them, the new device has to be initiated, and so on. So from this perspective, the Display-TAN can be seen as an extension of the smartphone TAN in which the TAN generation process is shifted from the smartphone to the bank card. Our method doesn’t have either of these two problems.
Let’s assume a bank decides to introduce the Display Card. Would the solution be ready to use straight away?
Borchert: Yes, the Display Card is ready to go and it’s been available since December 2014. It lasts 5 years or 2,000 transfers and also offers more advantages for the bank than just doing their banking customers a favor: in the event of fraud, for example, the bank has absolute legal certainty. With our method, it also complies with the stricter European conditions governing online banking and, in particular, the domain of mobile banking. The challenges produced by EBA, MaSI, PSDII, etc., should not be under-estimated and we have taken them into account.
Comment by our GFT Mobile Payment expert Bernd-Josef Kohl:
“Every second citizen in Germany is already using online banking for payments, and FinTechs are justifiably crowding the market with new developments. Banks now have to offer methods to address trends in this sector that impress users thanks to their convenience; otherwise, they run the risk of losing their customers to an alternative provider. At the same time, they need to protect their consumers and comply with European guidelines and standards. Security and convenience remain the two elements that banks and customers want and need in the domain of mobile payments. The method developed by Dr. Borchert, in my view, ticks all the boxes required to enable both parties to forge a long-term alliance.”
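The transfer flow Dr. Borchert describes (transaction data pushed to the card, destination and amount shown and confirmed on the card's own display, TAN relayed back through the phone to the bank) can be simulated to show why a Trojan that owns the phone's operating system still cannot redirect a transfer, and why the same Trojan wins against a TAN generator that lives on the phone. This is an added example, not code from the original page, from the Tübingen spin-off or from any bank. The page does not say how the card derives its TAN, so the HMAC-based construction, the per-card key shared with the bank, the bank-assigned transaction id and the IBAN strings below are all assumptions constructed for the simulation.

```python
"""Simulation of the Display-TAN transfer flow described in the interview.

Added example, not Dr. Borchert's code. ASSUMPTIONS (the page does not state them):
  * card and bank share a per-card secret key installed at personalisation;
  * TAN = 6 decimal digits derived from HMAC-SHA256 over (tx id, destination, amount);
  * the bank assigns a fresh transaction id, so a TAN cannot be replayed;
  * the Bluetooth link between phone and card is modelled as a plain function call.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_id: int
    dest_iban: str
    amount_cents: int


def tan_for(key: bytes, t: Transfer) -> str:
    """ASSUMPTION: TAN is an HMAC over the exact fields the card displays."""
    msg = f"{t.tx_id}|{t.dest_iban}|{t.amount_cents}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class DisplayCard:
    """The bank card: shows destination, then amount, and signs exactly what it showed."""

    def __init__(self, key: bytes):
        self._key = key  # never leaves the card over Bluetooth

    def request_tan(self, t: Transfer, confirm):
        # confirm(field, value) plays the card holder: True = OK button, False = Cancel
        if not confirm("destination", t.dest_iban):
            return None
        if not confirm("amount", t.amount_cents):
            return None
        return tan_for(self._key, t)


class Bank:
    """Bank server: records the submitted transfer and checks the TAN against that record."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}
        self._next_id = 1

    def submit(self, dest_iban: str, amount_cents: int) -> Transfer:
        t = Transfer(self._next_id, dest_iban, amount_cents)
        self._next_id += 1
        self._pending[t.tx_id] = t
        return t  # content of the TAN request sent back to the phone

    def execute(self, tx_id: int, tan: str) -> bool:
        t = self._pending.get(tx_id)
        if t is None:  # unknown or already executed: replay is rejected
            return False
        if not hmac.compare_digest(tan_for(self._key, t), tan):
            return False
        del self._pending[tx_id]
        return True


def run_transfer(bank, card, dest_iban, amount_cents, to_bank=None, to_card=None):
    """One transfer as seen from the phone app. to_bank / to_card model a Trojan in
    the phone OS that may rewrite what the phone forwards to the bank or to the card."""
    to_bank = to_bank or (lambda d, a: (d, a))
    to_card = to_card or (lambda t: t)
    recorded = bank.submit(*to_bank(dest_iban, amount_cents))  # 1. form submitted
    shown = to_card(recorded)                                  # 2./3. TAN request pushed to card

    def confirm(field, value):  # 4. holder compares the card display with what they typed
        return value == {"destination": dest_iban, "amount": amount_cents}[field]

    tan = card.request_tan(shown, confirm)
    if tan is None:
        return "user_cancelled"
    return "executed" if bank.execute(recorded.tx_id, tan) else "bank_rejected"  # 5.


def smartphone_tan_compromised(bank, key, attacker_iban, amount_cents):
    """Contrast: a TAN generator app on the phone keeps its key and its display under
    the Trojan's control, so the Trojan can sign any transfer it likes."""
    recorded = bank.submit(attacker_iban, amount_cents)
    return bank.execute(recorded.tx_id, tan_for(key, recorded))


def demo():
    key = secrets.token_bytes(32)  # ASSUMPTION: shared secret from card personalisation
    bank, card = Bank(key), DisplayCard(key)
    honest = run_transfer(bank, card, "DE00VICTIM", 5000)
    # Trojan A: redirects the transfer at the bank but feeds the card the genuine data
    fake = lambda t: Transfer(t.tx_id, "DE00VICTIM", 5000)
    attack_a = run_transfer(bank, card, "DE00VICTIM", 5000,
                            to_bank=lambda d, a: ("DE99ATTACKER", a), to_card=fake)
    # Trojan B: redirects at the bank and lets the card show what the bank recorded
    attack_b = run_transfer(bank, card, "DE00VICTIM", 5000,
                            to_bank=lambda d, a: ("DE99ATTACKER", a))
    stolen = smartphone_tan_compromised(bank, key, "DE99ATTACKER", 5000)
    return honest, attack_a, attack_b, stolen


if __name__ == "__main__":
    print(demo())
```

In Trojan A the card signs the data it displayed, which is not the data the bank recorded, so the bank's verification fails; in Trojan B the card displays the attacker's account and the holder presses Cancel. The property that makes this work is that the card shows and signs the same bytes and the key never reaches the phone; a TAN generator running on the phone loses both guarantees, which is the `smartphone_tan_compromised` case.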