A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.
TANs provide additional security because they act as a form of two-factor authentication. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.
An outline of how TANs function:
However, as any TAN can be used for any transaction, TANs are still prone to phishing attacks where the victim is tricked into providing both password/PIN and one or several TANs. Further, they provide no protection against man-in-the-middle attacks where an attacker intercepts the transmission of the TAN and uses it for a forged transaction. Especially when the client system should become compromised by some form of malware that enables a malicious user, the possibility of an unauthorized transaction is high. It should be noticed that the remaining TANs remain uncompromised and can be used safely, even though action should be taken by the user as soon as possible.
Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.
However, iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging in to a forged copy of the bank's website and man-in-the-browser attacks which allow the attacker to secretly swap the transaction details in the background of the PC as well as to conceal the actual transactions carried out by the attacker in the online account overview.
Therefore, in 2012 the European Union Agency for Network and Information Security advised all banks to consider the PC systems of their users being infected by malware by default and use security processes where the user can cross-check the transaction data against manipulations like for example (provided the security of the mobile phone holds up) mTAN or smartcard readers with an own screen including the transaction data into the TAN generation process while displaying it beforehand to the user (chipTAN).