
May 31, 2006

PIN and TAN - variations on a theme

When I had my first Internet bank account back around the middle of the '90s, my bank sent me a Personal Identification Number (PIN) and a list of one-time transaction numbers (TANs). The PIN was used to access the account and a TAN was used to "sign" any transaction I wanted to do. This system worked pretty well (I thought, but then I was also partly responsible for the Internet-banking application in the first place - but that's another story).

Over time, as phishing became a problem, my bank introduced indexed TANs, meaning you can no longer enter any old TAN from the list, only the exact one the bank requests (identified by its index).

I've just opened another account with a different bank and they have another variation on the theme - indexed TANs with confirmation code. After you have entered the indexed TAN, the bank displays a confirmation code that you compare with the confirmation code next to the TAN on your list. If the confirmation code is correct then all is well. If not - or if the "bank" doesn't display a confirmation code at all - then something is wrong. Panic. Or rather "contact us immediately".
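The indexed-TAN exchange with confirmation code described above, sketched as an added example (not any bank's actual code). The sheet values, the `Bank` class and `customer_accepts` are hypothetical names and constructed data, and leaving an entry unused after a wrong TAN is an assumption.

```python
import hmac
import secrets

# Constructed sample sheet: index -> (TAN, confirmation code).
# The bank and the customer each hold a copy of this list.
SAMPLE_SHEET = {
    1: ("481516", "2342"),
    2: ("271828", "1828"),
    3: ("314159", "2653"),
}

class Bank:
    """Hypothetical bank side of the indexed-TAN exchange."""

    def __init__(self, sheet):
        self.unused = dict(sheet)  # entries not yet spent
        self.pending = None        # index currently being requested

    def challenge(self):
        """Choose an unused index; the customer must answer with that TAN."""
        self.pending = secrets.choice(sorted(self.unused))
        return self.pending

    def submit(self, tan):
        """Return the confirmation code if the TAN matches the requested
        index, otherwise None. A challenge can be answered only once."""
        index, self.pending = self.pending, None
        if index is None:
            return None            # no challenge outstanding
        expected_tan, confirmation = self.unused[index]
        if not hmac.compare_digest(tan, expected_tan):
            return None            # assumption: entry stays unused
        del self.unused[index]     # one-time: the entry is now spent
        return confirmation

def customer_accepts(sheet, index, shown_code):
    """Customer side: compare the displayed code with the one printed next
    to the TAN. A missing code counts as a failure ("contact us")."""
    if shown_code is None:
        return False
    return hmac.compare_digest(shown_code, sheet[index][1])

if __name__ == "__main__":
    bank = Bank(SAMPLE_SHEET)
    idx = bank.challenge()
    code = bank.submit(SAMPLE_SHEET[idx][0])
    print("index", idx, "accepted:", customer_accepts(SAMPLE_SHEET, idx, code))
```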

Posted by Matthew at May 31, 2006 08:24 PM
