Security of the smsTAN in banking

Starting on January 1st, 2021, online merchants must enable the authentication procedure of the EU Payment Services Directive PSD2 (Payment Directive 2). The second part of PSD2, which regulates security in payment transactions, was originally supposed to come into force in mid-September 2019. Regulators postponed this date to ensure that all participants had enough time to adapt their payment systems and make the necessary changes.

Now, all payment service providers will be required to offer Strong Customer Authentication (SCA). From now on, online and card payments must be authorized with at least two independent characteristics from the categories knowledge, possession or inherence.

The knowledge category includes, for example, passwords and PINs; possession includes, for example, cell phones, bank cards and TAN generators; and inherence includes biometric features such as fingerprints, iris or voice.

iTAN (indexed transaction number) procedures, such as the old TAN list that the bank provided to its customers in paper form, are now history and must be replaced by two-factor authentication (2FA) from 2019. Solutions such as TAN generators provided by the bank, photoTAN apps and mobile TANs are available for 2FA.

A TAN generator is without question one of the most technically secure solutions, but it makes customers less flexible in terms of availability: a transfer cannot be executed quickly on the move unless the TAN generator is carried along.

photoTAN or pushTAN apps from the individual banks also tend to be unpopular with customers, as users do not want to download countless additional apps and a new registration process is required when the end device is changed.

smsTAN as an additional authentication method

smsTAN is a secure, reliable and easy-to-use additional authentication method that is also popular among users. smsTANs are sent to the mobile phone number stored in the bank customer’s user account. This ensures that a transaction can only be authorized by the bank customer via the mobile phone number to which they have access.

The advantages of smsTAN authentication are obvious. SMS can be delivered to any mobile device, requiring neither an app download nor a smartphone or data connection. They can be delivered worldwide.

As an experienced mobile messaging provider, we place the highest value on data protection and security: all SMS reach users’ mobile devices without delay via Message Networks’ messaging gateways. We ensure security and reliability through a direct connection to the messaging gateways of the mobile network operators as well as the use of security features such as IPsec and HTTPS. Thanks to the popularity of smsTAN among consumers, we thus provide banks and banking service providers with a secure, fast and cost-effective 2FA tool.