Android smartphones researchers crack photoTAN procedures

According to a report in the “Süddeutsche Zeitung”, two IT security researchers have succeeded in cracking the photoTAN procedure used in mobile banking on manipulated Android smartphones. After installing malware on the devices, the two researchers were able either to redirect online transfers or to create transfers themselves. However, the transactions could only be manipulated if the banking app and the photoTAN app were installed on the same device.

According to the researchers Vincent Haupert and Tilo Müller, the attacks could target the financial institutions, Norisbank and others. “For us it is no problem at all to hide the actual transfer afterwards,” said Haupert. As long as a customer conducts his banking transactions on the move, the manipulation remains undetected.

The photoTAN procedure generates a one-time password. When the procedure was introduced, an image roughly three by three centimeters in size, made up of small dots and containing the transaction data, was displayed on the PC monitor. In this variant, the graphic is scanned with the smartphone or with a dedicated reader. Once the photoTAN has been decrypted, the transaction data (amount and name of the recipient of a transfer) and a seven-digit transaction number with which the transfer can be approved are shown on the screen for checking.

From the researchers’ point of view, the critical case is when the banking application and the photoTAN app are on the same device, because the intended two-way authentication is then undermined. The researchers still consider the use of a photoTAN on the PC with an external reader to be safe. The attack by the two security researchers requires that a malware-infected app already be installed on the victim’s smartphone.

“That makes the attack more difficult, but not impossible,” says Haupert. Malware such as “Godless” and “Hummingbad” shows this: it made it into the official app store and would have worked on 90 percent of all Android smartphones. Ten million devices were affected.

The attack scenario was demonstrated on Android. In principle, however, an attack is also conceivable on Apple’s iOS. The iOS malware Pegasus showed that not only Android smartphones can be attacked. However, the iOS security model is more restrictive, so the chance of picking up malware is lower than on Android.

When asked, press spokespeople from and Norisbank point out that security is taken very seriously: “When used correctly, all authentication procedures are secure.” Customers decide which procedure suits them best according to their own preferences. In the event of damage, the bank will reimburse the full amount, according to one answer. The bank publishes security instructions for customers on its website. The bank is not aware of the attack carried out by the researchers.