indexed transaction number (iTAN)
Various PIN/TAN procedures are used in online banking. With the classic PIN/TAN procedure, any transaction number from a list is entered into the TAN field for each transaction. This has a significant disadvantage: in a phishing attack, the transaction numbers can be solicited from the customer and then used for fraudulent transactions. For this reason, the indexed transaction number (iTAN) was introduced.
The indexed TAN procedure works with a numbered list in which each sequential number (the index) is assigned a random transaction number. For an indexed transaction, the bank does not ask for an arbitrary TAN but for a specific TAN from the list, for example the 43rd TAN, which must then be entered. The transaction is only confirmed if the customer has entered the correct transaction number. This limits phishing enormously, because a captured TAN is of no use unless the bank requests exactly that index.
The iTAN procedure can only be circumvented in real time: the attacker redirects the communication between the financial institution and the customer, reads the data stream and blocks parts of it.
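The bank-side check described above, as an added example in Python (not code from the original page or from any bank). The class name, the list size of 100, the six-digit TAN length and the rule that an index is retired after a single attempt are assumptions of this model.

```python
import hmac
import secrets


class ITanAccount:
    """Bank-side state for one customer's iTAN list (hypothetical model)."""

    def __init__(self, size=100):
        self._rng = secrets.SystemRandom()
        # index -> six-digit TAN; the same numbered list goes to the customer
        self.tans = {i: f"{self._rng.randrange(10**6):06d}"
                     for i in range(1, size + 1)}
        self.pending = None  # index requested for the transaction in progress

    def challenge(self):
        """Pick an unused index; the customer must enter exactly that TAN."""
        if not self.tans:
            raise RuntimeError("TAN list exhausted, a new list must be issued")
        self.pending = self._rng.choice(sorted(self.tans))
        return self.pending

    def confirm(self, entered):
        """Confirm only if the TAN stored at the requested index matches."""
        if self.pending is None:
            return False  # no challenge outstanding
        index, self.pending = self.pending, None
        expected = self.tans.pop(index)  # assumption: one attempt per index
        # Constant-time comparison. The check covers only the TAN, not the
        # transfer details, so it cannot tell a relayed session from the
        # customer's own: the real-time case described above.
        return hmac.compare_digest(expected.encode(), entered.encode())


if __name__ == "__main__":
    account = ITanAccount()
    idx = account.challenge()
    print("bank asks for TAN number", idx)
    print("correct TAN accepted:", account.confirm(account.tans[idx]))
    idx = account.challenge()
    # Constructed case: a TAN taken from a different position on the list
    other = next(t for i, t in account.tans.items()
                 if i != idx and t != account.tans[idx])
    print("TAN from another index accepted:", account.confirm(other))
```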
The European Union abolished the indexed TAN procedure for current account transfers in September 2019. It will be replaced by the European Payment Services Directive (PSD2).