AppAuth: On App-based Matrix Code Authentication in Online Banking

On App-based Matrix Code Authentication in Online Banking

Vincent Haupert and Tilo MüllerSystem Security and Software Protection Group.

Since its introduction, German online banking has been following a two-factor authentication procedure marked by a steady increase in its security features. In the recent past, however, app-based authentication schemes have gained in popularity and begun to replace established schemes like chipTAN. Unlike chipTAN, which uses dedicated hardware to securely legitimize transactions, authentication apps run on multi-purpose devices such as smartphones and tablets, and are thus exposed to the threat of malware. This vulnerability becomes particularly damaging if the online banking app and the authentication app are both running on the same device, also known as mobile banking. In order to emphasize the risks that mobile banking poses, we show a transaction manipulation attack for the app-based authentication schemes of Deutsche Bank, Commerzbank, and Norisbank. Furthermore, we evaluate whether the matrix code authentication method that these banks implement—widely known as photoTAN—is compliant with the upcoming payment service directive of the European banking authority.

Written report: On App-based Matrix Code Authentication in Online Banking (PDF, English)
FAU press release: PhotoTAN banking on mobile devices is not secure / PhotoTAN-Banking ist nicht sicher

Video Demonstrations

The following provides videos for some of the identified attack points. Please consult our written report for further details.

Attack Applies to Demo for
Transaction Manipulation Deutsche Bank, Commerzbank, Norisbank Deutsche Bank | Commerzbank | Norisbank
photoTAN Replication Deutsche Bank, Commerzbank, Norisbank, Comdirect Commerzbank

Further attacks


Q: I do use the photoTAN method. Should I be worried?
A: Our main goal is to draw attention to the risks app-based authentication methods pose. We want to stress that authentication apps did not take the security of online payments to the next level. The opposite is the case, particularly for mobile one device payments: Those methods bear a significant potential for fraud and abuse. Although no—at least publicly known—damage occurred until now, this is likely also due to the yet poor circulation of smartphone-based online banking authentication systems.

Q: I am using the dedicated photoTAN device of my bank. Does this protect me?
A: Yes, absolutely! Using the photoTAN method with the dedicated reader rather than the photoTAN app for your mobile phone keeps your online banking secure. If used in this fashion, the procedure has a similar protection level like chipTAN. As long as you diligently verify the displayed data on the device, you have nothing to worry and may sleep soundly.

Q: I am not using photoTAN but the app-based authentication method XYZ that my bank offers. Is my procedure secure?
A: As you are using an app-based authentication method, your procedure likely shares a very similar conceptional attack surface. This includes manipulation and replication and an increased possibility of falling prey to phishing attacks due to a trojanized authentication app. Even more dangerous are app-based authentication methods if used in conjunction with the corresponding banking app on the same device. The exact extent, however, depends on its implementation. The same applies to our previous analysis regarding the pushTAN procedure of the German Savings Banks Association.

Q: How does the security of the photoTAN method compare to the pushTAN procedure?
A: The procedures have a similar idea as both implement a dedicated TAN app. Both can be used for true two-factor authentication using two elements—e.g., a notebook for transaction initialization and the app for confirmation—or for pseudo two-step legitimation on a single mobile device, i.e., banking and TAN app on the same device. Apart from the weaknesses of all app-based authentication schemes, the photoTAN and pushTAN method are particularly vulnerable in their mobile banking operation mode. If an adversary can acquire control of the device, he or she can take over both authentication elements.

Q: I only use my app-based TAN method to confirm my payments; I never initiate payments from my smartphone. Is my online banking secured?
A: Apart from the general risk app-based authentication schemes pose, this is a reasonable approach. However, if your procedure is implemented as an integrated TAN procedure—i.e, banking app and TAN method in one app—there is a high chance you need to log into your account through your app to confirm the payment. A popular example for this is the one-app-authentication scheme of N26. Such a procedure would reduce all your efforts to enforce true two-factor authentications to absurdity. The same line trojanized authentication apps take that aim at phishing your password and steal your TAN app. App-based authentication methods place the responsibility to keep the procedure technically secure onto you.

Q: I did not root my device. Am I still affected?
A: Absolutely. The attack scenario even assumes a phone is running stock Android with no third party modification to the system. Our attack model assumes, however, that for the used smartphone, a privilege escalation exploit exists that can root your phone without the victim noticing.

Q: did root my device. Am I particularly at risk?
A: It depends. If you are using a custom ROM like Cyanogenmod or rooted your phone by installing SuperSU through recovery, this will likely not pose more risks per se. The examples are generally very concerned about providing you with root capability while keeping important security safeguards (e.g., SELinux) fully functional. Installing a third-party ROM like Cyanogenmod is often the only way to assure your system receives important security updates. Remember, however, that with great power comes great responsibility: If you carelessly permit root for any app asking for it without critically questioning the request, you are exposed to a risk greater than non-rooted users.

Q: I am using iOS. Your attacks only target Android. Naturally, I am not affected, am I?
A: While it is correct that our research focuses on Android, the attack surface app-based authentication methods and particularly mobile banking poses are entirely independent of the used system. Furthermore, the recently discovered Pegasus spyware revealed that iOS devices are targeted by sophisticated attacks just like smartphones running Android. Buying an Apple device does not make you invincible from these threats. The security model of iOS, however, is more restrictive and hence the likelihood to fall prey to malware is less than on Android.

Q: How could my device possibly get compromised by malware? I have the anti-virus product XYZ installed!
A: An anti-virus suite might spot a modified app due to its signature. Anti-virus software is, however, easy to circumvent and cannot offer the same level of effectiveness like for, e.g., Windows, due to the sandboxing mechanism of modern mobile operating systems. Consequently, you should not trust them too much.

Please note:

  1. Implementation details have been omitted and are independent of the conceptual weaknesses of app-based authentication schemes. The photoTAN method of Deutsche Bank, Commerzbank, Norisbank and Comdirect serves explicitly as an example set for our analysis.
  2. To avert damage to third parties we publish no programs, no code and no technical details which go beyond the information found in our report and on this webpage—also not upon request.

 All content of this website is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International Germany License.