Online banking trojan has designs on chipTAN users

The Tatanga trojan has come up with a new way of ripping off online banking users in Germany by deceiving users of the chipTAN system. TANs, transaction authentication numbers, are one-time authentication numbers generated in various ways and used to validate banking transactions. Tatanga already had a reputation for attacking mobile TAN systems (mTAN) that use SMS to send through a TAN number.

ChipTAN is a different system which requires that a bank card is inserted into a device which is then held against the screen. The bank then flashes the display to transfer information about the current transaction to the device which in turn generates a TAN for the current transaction. According to a report by virus experts Trusteer, Tatanga can get the TAN number from a chipTAN user by tricking them into thinking that the bank is testing the chipTAN system.

When a user logs into their bank account, the trojan checks the user's account details in the background and selects an account from which it can take the most money. It then begins a transfer, but to complete that transfer it needs a TAN. Tatanga injects code into the user's bank web browsing explaining that the bank is performing a chipTAN test. The fake instructions, translated into English from what is described as "reasonable German", read

1. Insert your smart card into the TAN generator and press "F".
2. Place the TAN generator next to the animated graphic on your computer screen. Here, the markings (triangles) of the graph correspond to those on your TAN generator.
3. Check the display on the reader display, and press "OK."
4. Check the transaction details (recipient's account number, recipient’s bank and amount of the transfer) on the reader screen and then confirm by clicking "OK" on your TAN generator.
Note: also check the display of the TAN generator always using the original transaction data - for example, an invoice.

If the user follows these instructions, they end up entering a TAN number into the system which Tatanga uses to complete its transaction. Even though the device will show details of the bogus transaction, the fraudsters ensure that the victim compares it with matching details displayed on the screen as part of the fake test process. When the transaction is complete, Tatanga then takes steps to obscure the transaction in the victim's transaction history so they won't be alerted to the fraudulent transaction.

(djwm)