Wilhelm Schickard hat hier in Tübingen die Ära der rechnenden Maschinen eingeleitet — fast 400 Jahre später ist Informatik so spannend wie nie zuvor. Heute bilden über 20 Arbeitsgruppen von Informatikern das Tübinger Wilhelm-Schickard-Institut, in dem Informatik auf Spitzenniveau erforscht, gelehrt und gelebt wird.
Die Wissenschaftler und Studierenden des Instituts forschen in den Kernbereichen der Informatik genauso wie in der Bioinformatik, der Medieninformatik und der Kognitionswissenschaft. Dabei profitieren die Tübinger Informatiker von der vielfältigen Forschungsumgebung einer echten Volluniversität — es bestehen zahlreiche und intensive Kontakte zu Kollegen, die über den Fachbereich hinaus etwa in die Biologie, Medizin, Medien- und Erziehungswissenschaften oder die Psychologie reichen.
Wer sich, wie wir, der Faszination Informatik nicht verschließen kann, dem stehen die Türen des Instituts offen: Studieren Sie mit uns diese junge Wissenschaft in unseren akkreditierten Bachelor- und Masterstudiengängen und werden Sie Teil der Tübinger Informatik!
Ganz nebenbei: das Wilhelm-Schickard-Institut ist nicht nur in der Forschung auf der Höhe — der Blick hinunter auf unsere schöne Stadt am Neckar ist einfach unschlagbar.
Display-TAN - 2-Factor Mobile Banking - secure and mobile
Display-TAN is a TAN-generator integrated into the bank card, including display and Bluetooth
Display-TAN is a Mobile Banking method which is secure and mobile at the same time:
Display-TAN is secure because the TAN (Transaction Authentication Number) is generated on the bank card - not on the smartphone!
Display-TAN is mobile in the sense that for Mobile Banking the customer doesn't need more than what he carries anyway: smartphone and bank card.
Moreover, Display-TAN is convenient because Display-TAN requires no typing - just clicking!
Motivation/Background: Why Display-TAN?
Nowadays many financial transactions are executed from the user's smartphone only. But the user's smartphone may be infected by malware. The malware may manipulate transactions because it is able to spy (or abuse) every single one of the user's credentials: password, SMS, secret key, fingerprint, etc.
So the basic idea of Display-TAN is the following: Move out the secret key and the generation of the TAN to the bank card! This way, malware on the smartphone will not be able to manipulate transactions.
And why display and Bluetooth?
The display is needed for a manipulation-proof revisualization of the transaction data. Without display on the smartcard a trojan on the smartphone would be able to secretly let the smartcard generate a TAN for a different/malicious transaction.
Bluetooth is needed for the comfortable (and encrypted) transport of the transaction data to the card.
Hardware. The main element of the Display-TAN method is a bank card which has a display and a Bluetooth module - and nevertheless is thin, flexible, robust and durable like a usual bank card.
Security. The security of Display-TAN comes from the fact that everything security-critical takes place on the secure card (not on a potentially insecure end device like PC, Laptop, Tablet, Smartphone): (1) The storage of the secret key, (2) the tamper-proof re-visualization of the payment data, and (3) the generation of the TAN. The Bluetooth connection is fully encrypted.
Usability. The bank customer does not need an extra TAN-generator device. This is especially useful in the case of Mobile Banking because the customer does not need anything more than what he carries anyway: smartphone and bank card. Moreover, the bank customer does not need to type anything - just checking and clicking is enough. Even long account numbers like IBAN can be confirmed conveniently with a few clicks.
Online Payment. With the rise of Sofort, Trustly, etc., more and more Internet payments are nowadays executed as money transfers. This way, Display-TAN automatically becomes an Internet Payment method. Display-TAN is much more secure than PayPal or credit cards but nevertheless is of nearly comparable usability (no extra device, no typing besides username/password).
No Pairing. There is no pairing with the smartphone. This is possible because all the security is done completely on the card, not on the smartphone. This way, the customer is not bound to a specific mobile device, i.e. he is able to use several mobile devices alternatingly for Mobile Banking, and may add a new one at any time.
Base Information about the Card
Form. Thin and flexible like a usual bank card (ISO/IEC 7810).
Lifetime. 5 years and 2000 money transfers.
Durability. The card producer has for its display cards a proven ≤ 1% failure rate over the whole card lifetime.
Availability. Technically ready (Bluetooth certification is pending).
How does it work?
Mobile Banking. The new method is shown in the video above, and is in the image below shown from a user's perspective for Mobile Banking - for which is Display-TAN is suited especially well.
Note that the bank customer does not have to type anything during TAN generation - just checking and clicking is enough.
For more workflows like Online Banking and Payment see the Workflow page.
Uniqueness of Display-TAN
Display-TAN is the first and only Mobile Banking method which is trojan-secure and mobile!
Every other Mobile Banking method which is trojan-secure (TAN-Generator, Flickering code method, ...), is not mobile because the customer has to carry an extra device.
Every other Mobile Banking method which is mobile (SMS-TAN, App-generated TAN, NFC-TAN, biometric methods, SIM-card/SE based methods), is not trojan-secure because a smartphone trojan which has infiltrated the Operating System of the smartphone is able to execute a fraudulent money transfer without the customer or the bank noticing it, see for example this contribution for a description of the respective attacks.
For the same reasons, Display-TAN is the only Mobile Banking method which is at the same time mobile and secure against friendly fraud.
The new European IBAN destination bank account numbers can conveniently be confirmed with 3 or 4 clicks by the bank customer, line per line, see example to the right and the IBAN page.