Risk: Medium
Transaction Authentication Numbers (TANs) are created by banks for its account holders. Typically, there are 50 TANs printed on a list, each 8 characters long, which is enough to last half a year for a normal customer. The customer collects the list from their nearest bank branch and must identify themselves by presenting their passport. A few days later, a 5 digit password is sent through the post to the customer's home address. The customer is requested to memorise the password, destroy the notice and keep the TAN list in a safe place near the PC. Logging into an account with a username and password gives access to account information but the ability to process transactions is disabled. To perform a transaction, the customer enters the request and "signs" the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the customer. If it is a match, the transaction is processes. If it is not a match, the transaction is rejected.
Each TAN can only be used once and this method is considered to be a secure two-factor authentication, as they need the customer to not only provide their username and password but an additional, physical piece of information.
However, a new worm, Trojan-Spy.Win32.Bancos.pw is able to intercept HTTPS traffic and obtain the TAN code. When the customer tries to enter a TAN code, an error message appears. Phishing scammers, if they are quick enough, can then enter the code themselves.
This is not currently a widespread problem, but it is anticipated that should these types of worms grow more common in the future, authentication tokens would be rendered useless.