On App-based Matrix Code Authentication in Online Banking

Since its introduction, German online banking has been following a two-factor authentication procedure marked by a steady increase in its security features. In the recent past, however, app-based authentication schemes have gained in popularity and begun to replace established schemes like chipTAN. Unlike chipTAN, which uses dedicated hardware to securely legitimize transactions, authentication apps run on multi-purpose devices such as smartphones and tablets, and are thus exposed to the threat of malware. This vulnerability becomes particularly damaging if the online banking app and the authentication app are both running on the same device, also known as mobile banking. In order to emphasize the risks that mobile banking poses, we show a transaction manipulation attack for the app-based authentication schemes of Deutsche Bank, Commerzbank, and Norisbank. Furthermore, we evaluate whether the matrix code authentication method that these banks implement— widely known as photoTAN—is compliant with the upcoming payment service directive of the European banking authority.