For the Push TAN process, customers need a password or PIN and a smartphone on which the financial institution's dedicated app for this purpose is installed. Push notifications are then sent to this app via an encrypted Internet connection.
Please note the following when using Push TAN:
- Carefully check all data to be signed off before confirming any transaction.
- Don’t confirm any log-in requests where delivery was delayed, and tell your financial institution if you receive any without having requested them.
- Store your access details separately from your mobile phone.
- Follow all security recommendations applicable to smartphones.
- Do not make any written notes of your passwords and PINs, unless you can keep such notes under lock and key.
- Only ever enter your ID number and your password or your PIN into the log-in screen of your e-banking facility.
- Only ever enter your personal app PIN on your smartphone.
Operating principle
Once you enter your ID number and password or PIN into your e-banking portal, the financial institution will transmit a one-off access code (Push TAN) to your smartphone. To access this code, you have to start a specific app and authenticate yourself via your PIN. Only once this additional access code has been entered is the log-in process complete and access to your account granted.
Sometimes, potentially risky transactions such as conspicuous remittances also have to be confirmed via this Push TAN procedure. Many systems are able to remember their customers’ recurring payees, so that you don’t have to confirm every single remittance in the future.
This process protects against attacks which manipulate transactions (e.g. man-in-the-browser attacks), as long as bank customers check the transaction data shown on their display for accuracy before confirming.