KOBIL Systems and Bank-Verlag GmbH offer banks and their customers a sustainable and secure solution for the transmission of TANs for account access and transaction release in online banking. The so-called BV appTAN procedure sends the TAN to an app on the mobile device of the customer via a secure, end-to-end encrypted channel. In the process, both the user and the mobile device can be clearly identified to the bank.

In addition to Bank-Verlag’s safe legitimation processes that have been proven thousands of times in practice – such as mobileTAN and chipTAN – the BV appTAN procedure for iOS and Android devices will be available to the banks as of March 2015. With this new application, Bank-Verlag GmbH uses KOBIL’s mIDentity technology for the first time for the secure transmission of the TAN and the protection of the app on the mobile device.
The TAN is transmitted through an encrypted and secure channel from the authentication system of Bank-Verlag via the Internet to the protected app on the smartphone. In this way, man-in-the-middle attacks and other spying methods are effectively eliminated. Only the customer himself can read the TAN. For this, the smartphone app is additionally protected by a freely selectable PIN and firmly bound to his smartphone by a single, secure activation process. On the cost side, the procedure also offers distinct advantages: because the information is transmitted securely via the Internet, the costs for the hitherto customary SMS transmission or additional hardware are eliminated.
“With the BV appTAN we offer our banks a procedure that is easy to use for the customers, secure and cost-effective, that in addition to pure TAN transmission can be used as a secure channel for the communication between customer and bank and thus has great potential for other services,” says Hans-Peter Kraus, Division Manager of Bank-Verlag GmbH, the service company of private banks.
For the BV appTAN, the bank service provider from Cologne has extended its authentication platform BV Secure with the Smart Security Management Server (SSMS) from KOBIL. Thus, the procedure is available to all banks already taking advantage of the e-banking platform of Bank-Verlag. For banks that operate their own online banking solution, BV Secure also offers a simple-to-implement interface for the use of BV appTAN.
To protect the smartphone application that BV appTAN requires, Bank-Verlag also relies on the mobile security platform of KOBIL. This software development kit (SDK) can be embedded in any existing mobile app and protects it against copying from dedicated devices as well as against manipulation and the creation of fake apps. Furthermore, in conjunction with the management server, the SDK offers additional security features such as

  • Protection against debugging and reverse engineering
  • Security sensors (jailbreak and malware detection)
  • Methods of software hardening for the prevention of known runtime attacks
  • Protection against malicious URLs
  • End-to-end encryption
  • Memory for application-specific certificates, trustworthy certification bodies as well as for private keys and personal certificates
  • Unavailability for third party applications, as security elements and communication interfaces are completely separated from each other

With the first activation of BV appTAN the bank customer receives a postal activation letter with an activation code. He enters it after installing the app. As a result, the app is registered with the authentication platform and clearly assigned to the customer as well as his mobile device. Once the activation is done, the Smart Security Management Server continuously monitors

  • whether the mobile app is really running on the initially registered device or has been copied to another device
  • whether the current app still has its original code or has been modified
  • whether the version of this app is correct or whether it has to be updated
  • as well as the authentication (the user’s PIN) of the mobile platform.

“The security interfaces for the app and the SSMS are part of our mobile security platform mIDentity. It has been tested for safety by the Fraunhofer Institute SIT and once more on behalf of Bank-Verlag for BV appTAN by the Security Research & Consulting GmbH (SRC). We are looking forward to making it known to an even wider circle of customers and to implementing it together with Bank-Verlag,” says Adnan Garip, Sales Manager DACH at KOBIL Systems.