On App-based Matrix Code Authentication in Online Banking

Owing to their growing popularity, smartphones have made two-step authentication schemes not only accessible to everybody but also inexpensive for both the provider and the end user. Although app-based two-factor methods provide an additional element of authentication, they pose a risk if they are used as a replacement for an authentication system that is already secured by two-factor authentication. This particularly affects digital banking. Unlike methods backed by dedicated hardware to securely legitimize transactions, authentication apps run on multi-purpose devices such as smartphones and tablets, and are thus exposed to the threat of malware. This vulnerability becomes particularly damaging if the online banking app and the authentication app are both running on the same device. In order to emphasize the risks that single-device mobile banking poses, we show a transaction manipulation attack on the app-based authentication schemes of Deutsche Bank, Commerzbank, and Norisbank. Furthermore, we evaluate whether the matrix code authentication method that these banks and Comdirect implement-widely known as photoTAN-is compliant with the upcoming Revised Payment Service Directive (PSD2) of the European Banking Authority (EBA).