LOGBOOK

HELP

Quiz Entry - updated: 2026.06.01

How does mTAN (SMS-based One-Time Password) work for a login or transaction?

User enters password → server sends a short code by SMS to the user's registered phone → user types the code back. Security depends entirely on the SMS channel being uncompromised.

The flow:

  1. User enters password on the PC → 1. password to bank server.
  2. Bank generates a short code (e.g. XK83L4) and sends it via SMS → 2. mTAN to user's phone.
  3. User reads SMS on phone, types code on PC → 3. mTAN to bank.
  4. Bank verifies code matches → returns account info.

Security: entirely tied to SMS channel security.

Strengths:

  • Convenient: most users already carry a phone.
  • Out-of-band: separates the OTP delivery channel from the login channel (until step 3, when the user retypes on the same PC).

Weaknesses (why NIST has deprecated SMS for high-assurance):

  • SIM-swap attacks: attacker convinces the telco to port the victim's number to a new SIM. Now SMS arrives at the attacker.
  • SS7 vulnerabilities: old telephony signalling can intercept SMS in transit.
  • Malware on the phone: Android malware can read incoming SMS silently.
  • Phishing: the user is asked to type the code on a fake site — and does.

From Quiz: ISF / Access Control | Updated: Jun 01, 2026