8

It is customary for websites, messages, or other documents to sometimes display data (credit card numbers, phone numbers, ...) with some numbers blanked (e.g., replaced with asterisks) so that the legitimate reader can recognize what full number is behind it, but an adversary cannot.

My bank uses this in to obfuscate the bank account number of wire transfer recipients in mTAN confirmation messages. However, they hide only the three last digits of an IBAN.

Given that IBAN involves a modulo 97 checksum, this is in effect not much better that hiding a single digit of "real" data, thus allowing an adversary a significant chance of guessing right. Given the additional fact that certain banks have somewhat predictable local account numbers that form the right end of the IBAN (e.g., often ending in 00, or maybe there was already some kind of checksum in it), I find this practise not very comforting.

Should I be worried / ask the bank for clarification?

EDIT: I am aware of How to mask SEPA (IBAN and BIC) information correctly?, but that question and answer aim at a very different direction, namely: How much of an IBAN should be exposed in order to recognize it from a handful of "my" IBANs to use in a planned transaction? The answer states that typically the last 3-4 digits are enough. My question however is concerned with the opposite scenario, that an IBAN is transmitted with almost all digits visible. It makes sense to display many digits in this scenario so that I can be somewhat confident that the IBAN is indeed the arbitrary IBAN I typed in before (and not the account of someone intercepting the mTAN). While "IBAN numbers are not secret" may apply here as well (thus questioning the need to obfuscate at all), I am also more concerned with the implications that the strong checksum spoils the obfuscation almost completely.

Community
  • 1
Hagen von Eitzen
  • 1,098
  • 8
  • 19
  • 2
    The first answer to that question states: `Unlike credit card numbers, IBAN numbers are not secret`. So there is no need to blank out any numbers. I guess I don't understand what more information you are looking for. – Neil Smithline Sep 23 '15 at 18:44
  • 1
    @NeilSmithline The answer continues with `so it might be a good idea not to show more information about a bank account number / IBAN than is necessary` I don't think an answer that makes a statement and its logical negation at once is very helpful – Hagen von Eitzen Sep 23 '15 at 18:50
  • 4
    So perhaps your question is `What attack vector is the bank protecting against by obfuscating the last three digits in an mTAN and, considering the way that IBAN numbers are created, does hiding the last three digits actually help?` You may want to include a link for mTAN as I had to look it up (they're not used in the US). I used this https://en.wikipedia.org/wiki/Transaction_authentication_number#Mobile_TAN_.28mTAN.29. That doesn't seem like a duplicate of the referenced question to me. We'll have to see what others think. – Neil Smithline Sep 23 '15 at 19:06
  • @NeilSmithline. Well, maybe not secret, but at least very sensitive. E.g., in Germany, one could buy goods/services just knowing your name and bank account number (IBAN), then your account will be charged for it. – Andrey Sapegin Jan 04 '16 at 14:39
  • I already provided an answer to *that question* (http://security.stackexchange.com/q/80855/52572). – Andrey Sapegin Jan 04 '16 at 15:09

1 Answers1

2

The reason for stating (part of) the IBAN in the mTAN message is to protect you from an attacker such as rogue browser plugin modifying the destination account. The more you hide, the greater the chance the attacker can use a collision - i.e. he has a full access to an account where the numbers not hidden match your intended transfer. As the plugin would only change the account for transactions it knows it can exploit, the bank wants to show as much as possible to lower the chance. The probability of someone intercepting the mTAN itself is probably regarded as too small to bother.

E.g., in Germany, one could buy goods/services just knowing your name and bank account number (IBAN)

Well, this is the real problem that one should ask your bank for a clarification. An account number is neither secret nor unpredictable and should be treated as publicly accessible information. If one account number is known, one can usually also generate other valid account numbers quite easily, so one can only hope the name is checked as well.

numo68
  • 74
  • 3