How secure is this 2FA method and what are they called?

mononymous
Go to solution Solved by Eigenvektor,
My bank uses a plastic 2FA card to verify you when you send money to someone else for example.

 

It looks something like this:

[Image: SmartSelect_20230129_012819_Concepts.jpg]

 

The bank would ask you to input code "A1" for instance and you are supposed to look at the card and type in "42". I have two questions.

 

1. How secure is this method?

2. What is the name of this type of authentication?

Link to comment

Seems rather less secure than using random 2FA authenticators.

Link to comment

1. If the codes aren't renewed this is immediately not safe anymore once it gets leaked as it can be distributed anywhere. Nothing different than a password so this method would be extra effort with little to no benefit. Better to use something like 3D Secure; I think most bank cards support this.

 

2. This reminds me of old PC games having similar protection to prevent piracy. That's simply a lookup table.

Link to comment

21 minutes ago, mononymous said:

1. How secure is this method?

2. What is the name of this type of authentication?

1. Reasonably secure, provided every customer has their own unique card and no one other than yourself ever had access to it and every number is only used once. However, there are more modern alternatives available like TOTP.

 

2. My bank also used these until a year or two ago. I think they referred to it as a "TAN list". Whenever the numbers on the list were used up, I would get a new one. These days they require the use of a mobile app that will show the transaction I'm about to do and requires me to confirm it. The app requires a separate sign-in beforehand.

Link to comment
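Added example (not from the thread and not any bank's actual system): a minimal server-side model of the difference the answer above turns on, a reusable code card versus a single-use TAN list. The `CodeCard` class, the `A1`-style grid, the six-digit code length and the consume-on-any-attempt policy are assumptions for illustration.

```python
import hmac
import secrets

# Constructed grid positions in the "A1" style described in the question.
POSITIONS = [f"{col}{row}" for col in "ABCD" for row in range(1, 6)]


class CodeCard:
    """Server-side record of one customer's code card (hypothetical model)."""

    def __init__(self, positions, digits=6, single_use=True):
        # Each card gets its own codes from a CSPRNG, so no two customers share one.
        self.codes = {p: f"{secrets.randbelow(10**digits):0{digits}d}" for p in positions}
        self.used = set()
        self.single_use = single_use

    def next_challenge(self):
        """Pick the position to ask for; None means a new list must be issued."""
        pool = [p for p in self.codes if not (self.single_use and p in self.used)]
        return secrets.choice(pool) if pool else None

    def verify(self, position, answer):
        """Check the answer typed for the challenged position."""
        if position not in self.codes:
            return False
        if self.single_use and position in self.used:
            return False  # replay of a code that was already consumed
        ok = hmac.compare_digest(self.codes[position].encode(), answer.encode())
        # Assumption: a position is consumed by any attempt, right or wrong,
        # so a single position cannot be guessed repeatedly.
        self.used.add(position)
        return ok


def replay_demo(single_use):
    """Return (first_use, replay) for a code that has been typed once before."""
    card = CodeCard(POSITIONS, single_use=single_use)
    pos = card.next_challenge()
    seen = card.codes[pos]  # the value the customer entered for this challenge
    return card.verify(pos, seen), card.verify(pos, seen)


if __name__ == "__main__":
    print("single-use TAN list:", replay_demo(True))
    print("reusable code card: ", replay_demo(False))
```

With `single_use=False` the second submission of the same code is accepted, which is the situation a card kept in use for years is in; with `single_use=True` the list runs out and has to be reissued.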

1 minute ago, Eigenvektor said:

1. Reasonably secure, provided every customer has their own unique card and no one other than yourself ever had access to it and every number is only used once. However, there are more modern alternatives available like TOTP.

Oh. Well I have been using the same card since 2018 so I probably used every number at least twice. Never verified but I should hope they have provided me a unique card.

 

Quote

2. My bank also used these until a year or two ago. I think they referred to it as a "TAN list". Whenever the numbers on the list were used up, I would get a new one. These days they require the use of a mobile app that will show the transaction I'm about to do and requires me to confirm it. The app requires a separate sign-in beforehand.

This is for browser-based internet banking and they have a separate system that uses a 2FA app on their mobile app.

Link to comment

47 minutes ago, mononymous said:

This is for browser-based internet banking and they have a separate system that uses a 2FA app on their mobile app.

Same. When I log into their website in my browser, and transfer money somewhere, I need to confirm that transaction on my mobile phone as a second factor. Before I had to pick a number from a sheet of paper similar to what you described. But each number was only used once and I would get a new sheet of paper when the old one was used up.

Link to comment

I work in a bank and can confidently say this is the stupidest 2fa I have ever seen. Maybe your bank is 30 years behind everyone else, this is archaic as fuck.

Link to comment

7 hours ago, Murasaki said:

2. This reminds me of old PC games having similar protection to prevent piracy. That's simply a lookup table.

Turn to page 37 in the manual and type the Seventeenth word in Paragraph Two

Link to comment

This was the way most banks did things here before using an app became viable (so until some 5 years ago). It's quite secure since every customer gets their own, randomized selection of codes. You also don't only insert the code, usually it asks for a personal ID too. So pretty much the same way electronic 2FA works (for example my bank offers electronic 2FA along with the app).

 

As for security, I would agree on moderate since it has multiple points of failure, but also multiple points where security is decent or good. One being the bank itself, for good and for bad, as its systems hold information of all customers, their IDs and security codes. If the list gets stolen, by itself it's worthless. A thief would still need the personal ID to access the account. Same with getting to know the personal ID, password etc. They only work if this kind of thing isn't in place.

 

Compared to Google Auth, there's only one extra security in between, the phone (or similar). So is this so different? It's just another way of doing things.
