The iTANs (indexed TANs, as recently introduced by Postbank) are no panacea against phishing either. The classic attack is simply to redirect the user to the attacker's own site during the phishing and, in parallel with the user's input, to carry out the transaction with the bank, but of course in a different form from the one shown to the user. Instead of just asking for any TAN, the attacker first contacts the bank server, and the TAN index the bank demands is then requested from the user. With that TAN the booking goes through without a hitch while the user spends time on the supposed security update, or whatever else the phishing attack pretended to be. The index only tells the user which TAN to type; nothing in the prompt lets the user check which transaction that TAN will authorize.
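To make the relay concrete, the following simulation is an example added to this page; it is not code from the original commentary and not any bank's software. It models a bank with indexed TAN lists, a customer who dutifully types whichever TAN index she is asked for, and a phishing proxy that starts its own transfer at the bank and forwards the bank's index to the victim. The customer name, amounts, TAN lists and the seven-minute validity window are all constructed assumptions.

```python
"""Real-time man-in-the-middle phishing against indexed TANs (iTAN), simulated.

The bank picks a random index into the customer's TAN list for every
transaction.  That stops simple replay of a previously phished TAN, but the
challenge carries no transaction data the customer could check, so an
attacker who relays the index in real time spends the TAN on a transfer the
customer never saw.  All names, amounts and TAN lists are constructed.
"""
import secrets
import time


class Bank:
    """Toy online-banking backend using indexed TANs."""

    TAN_VALIDITY_SECONDS = 7 * 60   # assumed challenge timeout, as one bank argued

    def __init__(self, tan_lists):
        self.tan_lists = tan_lists  # customer -> list of TANs (the printed iTAN sheet)
        self.used = set()           # (customer, index) pairs already consumed
        self.pending = {}           # challenge id -> pending transfer
        self.ledger = []            # booked transfers: (customer, recipient, amount)

    def request_transfer(self, customer, recipient, amount):
        """Start a transfer and return (challenge_id, tan_index).

        The bank only tells the customer which TAN to enter; recipient and
        amount are not part of the challenge the customer sees.
        """
        unused = [i for i in range(len(self.tan_lists[customer]))
                  if (customer, i) not in self.used]
        index = secrets.choice(unused)
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = {
            "customer": customer, "recipient": recipient, "amount": amount,
            "index": index, "issued": time.monotonic(),
        }
        return challenge_id, index

    def confirm_transfer(self, challenge_id, tan):
        """Book the pending transfer if the TAN at the challenged index matches."""
        pending = self.pending.pop(challenge_id, None)
        if pending is None:
            return False
        if time.monotonic() - pending["issued"] > self.TAN_VALIDITY_SECONDS:
            return False            # the "seven minutes" argument: the challenge expired
        customer, index = pending["customer"], pending["index"]
        if (customer, index) in self.used:
            return False            # each index is single-use, so plain replay fails
        if not secrets.compare_digest(tan, self.tan_lists[customer][index]):
            return False
        self.used.add((customer, index))
        self.ledger.append((customer, pending["recipient"], pending["amount"]))
        return True


class Victim:
    """A customer holding a printed iTAN list."""

    def __init__(self, name, tan_list):
        self.name = name
        self.tan_list = tan_list

    def answer_tan_prompt(self, index):
        # Types the TAN at the requested index, whoever is asking for it.
        return self.tan_list[index]


class PhishingProxy:
    """The attacker's fake 'security update' page, relaying to the real bank."""

    def __init__(self, bank, mule_account, amount):
        self.bank = bank
        self.mule_account = mule_account
        self.amount = amount

    def lure(self, victim):
        # 1. The victim has logged in to the fake page; the attacker now opens
        #    its own transfer at the bank under the victim's identity.
        challenge_id, index = self.bank.request_transfer(
            victim.name, self.mule_account, self.amount)
        # 2. The bank's index is shown to the victim as part of the "update".
        tan = victim.answer_tan_prompt(index)
        # 3. The TAN is spent immediately: milliseconds, not minutes.
        return self.bank.confirm_transfer(challenge_id, tan)


def make_tan_list(length=100):
    """Constructed sample iTAN sheet: six-digit TANs, one per index."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(length)]


def run_scenario():
    """Legitimate transfer followed by the relay attack; returns (ledger, stolen)."""
    tans = make_tan_list()
    bank = Bank({"alice": tans})
    alice = Victim("alice", tans)
    # Normal use works as designed.
    cid, idx = bank.request_transfer("alice", "landlord", 800)
    bank.confirm_transfer(cid, alice.answer_tan_prompt(idx))
    # The phishing proxy books a transfer alice never saw.
    stolen = PhishingProxy(bank, "mule-account", 950).lure(alice)
    return bank.ledger, stolen


if __name__ == "__main__":
    ledger, stolen = run_scenario()
    print("attack succeeded:", stolen)
    for entry in ledger:
        print(entry)
```

In the simulation the prompt reaches the victim through a direct method call; in the real attack it is the phishing page that displays the bank's index. The bank's checks (unused index, correct TAN, validity window) all pass, because every one of them is satisfied by an attacker who relays within the session rather than replaying later.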

RedTeam has put together a scenario and spoken to the banks:

According to RedTeam's survey, the banks largely understood the problem described, but did not take it very seriously. They intend to go on presenting iTANs as secure. One bank argued that the attack would have to be very quick and be completed within seven minutes, which is no obstacle at all for a phishing site that relays the bank's TAN request automatically. Another institution would only reconsider its statements once the first customer had actually suffered a loss.

It is the same arrogant attitude banks have always shown towards fraud: instead of tackling the problems themselves, or openly describing the security issues and thereby treating their customers as adults, they play things down and lie. And for this nonsense we then get to pay booking fees.