DNS Resolution Path Corruption Helps Phishing Scams


webdoctor - 11:29 am on Feb 14, 2008 (gmt 0)


a spoofer site could easily ask for a TAN number and simply accept any syntactically correct answer.

Of course they could ... but what would the spoofer be able to do with the user's login details but only one TAN number?

When the spoofer logs on to the real bank's site there's only a 1% chance they will be asked for *that particular TAN*, the bank chooses which TAN to ask for, not the user.

Or have I missed something?

Your security mechanism seems to rely on the user crossing used numbers off the list. My bank uses such numbers, but I've never done any crossing off...

As long as the bank knows which TANs have been used, and therefore never requests any of them again, I don't think it matters if the user crosses them off their list or not (?)


Thread source: http://www.webmasterworld.com/webmaster/3573859.htm