Court criticizes the security of pushTAN procedures

A current court order could be groundbreaking. The Heilbronn regional court wrote in its judgment that the pushTAN procedure was not that secure. This was preceded by a lawsuit filed by a customer against his bank.

Almost every online banking user knows the TAN procedure. In order to take an action or carry out a transaction, you have to have a numerical code generated, which then counts as verification. Normally this is not rocket science and is usually safe. But as is often the case, fraudsters find a way to get at the money. A current ruling could call the security of the pushTAN procedure into question. In its verdict of May 16, 2023, the written reasons for which were only published recently, the Heilbronn regional court stated: “The so-called pushTAN procedure […] has an increased risk potential”.

Bank customer falls for fraudsters and demands money back from bank

There are now a lot of TAN procedures: mTAN, chipTAN, pushTAN, iTAN etc. One of the most widely used procedures today is the pushTAN procedure. And its somewhat indiscriminate use was fatal for one bank customer. A person introduced himself on the phone as an employee of the victim’s bank and said that a third party had made two unauthorized payments and increased the credit limit to 10,000 euros. In order to reverse the process, the alleged bank employee would need three TANs, which the victim generated via pushTAN and passed on to the caller.

It later turned out that the caller was a fraudster who withdrew a large sum of money from the victim’s account using the TANs. This approach is also referred to as social engineering fraud. The fraud victim subsequently asked his bank to cover the resulting damage. The bank, however, refused, and the case ended up in court. The verdict itself is not particularly exciting, but a passing comment from the court caused a stir.


Court questions the security of pushTAN procedures

The Heilbronn regional court had dismissed the victim’s lawsuit because the self-generated TAN numbers were passed on to a person he did not know due to gross negligence, without paying attention to the intended use. The judgment also states: “It is clear to everyone that online banking only takes place online, not by telephone or in writing, regardless of who answers the phone about alleged measures.”

What was more exciting, however, was the court’s aforementioned comment in the judgment. In it, the court criticized the pushTAN procedure and considered it not secure enough. In principle, a transaction is supposed to be protected by two-factor authentication. But according to the court ruling, that was not the case here. Since both the TAN app and the banking app were installed on the same smartphone, “no authentication consisting of at least two independent elements” in the sense of § 1 Paragraph 24 ZAG (Payment Services Supervision Act) took place.

What the banks say

Taken to its conclusion, this would mean that banks would have to require customers to use two independent devices for banking and TAN generation in order to avoid being held liable in the event of damage. Because if a fraudster or hacker were to hijack the smartphone using malware, they could theoretically gain access to both apps. The security that the pushTAN procedure was supposed to provide would then no longer exist.

TECHBOOK asked both ING and DKB for an assessment of the court’s comment. ING gave us the following statement:

We can only speak to our “banking to go” app and it is well protected by several security factors. On the one hand, the customer’s smartphone must be registered in our systems. The second security factor is knowledge or biometrics, either the mobile PIN or a biometric feature (fingerprint or Face ID). Device binding also ensures that the app with the associated PIN or biometric feature cannot be transferred to any other device. The app’s connection to our bank servers is also secured in multiple ways: all data is encrypted twice and the app is automatically checked for manipulation by third parties.

ING spokesperson for TECHBOOK
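As an added illustration, and not code from ING, DKB or any real pushTAN implementation, the following Python model shows the two elements the court and the ING statement refer to: a key bound to the registered device (possession) and a mobile PIN (knowledge), with the confirmation computed over the exact transaction details so that a confirmation obtained for one transaction cannot be reused for a different one. All names, the key handling and the sample transaction are assumptions constructed for this example; it uses only the Python standard library.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Transaction:
    """Transaction details the customer is asked to confirm (constructed sample)."""
    customer: str
    amount_cents: int
    recipient_iban: str
    purpose: str
    nonce: str  # server-issued, single-use challenge


def canonical(tx: Transaction) -> bytes:
    """Stable byte encoding so device and server authenticate the same data."""
    return json.dumps(tx.__dict__, sort_keys=True, separators=(",", ":")).encode()


class DeviceApp:
    """The customer's registered smartphone app (possession factor).

    The binding key is generated once on the device and never leaves it; a real
    app would keep it in the platform keystore, which is what 'device binding'
    relies on. Here it is an ordinary bytes object, an assumption for illustration.
    """

    def __init__(self) -> None:
        self.binding_key = secrets.token_bytes(32)

    def approve(self, tx: Transaction) -> bytes:
        # The confirmation tag covers the exact transaction details, so it cannot
        # be reused for a different amount, recipient or purpose.
        return hmac.new(self.binding_key, canonical(tx), "sha256").digest()


class BankServer:
    def __init__(self) -> None:
        self.device_keys = {}    # customer -> key shared at registration
        self.pin_verifiers = {}  # customer -> (salt, PBKDF2 hash of the PIN)
        self.pending = {}        # nonce -> Transaction awaiting confirmation

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register_device(self, customer: str, device: DeviceApp, pin: str) -> None:
        # Registration binds this app instance to the customer (possession) and
        # stores a verifier for the mobile PIN (knowledge). Done once, out of band.
        salt = secrets.token_bytes(16)
        self.pin_verifiers[customer] = (salt, self._pin_hash(pin, salt))
        self.device_keys[customer] = device.binding_key

    def create_transaction(self, customer, amount_cents, recipient_iban, purpose) -> Transaction:
        tx = Transaction(customer, amount_cents, recipient_iban, purpose, secrets.token_hex(16))
        self.pending[tx.nonce] = tx
        return tx

    def confirm(self, tx: Transaction, tag: bytes, pin: str) -> bool:
        """Execute tx only if both independent checks pass for this exact transaction."""
        # Knowledge factor: the mobile PIN.
        salt, stored = self.pin_verifiers.get(tx.customer, (b"", b""))
        if not hmac.compare_digest(stored, self._pin_hash(pin, salt)):
            return False
        # The details being confirmed must match what the bank issued and be unconfirmed.
        if self.pending.get(tx.nonce) != tx:
            return False
        # Possession factor: tag from the registered device over these exact details.
        expected = hmac.new(self.device_keys[tx.customer], canonical(tx), "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return False
        del self.pending[tx.nonce]  # single use: a confirmation cannot be replayed
        return True


def run_scenarios() -> dict:
    """Constructed scenarios; returns which confirmations the server accepts."""
    bank, phone = BankServer(), DeviceApp()
    bank.register_device("alice", phone, pin="4711")
    tx = bank.create_transaction("alice", 4999, "DE00000000000000000000", "rent")
    tag = phone.approve(tx)

    results = {}
    # A confirmation tag alone, without the PIN, is not enough.
    results["tag_without_pin"] = bank.confirm(tx, tag, pin="0000")
    # Legitimate confirmation: PIN plus tag from the bound device.
    results["legitimate"] = bank.confirm(tx, tag, pin="4711")
    # The same tag presented again for the same transaction is rejected.
    results["replay"] = bank.confirm(tx, tag, pin="4711")
    # A tag obtained for one transaction does not authorize a changed one.
    tx2 = bank.create_transaction("alice", 4999, "DE00000000000000000000", "rent")
    altered = replace(tx2, amount_cents=1_000_000)
    results["altered_amount"] = bank.confirm(altered, phone.approve(tx2), pin="4711")
    return results
```

The model also makes the court's objection visible: both checks are evaluated from data that lives on a single phone (the binding key and the PIN typed into it), so the independence of the two elements rests entirely on that one device staying uncompromised. What the binding of the confirmation to the transaction details does add is a defence against the "intended use" problem from the case above, since a confirmation issued for one payment is worthless for any other.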


In a first short statement, however, DKB said that its new banking uses the Seal One security process. Other large banks such as Postbank and Deutsche Bank also rely on it. “Orders can be easily confirmed using a fingerprint, Face ID or a self-selected app PIN,” says DKB.
