Digital transformation has made online banking a popular and convenient way to manage finances. But as online transactions increase, so do the number of security concerns and legal challenges. In my practice, I am currently experiencing a significant increase in mandates and mandate requests dealing with unlawful online banking debits. A recurring theme here is the question of whether users were negligent or whether the banks’ systems offered inadequate protection. A recent ruling by the Heilbronn Regional Court brings interesting insights to this discussion and sheds light on the practice of using banking apps and PushTAN apps on the same device.
In the decision of the Heilbronn Regional Court (see Heilbronn Regional Court ruling), the use of a banking app together with a PushTAN app on the same smartphone was deemed insufficient. This ruling is based on the principles of two-factor authentication (2FA) set forth in Regulation (EU) No. 2018/389, better known as Regulatory Technical Standards (RTS) for Strong Customer Authentication and Secure Communications.
The RTS specify that two independent elements are required for authentication, which must come from two different categories: Knowledge (something only the user knows), Possession (something only the user possesses), and Inherence (something the user is). However, if both the banking app and the PushTAN app are installed on the same device, the question arises as to whether these elements are actually independent of each other.
The court’s concerns are clear: If the smartphone is compromised, e.g. by malware, both apps could be affected at the same time, which significantly increases the risk of unauthorized access to the bank account.
The implications of this ruling could be far-reaching. Banks may now be forced to revise their security protocols and encourage users to use separate devices for banking and TAN generation. This new requirement could be especially challenging for those who value the convenience of mobile banking and now need to reevaluate their security practices.
The Heilbronn Regional Court’s ruling is a clear indication that security protocols in online banking need to be critically scrutinized and, if necessary, adapted. Both banks and customers should be prepared to take the necessary steps to ensure a secure online banking experience, even though this may involve some additional effort.