Security deficiencies in online banking: A look at a recent ruling by the Heilbronn Regional Court and the legal situation


Digital transformation has made online banking a popular and convenient way to manage finances. But as the number of online transactions grows, so does the number of security concerns and legal challenges. In my practice, I am currently seeing a significant increase in mandates and mandate requests dealing with unlawful online banking debits. A recurring question is whether the users were negligent or whether the banks’ systems offered inadequate protection. A recent ruling by the Heilbronn Regional Court adds interesting insights to this discussion and sheds light on the practice of running a banking app and a PushTAN app on the same device.

Main part:

In its decision (see Heilbronn Regional Court ruling), the Heilbronn Regional Court deemed the use of a banking app together with a PushTAN app on the same smartphone insufficient. The ruling is based on the principles of two-factor authentication (2FA) set forth in Regulation (EU) No. 2018/389, better known as the Regulatory Technical Standards (RTS) for Strong Customer Authentication and Secure Communications.

The RTS require two independent elements for authentication, drawn from two different categories: knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). If both the banking app and the PushTAN app are installed on the same device, however, the question arises whether these elements are actually independent of each other.

The court’s concern is clear: if the smartphone is compromised, for example by malware, both apps could be affected at the same time, which significantly increases the risk of unauthorized access to the bank account.

The implications of this ruling could be far-reaching. Banks may now be forced to revise their security protocols and to encourage users to use separate devices for banking and TAN generation. Such a requirement could be especially challenging for users who value the convenience of mobile banking and now need to reevaluate their security practices.


The Heilbronn Regional Court’s ruling is a clear indication that security protocols in online banking need to be critically scrutinized and, if necessary, adapted. Both banks and customers should be prepared to take the necessary steps to ensure a secure online banking experience, even though this may involve some additional effort.

Marian Härtel

Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.
