Phishing attacks and poor service at N26: "That cost me a lot of nerves"

Paul Jedich, 34, a freelance SAP software consultant, describes himself as technologically sound and digitally experienced. He likes to try new things. Therefore, he did not hesitate long when he saw advertising of the hip smartphone bank N26. He opened an account in a few minutes ("That was super quick and easy") and announced his old at a branch bank. At first he was thrilled: The N26 app is intuitive, easy to use and much fancier than the competition.

However, on February 23, Jedich begins to regret having opened an account at N26. On this day, he tries to log in to his business account, but an error message pops up: The access data are not valid. Jedich desperately wants to transfer money and tries to reach the bank by phone. But no chance: She does not have a telephone service, even in emergencies.

Jedich has no choice but to write mail. Since the chat with employees is only available to logged in customers, he has to go a detour: He pretends to open a new account in order to gain access to the customer chat, he describes his approach. Only then can he communicate directly with the employees of the bank.

Several weeks pass, in which Jedich is always put off. He can not pay bills and withdraw money at this time. "That cost me a lot of nerves," he says.

Only after two weeks, the man has access to his account again - and learns in a chat that he was stolen nearly 10,000 euros. Hackers had evidently gained access to a phishing attack and transferred the money to another account.

Excerpts from the chat history that Jedich has provided to SPIEGEL show how he is being held back by the bank's employees.

N26: It is urgent that you go IMMEDIATELY to the police because of the scoreboard. I immediately forward your concerns directly to the department. The police and prosecutors will be in charge of investigating the fraud with you.

Jedich : But what about my account? And what has your support done the last two weeks in the case? When will I finally get access to my account? And can we call please and establish my identity and then I can access my account again? there would have to be over 20,000 euros on it. When will I get back my money?

N26: How much money was in your account at the end of February?

Jedich: I do not know. I have since 23.02. no access.

N26: Paul, I'm sorry. Your account is now locked. We no longer offer telephone support.

Jedi: ok, but how can I get my money? You can not just leave me so without explanation and solution proposal.

N26: Not at all. I can not give you any further information now.

To this day, the bank refuses to reimburse him for the damage. "I know that online banking can cause such attacks," says Jedich. "But I can not understand in any way that you hold me as a customer so long and not help me in an emergency." Meanwhile, the software adviser has informed the police and turned on a lawyer.

Research by SPIEGEL shows that Jedi is not alone with its problems. Since the beginning of March, customer complaints have been piling up over the bank. "We received a number of complaints, which are all similar," says Kay Görner, speaker in the team Market Watch Finance of the Consumer Center Saxony. The sequence of cases over and over again: Customers can no longer log in to their accounts, can not access their account for several weeks - until they realize that they have become victims of so-called phishing attacks. Employees of the bank can not be reached by phone during this time.

SPIEGEL has spoken to numerous victims of such online raids. The findings are as unambiguous as they are alarming: the beautiful, new, mobile payment worlds carry immense risks and, in the case of an emergency, do not have sufficient customer service. The problems raise the question of whether the currently rapidly growing start-up has the right structures to respond adequately to the increasing number of problems as the number of customers increases. According to its own information, the bank receives 10,000 new customers per day.

Recently, the bank caused a furore throughout Germany as it became the most valuable financial start-up in Europe (read a portrait of N26 here). After investors had pumped $ 300 million into the company, the value of the entire company could be extrapolated to 2.7 billion dollars. Investors rate the Berlin start-up higher than the third largest listed bank in this country, the Wiesbaden Aareal Bank, which has been offering real estate financing for almost a century.

It is not uncommon for a bank that has reached a certain size to become the target of phishing attacks. Other institutes are repeatedly victims of such attacks. But the handling of N26 with the incidents raises questions.

"The problem of lack of accessibility worries us," says consumer advocate Görner. It is important for the client in critical situations to reach the bank quickly. For example, if your own account is blocked or suspected of theft. "Being unreachable creates a loss of trust that no bank can ask for."

"We did not know what was going on for days"

Also Judith Bogner, journalist and presenter, was disappointed by N26. Her husband was on a business trip to Italy when he was unable to log in to his account. "He did not manage to establish direct contact with the bank, and for days we did not know what was going on," says Bogner. Meanwhile it is clear: The couple were stolen 4000 Euro. Bogner vented her anger and gave a detailed account of her negative experiences on LinkedIn's job placement platform.

"It is understandable that a customer reacts with discomfort when the bank is not available by phone in such a situation, so if you do not have a response for a long time, it's hard to take," says security expert Vincent Haupert. The established banks would do better: "Thanks to their established structures, they can react quickly and personally."

Haupert is the researcher who discovered gaps in the bank's security system at the end of 2017 and publicized them at a hacking convention. He had managed to manipulate transfers, to take over entire accounts and to carry out all kinds of transactions. N26 then resolved the vulnerabilities and there was no claim according to the company. "Otherwise, not only the existence of some customers would be threatened today, but maybe even those of N26 itself," he says.

Company apologizes for incidents

N26 informs on request that one should not comment on the individual cases for data protection reasons. Like all banks, N26 faces cybercrime, but "unfortunately also N26 customers could become victims of fraud such as phishing."

Meanwhile, a customer support team of 400 employees is in action to take care of the cases. "We can therefore ensure very good accessibility," it says in a statement from the company. "If customers want it, we'll call it back - especially in cases of urgency, such as suspected fraud." Unfortunately, in some cases we have found that customers have not been recalled immediately and we apologize for it. "

Also with the reimbursement of damages N26 wanted the customers "best possible support". A dedicated team will take care of improving security and analyze every fraud case.

However, customers are not always compensated by banks for phishing attacks. "A large part of the customer concerns that accrue to us are rejected by the banks and not compensated," says Thomas Feil, IT lawyer. Many houses did not shy away from clarifying matters with clients in court.

Theoretically, banks have to step in for an "unauthorized payment transaction" and refund the amount to the account holder. However, this obligation does not apply in the case of gross negligence. But this is difficult to define and banks must be able to prove to the customer.

Advisor Jedich has not given up hope that he will get his money back from N26. He still puzzles how that could happen. In his opinion, he has not fallen for fake mails or the like. But even if he should get the amount reimbursed at the end - he is always disappointed. He has therefore opened a new account: at a branch bank.