TAN lists are abolished: new rules for online payments and what they mean for bank customers
TIME ONLINE | News, backgrounds and debates
Frankfurt / Main (dpa) - Many bank customers in Germany have to say goodbye to a habit: when banking online on their home computer, they can no longer release transfers by entering a six-digit number typed from a printed list.
The paper lists of numbered transaction numbers (TANs) are being abolished. As of 14 September, EU law no longer allows banks to offer this so-called iTAN method for transfers from a bank account. The new regulation is part of a larger changeover.
Why are the paper lists abolished?
The reason is the European Payment Services Directive ("PSD2"). With it, Brussels wants to make payments in the European Union more convenient and safer for consumers while promoting competition. The directive stipulates, among other things, that the transaction numbers needed for online banking must in future be generated dynamically, which is not possible with a sequence of numbers on paper.
What does that mean for customers?
For online banking and shopping on the Internet, the legal requirement for "strong customer authentication" will apply in the future. In other words, each customer must prove their identity in two of three ways: "knowledge" (e.g. a PIN), "possession" (e.g. a smartphone or the original payment card), "being" (biometric features such as a fingerprint). To release a transfer online, you need, for example, the PIN and a TAN that is sent to your phone by SMS.
What about payments by credit card?
For card payments on the Internet, consumers will in future also have to identify themselves with two factors. For credit cards, the requirements are particularly strict, because the number and check number of these cards can be spied out relatively easily - for example, when the card is used in a restaurant. That's why owning the card is not enough. Under the new rules, consumers need two additional security factors for credit card payments when shopping online: for example, a password and a TAN. Because retailers are lagging behind with the changeover, the financial supervisor Bafin is letting the previous, simpler security rules continue to apply.
How do you get the TAN to release online payments in the future?
Bank customers need a specially generated TAN for each order. For example, the customer can have it sent by SMS to a mobile phone number previously registered with the bank ("mobileTAN" / "mTAN"). A special TAN generator can also be used. In conjunction with the bank card, this small device generates a TAN for online banking ("chipTAN procedure"). Some institutions offer a "PhotoTAN" procedure: a barcode appears in the customer's online banking and is photographed with the mobile phone. A TAN is then generated and the booking is processed after approval by the customer.
Why can the paper lists containing the TANs no longer be used?
Criminals are constantly trying to get bank customers to reveal their PIN and TANs - for example, by redirecting them to fake websites or misleading them via e-mail or SMS. If the printed iTAN lists sent by mail then fall into the wrong hands, criminals can plunder the account. "If you are careful with the TAN list and keep your computer up to date, the TAN list provides adequate protection. However, if your TAN list is in the hands of third parties, no security can be guaranteed," writes Postbank, for example.
Are the other methods really safer?
So-called dynamic legitimation methods have the advantage that a TAN - in contrast to the printed iTAN list - is generated anew each time. These numbers are then linked to the respective order and valid only for a limited time. However, there are also concerns. "Although the mTan process is practical and user-friendly, it unfortunately entails a number of risks," warns the Federal Office for Information Security. "Criminals may intercept or redirect SMS messages sent for authentication. There is a risk that the TAN contained in the SMS will be abused."
What else is changing for bank customers?
"PSD2" also breaks the banks' monopoly on access to account data. In the future, financial institutions will also have to allow third-party providers such as financial start-ups (fintechs) access to their customers' data. There are companies, for instance, that compare the daily interest rates of different banks and offer to transfer the money there. Others help consumers save by automatically setting aside small amounts of money. Banks are anything but enthusiastic about the new regulation. After all, whoever knows how much money customers have in their account and what they spend it on can easily offer them further services - home finance, loans or insurance.
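The difference between a static iTAN and a TAN that is linked to one order and valid for a limited time, as an added example that is not part of the original article and not any bank's actual algorithm. The HMAC construction, the 300-second window, the key, the placeholder IBANs and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

VALIDITY_SECONDS = 300  # assumed window; the article gives no figure


def itan_accepts(tan_list, index, tan):
    """Static iTAN check: any order passes if the listed number matches."""
    return hmac.compare_digest(tan_list[index], tan)


def dynamic_tan(key, iban, amount_cents, issued_at):
    """Derive a six-digit TAN bound to payee, amount and issue time."""
    iban = iban.replace(" ", "").upper()
    msg = f"{iban}|{amount_cents}|{issued_at}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def dynamic_accepts(key, tan, iban, amount_cents, issued_at, now):
    """Accept only inside the validity window and for this exact order."""
    if not 0 <= now - issued_at <= VALIDITY_SECONDS:
        return False
    expected = dynamic_tan(key, iban, amount_cents, issued_at)
    return hmac.compare_digest(expected, tan)


# Constructed sample data (placeholder IBANs, demo key, arbitrary timestamp)
KEY = b"constructed-demo-key"
CUSTOMER_ORDER = ("DE00 0000 0000 0000 0000 00", 2500)
ALTERED_ORDER = ("DE11 1111 1111 1111 1111 11", 250000)
ISSUED_AT = 1_568_448_000

if __name__ == "__main__":
    tan = dynamic_tan(KEY, *CUSTOMER_ORDER, ISSUED_AT)
    soon, late = ISSUED_AT + 60, ISSUED_AT + VALIDITY_SECONDS + 1
    print("own order, in time:", dynamic_accepts(KEY, tan, *CUSTOMER_ORDER, ISSUED_AT, soon))
    print("altered order:     ", dynamic_accepts(KEY, tan, *ALTERED_ORDER, ISSUED_AT, soon))
    print("own order, too late:", dynamic_accepts(KEY, tan, *CUSTOMER_ORDER, ISSUED_AT, late))
```

A number taken from a paper list passes `itan_accepts` whatever the payee or amount, whereas the dynamic TAN is rejected as soon as either changes or the window has passed.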
Can anyone access my account now?
Consumers need not fear that companies will access their data unchecked. Bank customers must explicitly allow the transfer of data; access is via the customer's own bank and only for the requested purpose. The EU has banned the machine-based read-out of current accounts, which reveals all of a bank customer's payments and habits.
How does the opening of accounts work in practice?
Fintechs can access certain data via a new interface after the customer has given their consent. On this basis, they can then make offers to customers. However, in mid-August, the financial regulator Bafin stated that the technology is not functioning as smoothly as expected. There are still "functional flaws" in the new PSD2-compliant interfaces. The financial institutions therefore have to make improvements and may not close the old data channels on September 14th.