A German court has ruled against a disgruntled client, who sued his bank over a phishing case. The client claimed to have lost €5,000 ($6,608) in a fraudulent transfer, where the amount was sent to an account in Greece. The Sparda Bank customer in question had entered his Transaction Authentication Number (TAN) code into a phishing website that was designed to look like his bank’s website.
A TAN code is a one-time password that is used for two-factor authentication. Sparda Bank, like any other bank for that matter, warns its customers repeatedly about phishing attacks. In this case, the negligent user entered his TAN codes into the phishing website more than ten times. The bank's argument in the case was that having to enter a code ten times should have raised an eyebrow.
A one-time password is a standard (though not especially secure) method of authentication used by many banks across the world. In Germany, Sparda Bank is one of the few banks still using the iTAN procedure. At most banks, these codes remain valid for a maximum of 24 hours after generation. In this case, however, the fraudulent transaction took place three months after the codes were entered into the phishing website. Surprisingly, the TAN codes were still valid more than three months later!
This case might set a new precedent in the world of phishing and let banks wash their hands of cases where they are in fact at fault for lax security measures. Clearly, the bank also bears responsibility here: once generated, its TAN codes remain valid three months later, which should not be the case.
Negligent customers can and will blame banks for their losses in phishing cases. With reported phishing attacks in Germany up by 82% over the last year, perhaps it is time for banks and all financial institutions to step up their security measures and protect their users from the phishing industry.