OLG ruling: S-pushTAN procedure not sufficient for strong authentication

A Sparkasse must partly reimburse a customer who fell for a phishing attack, even though he acted with gross negligence, because the bank's online banking login did not use strong customer authentication.


In a judgment published on May 5 (Ref. 8 U 1482/24), the Higher Regional Court (OLG) of Dresden ruled on the security requirements for the pushTAN procedure and on claims for compensation after a fraudulent cyberattack. According to the decision of the 8th Civil Senate, a Sparkasse must reimburse part of the loss to a customer who was the victim of a phishing attack and acted with gross negligence. The judges based this primarily on contributory fault on the part of the payment service provider: the login to online banking with the S-pushTAN app was designed in a way that did not provide "strong customer authentication".

With this decision, the Higher Regional Court set aside and amended an earlier ruling by the Chemnitz Regional Court of October 24, 2024. The plaintiff, whose current account had been debited by two unauthorized transfers totalling €49,421.44, had sought a credit for the full amount. The Sparkasse must reimburse him €9,884.29 plus interest, 20 percent of the loss, and pay pre-trial legal fees of €1,119.79 plus interest.

The plaintiff used the Sparkasse's online banking service with the S-pushTAN procedure. He received a phishing email announcing an update to the online banking and directing him to a fake Sparkasse website. There he entered his access data. He then received telephone calls from an alleged Sparkasse employee who, under the pretext of a technical reinstallation, persuaded him to confirm "orders" in the S-pushTAN app. These authorizations led to an increase in the daily limit and two real-time transfers to an account unknown to him.

According to the plaintiff, the pushTAN app did not show him any details of recipients or amounts; he was merely presented with unspecified "orders" for approval. After becoming aware of the irregularities, he informed the Sparkasse and filed a criminal complaint.

The defrauded customer had demanded that the entire amount be credited back to him, arguing that he had not authorized the payments and that the Sparkasse had not fulfilled its "strong customer authentication" obligations. His argument centred on the login to online banking and on the display of payment recipients in the pushTAN app. The login, he argued, took place only with a login name and a static PIN, after which sensitive payment data could be viewed without further authentication; this violated Section 55 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG). He also criticized the fact that the Sparkasse app, undisputedly, never displayed the name of the payee but only their IBAN, which he considered a breach of EU law.


The defendant countered that the plaintiff had grossly negligently breached his duty of care by responding to the phishing email and the "fake calls" and releasing the orders in the pushTAN app. It claimed that the S-pushTAN procedure was secure and TÜV-tested and that manipulation of the display was technically impossible. The plaintiff should have followed the Sparkasse's security instructions.

With the Payment Services Directive PSD2, the EU made strong customer authentication, that is, two independent factors, mandatory for online banking. In the pushTAN procedure, the transaction to be confirmed is sent as a push message to a dedicated app on the customer's smartphone, where the customer approves it. The procedure is therefore only as strong as the check the customer performs on what the app displays: an attacker who talks the customer into approving "orders" over the phone, as in this case, turns the second factor against its owner.
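The practitioner's check behind the court's reasoning is PSD2's dynamic linking requirement: the authentication code the app produces must be bound to the payee and the amount that were displayed, so that a bare "release this order" confirmation cannot verify. The following Python sketch is an added example and not the S-pushTAN implementation or any Sparkasse code; the device key, order details and IBANs are constructed sample values, and a real scheme would use a device-bound asymmetric key rather than a shared HMAC key.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed sample key. In a real scheme the key is generated on the phone at
# app enrolment and bound to the device; the bank stores a copy or a public key.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


@dataclass(frozen=True)
class Order:
    """The details the bank has on record for one pending transfer."""
    order_id: str
    payee_iban: str
    payee_name: str
    amount_cents: int


def canonical(details: dict) -> bytes:
    # Deterministic serialisation so app and server MAC the same bytes.
    return json.dumps(details, sort_keys=True, separators=(",", ":")).encode()


def push_payload(order: Order) -> dict:
    """Server side: what the push channel carries to the app. Payee and amount
    are part of the payload, so the app has no 'unspecified order' to show."""
    return asdict(order)


def app_display(payload: dict) -> str:
    """App side: the text the customer must read before approving."""
    return (f"Transfer {payload['amount_cents'] / 100:.2f} EUR to "
            f"{payload['payee_name']} ({payload['payee_iban']})? "
            f"[order {payload['order_id']}]")


def app_approve(device_key: bytes, payload: dict) -> str:
    """App side: the authentication code covers exactly the details displayed."""
    return hmac.new(device_key, canonical(payload), hashlib.sha256).hexdigest()


def app_approve_blind(device_key: bytes, order_id: str) -> str:
    """A 'release this order' confirmation that covers only an order id, the
    kind of prompt the plaintiff described. With dynamic linking it must fail."""
    return hmac.new(device_key, canonical({"order_id": order_id}),
                    hashlib.sha256).hexdigest()


def server_verify(device_key: bytes, order: Order, code: str) -> bool:
    """Server side: recompute the code over the order as recorded. A code made
    over a different payee or amount, or over the order id alone, fails."""
    expected = hmac.new(device_key, canonical(push_payload(order)),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Three cases; returns the verification outcome of each."""
    genuine = Order("ORD-0001", "DE89370400440532013000", "Mustermann GmbH", 125_000)
    # Attacker's order under the same id but with a different payee (constructed).
    swapped = Order("ORD-0001", "DE02120300000000202051", "Unknown Payee", 125_000)

    code = app_approve(DEVICE_KEY, push_payload(genuine))
    return {
        "displayed": app_display(push_payload(genuine)),
        "genuine_verifies": server_verify(DEVICE_KEY, genuine, code),
        "swapped_payee_verifies": server_verify(DEVICE_KEY, swapped, code),
        "blind_release_verifies": server_verify(
            DEVICE_KEY, genuine, app_approve_blind(DEVICE_KEY, "ORD-0001")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Dynamic linking closes the "unspecified orders" gap and any server-side swap of payee or amount after approval, but it does not protect a customer who reads "1250.00 EUR to Unknown Payee" and approves anyway because a caller told him to; that residual risk is exactly what the court left with the plaintiff.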

The OLG initially confirmed that the payments were not authorized by the plaintiff: He had not been aware at the time of the releases that he was confirming real-time transfers. At the same time, the court also found that he had been "grossly negligent". He had breached his statutory duty of care under Section 675l BGB by "indirectly granting access to unknown perpetrators by releasing orders in the S-pushTAN app 'on demand'" and disclosing sensitive data following a phishing attack. The court emphasized that the plaintiff had not checked the data displayed in the S-pushTAN app, which constituted a serious breach of duty.

Nevertheless, the Higher Regional Court attributed 20 percent contributory fault to the Sparkasse. It justified this with a breach of supervisory regulations: the Sparkasse had failed to require "strong customer authentication" in the ZAG sense when logging into online banking, even though "sensitive payment data" could be viewed there. The court stated: "Against this background, the defendant's breach of supervisory regulations was in any case a contributory factor in the success of the fraudulent attack because it enabled the preparatory measures to be initiated from online banking and orders to be placed without the plaintiff's intervention."

The exemptions that allow simple authentication for merely retrieving the account balance do not apply here, the judges emphasize, because further sensitive data was accessible. The OLG did not follow the plaintiff's further arguments that transaction monitoring was inadequate or that the S-pushTAN procedure was not state of the art; it considered these allegations unsubstantiated.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.