Banks vs. phishing: A plea for measures that help normal users

Phishing works when users are inattentive. This makes it all the more important for banks to better protect and support their customers, says Markus Montz.


(Image: Shutterstock.com / edited by heise online)

This article was originally published in German and has been automatically translated.

"Your account has been hacked! Please click here to log in to online banking!" Every successful phishing attack assumes that a user can be fooled. But people are sometimes inattentive, or the story told in the phishing email happens to match something genuinely unclear about their bank account. The perpetrators build on this in a calculated, professional manner. Only recently, the BSI warned of dwindling diligence among bank customers. That needs to improve.

An opinion by Markus Montz

Markus Montz is an editor in the c't Internet, Data Protection & Applications section. Among other things, he writes about financial technology and health IT.

But I expect even more initiative from the banks. To be fair, their experts already do a lot to prevent fraud; they know the criminal tooling traded on the darknet. Screening algorithms and bank staff also stop far more fraud than customers ever get to see.

Nevertheless, I still see room for improvement. Passwords and TANs are a case in point: they are easy targets for phishing, because fraudsters can intercept and use both in real time. So why aren't banks consistently working on authentication with phishing-resistant web standards such as passkeys to replace passwords and TANs? That would render phishing websites useless in one fell swoop.
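To show why a passkey login cannot be relayed through a phishing site the way a password and TAN can, here is an added example (not code from the article or from any bank) of the relying-party checks a bank's server performs on a WebAuthn assertion: the browser, not the user, writes the page origin into clientDataJSON, the authenticator scopes the credential to the bank's RP ID, and the server ties both to a one-time challenge. The RP ID `bank.example`, the origins and the challenge bytes are constructed for this example; the public-key signature step is named in a comment rather than implemented, so only the Python standard library is needed.

```python
import base64
import hashlib
import json
import struct

# All identifiers below are constructed for this example; they belong to no real bank.
RP_ID = "bank.example"                 # RP ID the bank registered its passkeys under
EXPECTED_ORIGIN = "https://bank.example"

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """What the *browser* writes into clientDataJSON. The origin is the page that called
    navigator.credentials.get(); neither the user nor the page script can change it."""
    return json.dumps({"type": typ, "challenge": b64url(challenge), "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int, user_verified: bool = True) -> bytes:
    """The authenticator's contribution: SHA-256 of the RP ID the credential is scoped to,
    one flags byte and a 32-bit big-endian signature counter (37 bytes in total)."""
    flags = FLAG_USER_PRESENT | (FLAG_USER_VERIFIED if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """Server-side binding checks of a WebAuthn authentication ceremony (signature step omitted)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential is scoped to a different RP ID"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    # A real relying party now verifies the authenticator's signature over
    # signed_data(client_data, auth_data) with the public key stored at registration.
    return True, "ok"


def signed_data(client_data: bytes, auth_data: bytes) -> bytes:
    """Exactly the bytes the authenticator signs: authData || SHA-256(clientDataJSON).
    Because the origin and the challenge are inside that hash, a signature made on a
    lookalike site cannot be reused against the bank."""
    return auth_data + hashlib.sha256(client_data).digest()


def demo() -> dict[str, tuple[bool, str]]:
    challenge = bytes(range(16))       # constructed one-time challenge issued by the bank
    results = {}

    # 1. Genuine login on the bank's own site.
    cd = make_client_data("https://bank.example", challenge)
    ad = make_authenticator_data("bank.example", sign_count=7)
    results["genuine"] = verify_assertion(cd, ad, challenge)

    # 2. A lookalike site relays the bank's real challenge, but the browser records the
    #    lookalike origin. (In practice the browser refuses the ceremony even earlier,
    #    because the RP ID is not a suffix of that origin; this is the server's backstop.)
    cd = make_client_data("https://bank-example.test", challenge)
    results["lookalike_origin"] = verify_assertion(cd, ad, challenge)

    # 3. Correct origin and challenge, but a credential scoped to a different RP ID:
    #    the rpIdHash no longer matches.
    cd = make_client_data("https://bank.example", challenge)
    ad_other = make_authenticator_data("bank-example.test", sign_count=1)
    results["wrong_rp_scope"] = verify_assertion(cd, ad_other, challenge)

    # 4. Replay of an assertion made for an earlier session's challenge.
    cd = make_client_data("https://bank.example", b"\xff" * 16)
    results["stale_challenge"] = verify_assertion(cd, ad, challenge)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The contrast with a TAN is the point: a TAN is a bare number that the user can type into any page, whereas the passkey assertion carries the origin and challenge inside the signed data, so there is nothing a phishing page can collect and forward that the bank's server would accept.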

Banks could improve their communication even more quickly. How is the average consumer supposed to know what "2FA customer authentication" means on the display of their TAN generator or smartphone? Why not "Do you want to access your online banking?", followed, where useful, by details of the devices involved and their locations? How about a concise note on the fraud risk plus a mandatory pause for thought before the bank activates a credit card for Apple Pay or, worse, a new approval device? A clear side-by-side display of the target IBAN and the recipient name would also help. On the latter point at least, the EU has just made a start.

If banks invest more in prevention, the new consumer-friendly rules that the EU is planning should worry them less. And the legal wrangling that defrauded customers currently have to endure would become unnecessary. That should be worth it.

(mon)