The landmark judgement by the Federal Court of Justice is the first time that Germany’s supreme court has ruled on the question of whether banks or their clients are responsible for online-banking abuse.
It follows a case brought by a pensioner who lost €5,000 from his Sparda Bank account to a Greek account in a transaction he claimed he had not executed himself.
According to the Süddeutsche Zeitung, the transfer occurred three months after he entered ten transaction numbers, or TAN codes, on what turned out to be an illegally manipulated version of his bank’s website. This common internet scam is known as "phishing."
Tuesday’s judgement absolved the bank of any liability for the incident, as it had expressly warned customers of such practices on its website. Instead the judges ruled that the plaintiff’s lack of care in entering his TAN codes amounted to negligence.
TAN codes are sequences of numbers that customers must enter to make online transactions.
The plaintiff argued that the bank had a duty to protect its customers from the abuse of these codes. But the federal court upheld previous judgements by the district and state courts, agreeing with the bank’s argument that the customer should bear responsibility for falling for the con.
The bank said it was widely known that being asked to input several TAN codes was a telltale sign of phishing, and pointed out that a phishing warning appeared on its login page.
The plaintiff had also agreed to keep his TAN codes safe when he signed up to the bank’s online service. The bank argued that as the correct TAN codes were entered, the customer could only have entered them himself or failed to keep them secure.
German authorities were not able to track down the holder of the Greek account, despite enlisting their Greek counterparts.
Sparda Bank is one the few remaining German banks to use the iTAN procedure, and the method is commonly thought to be susceptible to phishing. But a bank spokesman told the Süddeutsche Zeitung, “As far as the court was concerned, the security of the procedure is not in question.”
Most banks favour other procedures that are thought to reduce the chances of fraud, like Mobile-TAN, where the customer receives new codes by text message, or Chip-TAN, where codes are generated by a special machine that the customer keeps at home.
In 2010, the Federal Criminal Police Office of Germany received 5,300 reports of phishing – a rise of 82 percent on the previous year. Last year’s figures are not yet available.
As many as 44 percent of German bank customers do at least some of their banking online, a survey last year found. That amounts to 27 million account holders, according to the Federal Association of German Banks.