
Security tips for online banking and TAN procedures

Basic security tips

Absolute protection is impossible. But following a few basic rules can significantly improve online banking security. In this section, we look at the most important protective measures for secure online banking. You should always use these alongside our general recommendations for Internet security.

  • Choose your access data carefully and handle it with care.
    Just as you keep conversations and the entry of your PIN private in the bank or at the ATM, confidentiality is also the top priority on the Internet - particularly when it comes to transaction numbers (TANs). Check your bank's online banking terms and conditions to find out whether you are allowed to store access and transaction data electronically.
    Choose a secure, complex password for accessing online banking.
  • When you bank online, make sure that all communication is encrypted.
    Online banking should use the protected https protocol; the address in the browser then begins with "https://" instead of "http://".
    Current browsers display a certificate with which an independent authority, the certificate issuer (certificate authority), confirms the identity of the server you are connected to. Check whether the name of the website given in the certificate matches the name of the page you are visiting. You can recognise a certified website by the small padlock symbol displayed next to the URL. Clicking on the padlock icon shows more information about the certificate and whether the website actually comes from where it claims to.
    If a provider cannot prove with a valid certificate that it is the actual owner of the address, your browser will show a warning. In this case, cancel the transaction immediately and inform your bank.
  • Encrypt your WLAN connection.
    The standard today is WPA2 (Wi-Fi Protected Access 2); the password should be at least 20 characters long. WEP (Wired Equivalent Privacy) is outdated and not considered secure. See our tips for secure private WLAN use and for conduct in public WLANs.
  • Check the authenticity of the bank's website
    Make sure that you are actually on your bank's website. The best way to do this is to type your bank's Internet address on the keyboard every time you call it up. Even minimal deviations in the Internet address - such as additional dots or hyphens - are signs of a forgery. Pages whose address begins with a number rather than a domain name (such as http://1357.246.579/...) and pages where the address merely has the name of your bank "built in" (such as http://Examplebank.Domainname.de) are generally suspicious.
  • Only operate online banking from your own devices as far as possible.
    Caution is especially advised on publicly accessible computers. Log out after every online banking session and clear your browser's cache after completing banking transactions. Follow our recommendations in the Browser Security Checks.
  • Agree with your bank on a limit for daily money movements in online banking.
    By fixing a maximum amount together with your bank, you can ensure that fraudsters do not debit large sums from your account unnoticed.
  • Check your account movements regularly.
    Check your printed account statements regularly, since the online statements may have been manipulated. If any transaction seems strange, contact your bank or your advisor immediately.
  • Do not respond to phishing e-mails.
    Fake messages and websites are very professional and individualised. But don't be fooled by them: your bank will never ask you to disclose confidential data such as PINs, TANs or account numbers by e-mail. If you receive messages like this, inform your bank about them - under no circumstances follow the instructions contained in the e-mail. You can find more information on phishing here.
  • Be careful when passing on your bank details.
    You should not divulge this information in social networks, nor should you entrust it to unsafe online shops or poorly rated sellers on auction platforms.
  • Block your online banking access if anything seems suspicious to you.
    You can do this either by calling the bank or using the relevant function in the online banking window. Keep your bank's telephone number handy for any instances like this.
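The address checks in the "Check the authenticity of the bank's website" tip above can be expressed as a small program. The following is an added example, not code from the original page: it takes the bank's real domain (here the constructed placeholder "examplebank.de") and flags an address that is not https, that starts with a number instead of a domain name, that differs from the genuine domain only by dots or hyphens, or that only has the bank's name "built in" under someone else's domain. The registered-domain helper is simplified and does not consult the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Domain(s) the bank actually uses. "examplebank.de" is a constructed
# placeholder for this example, not a real bank.
TRUSTED_BANK_DOMAINS = {"examplebank.de"}


def registered_domain(host: str) -> str:
    """Reduce a host name to its last two labels
    ('login.examplebank.de' -> 'examplebank.de').
    Simplification: no Public Suffix List, so hosts under suffixes such as
    'co.uk' would need extra handling in real use."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_ip(host: str) -> bool:
    """True when a number stands in place of a domain name, including
    malformed dotted numbers like 1357.246.579 that are not valid IPs."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return host != "" and all(label.isdigit() for label in host.split("."))


def _squash(name: str) -> str:
    """Drop the separators a forgery plays with, so that
    'example-bank.de' and 'examplebank.de' compare equal."""
    return name.lower().replace(".", "").replace("-", "")


def check_bank_url(url: str, trusted=frozenset(TRUSTED_BANK_DOMAINS)) -> list:
    """Apply the page's checks to one address. Returns a list of warnings;
    an empty list means the address passed every check."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("not https: traffic to this address would not be encrypted")
    if not host:
        warnings.append("no host name in the address")
        return warnings
    if looks_like_ip(host):
        warnings.append("address starts with a number instead of the bank's domain name")
        return warnings

    reg = registered_domain(host)
    if reg in trusted:
        return warnings  # genuine bank domain (plus any https warning above)

    bare = host[4:] if host.startswith("www.") else host
    for t in trusted:
        if _squash(bare) == _squash(t):
            warnings.append(f"'{host}' differs from '{t}' only by dots or hyphens: likely forgery")
            break
        if t.split(".")[0] in host:
            warnings.append(f"bank name is only 'built in' to '{reg}', which is not the bank's domain")
            break
    else:
        warnings.append(f"'{reg}' is not one of the bank's known domains")
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.examplebank.de/login",
                   "http://www.examplebank.de/login",
                   "https://1357.246.579/login",
                   "https://examplebank.domainname.de/",
                   "https://example-bank.de/"):
        print(sample, "->", check_bank_url(sample) or "ok")
```

The checks are deliberately conservative: anything that is not the bank's own registered domain produces a warning, so a legitimate but unknown domain (say, a new subsidiary) would need to be added to the trusted set rather than silently accepted.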

How secure are the different TAN procedures?

Introduction

TAN stands for transaction number. A TAN is a one-time password consisting only of digits. Transaction numbers are used in online banking to approve a transaction, such as a transfer, setting up a standing order or changing personal data.

A TAN can be generated in various ways. The options differ in their level of security and how easy they are to use. Since the Payment Services Directive 2 (PSD2) came into force in 2019, TANs must be generated in the form of a dynamic authentication code at the same time as the money transaction. The following requirements therefore apply: the TANs

  • must be generated from the transfer data
  • may, unlike previously, only be valid for a limited period of time
  • should be generated on a separate device where possible

Brief overview of the most common TAN procedures

  • mTAN/SMS TAN: SMS on your mobile phone or smartphone

    Security aspect:
    On the one hand, the procedure is user-friendly and practical. On the other hand, SMS messages can be intercepted, so the risk of misuse is not inconsiderable. The possibility of a duplicated/cloned SIM card, which makes it possible to intercept the corresponding TANs, should also be noted here.


  • eTAN/ChipTAN: TAN generator with girocard

    Security aspect:
    Overall, the eTAN procedure is considered very secure because two independent devices are used. The generator itself is not connected to the Internet, so it cannot be attacked remotely. Combined with the bank card, this leads to increased security. Thieves cannot do anything with the generated TANs because they are dynamically linked to the respective transfer.


  • PhotoTAN/QR-TAN: Graphic on the PC, plus a reader or smartphone app

    Security aspect:
    This method is also considered secure because two separate devices are used. In addition, the encryption of the graphic data offers attackers few potential points of attack. However, the customer's smartphone can be vulnerable if its software is not kept up to date, allowing an attacker to read the contents of the screen. As a rule, the apps require no separate password, so the photoTAN procedure is potentially vulnerable to mobile phone Trojans.


  • PushTAN: smartphone app

    Security aspect:
    A specific end device and a personal password are required to use this procedure. This TAN procedure is secure if two separate devices are used, for example banking on the PC while the TAN is received on the mobile device, and a sufficiently strong password is chosen. The disadvantage of the procedure is that the bank's app must be installed, and these apps usually stop working once the manufacturer stops providing the mobile device with security updates.


  • HBCI: This TAN procedure combines a particularly large number of components and is mainly suitable for companies, as they can carry out a large number of transfers every day. You need special software, a chip card, a card reader and a personal PIN.
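The PSD2 requirements listed above (TAN derived from the transfer data, valid only for a limited period) and the eTAN remark that a stolen TAN is useless because it is "dynamically linked to the respective transfer" both come down to the same mechanism. The following is an added example, not code from the page or from any bank's product: a hypothetical scheme in which the customer's generator derives a six-digit TAN with HMAC-SHA256 (HOTP-style truncation) from the transfer data it displayed plus an issue time, and the bank recomputes the code from the transfer it is about to execute. Real chipTAN generators use the card's transaction counter and a flicker code rather than a timestamp; the shared secret, the five-minute validity window and the IBANs are constructed for this example.

```python
import hashlib
import hmac

TAN_DIGITS = 6
TAN_LIFETIME_S = 300  # validity window, an assumption for this example


def canonical_transfer(transfer: dict) -> bytes:
    """Serialise the fields a TAN must be bound to in a fixed format,
    so that generator and bank hash exactly the same bytes."""
    iban = transfer["recipient_iban"].replace(" ", "").upper()
    return f"{iban}|{transfer['amount_cents']:d}|{transfer['currency']}".encode()


def generate_tan(secret: bytes, transfer: dict, issued_at: int) -> str:
    """What the customer's generator does: derive a digits-only code from
    the transfer data it displayed and the issue time. Hypothetical scheme
    built on HMAC-SHA256 with HOTP-style dynamic truncation (RFC 4226)."""
    msg = canonical_transfer(transfer) + b"|" + str(issued_at).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** TAN_DIGITS:0{TAN_DIGITS}d}"


class TanVerifier:
    """Bank side: recompute the TAN from the transfer the bank is about to
    execute, enforce the validity window, and accept each TAN only once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._used = set()

    def approve(self, transfer: dict, tan: str, issued_at: int, now: int) -> bool:
        if now < issued_at or now - issued_at > TAN_LIFETIME_S:
            return False  # expired (or clock went backwards)
        expected = generate_tan(self._secret, transfer, issued_at)
        if not hmac.compare_digest(expected, tan):
            return False  # transfer data differs from what the customer approved
        if (issued_at, tan) in self._used:
            return False  # replay of an already consumed one-time TAN
        self._used.add((issued_at, tan))
        return True


def demo() -> dict:
    """Constructed scenario: the customer approves one transfer on the
    generator; the bank then sees the genuine request, a replay, a request
    whose recipient and amount were altered in transit, and a late request."""
    secret = b"constructed-demo-secret-shared-by-generator-and-bank"
    shown = {"recipient_iban": "DE00 1111 1111 1111 1111 11",  # constructed IBAN
             "amount_cents": 12000, "currency": "EUR"}
    t0 = 1_700_000_000
    tan = generate_tan(secret, shown, t0)
    bank = TanVerifier(secret)
    altered = dict(shown, recipient_iban="DE00 9999 9999 9999 9999 99",  # constructed
                   amount_cents=950000)
    return {
        "genuine": bank.approve(shown, tan, t0, t0 + 20),
        "replayed": bank.approve(shown, tan, t0, t0 + 25),
        "altered": bank.approve(altered, tan, t0, t0 + 30),
        "expired": TanVerifier(secret).approve(shown, tan, t0, t0 + TAN_LIFETIME_S + 1),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>8}: {'accepted' if accepted else 'rejected'}")
```

The point of the "altered" case is the one the eTAN paragraph makes: because the code is a function of the recipient and amount the customer saw on the separate device, a transfer modified on the PC after approval no longer matches and is rejected by the bank, without the customer's secret ever leaving the generator.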

Which TAN procedure should you use?

Customers have only limited influence on which procedure they can use as the banks determine which procedures they offer. Most banks offer apps for mobile devices to use the pushTAN procedure. The banks encourage this because it is the least expensive option for them. Used correctly, this procedure also provides a good level of security. However, for the reasons detailed above, the use of a TAN generator is the most secure.

The important criteria for classifying a TAN procedure are security, flexibility and user experience. In general, the versions of TAN generation used in Germany are secure for users. The comparatively insecure procedure of iTAN lists was abolished by PSD2. Additional security is provided by the use of two independent devices, such as with the eTAN procedure, although this also increases the effort for the user.