The direct bank N26 is considered one of the stars of the German startup scene. The bank is currently opening more than 10,000 accounts a day, says its founder. However, this seems to be at the expense of customer support. The startup magazine Gründerszene reports of a N26 customer who was stolen in a fraud case 80,000 euros and then almost unsuccessfully tried to reach someone at the bank for nearly two weeks – while in the meantime, his company existence was at risk of theft.
First, the bank made no move to replace the money, only after a press request from founder scene secured the customer a refund. According to research by heise online, the hesitant reaction of the bank described in the report was not an isolated case. Many customers complain about inadequate customer service. In addition, hedging the N26 accounts raises questions.
80,000 euros away, no reaction from the bank
The report by Gründerszene states that at the end of February, a customer was unable to log into the N26 app on his smartphone, which manages his bank account. Since the company no longer offers telephone support and the support chat is not occupied at night, the worried customer wrote an e-mail to the bank. This was for days – except for an automated return mail – not answered.
More than two weeks after the incident, the customer finally managed to get someone at N26 over the company’s chat channel to take a look at his problem. The employee told him that in the account although sometimes 80,000 euros were, but now only 12.26 euros left. The employee in the chat recommended that the customer report to the police. One way to talk about the case with someone personally on the phone would not be at the bank.
For the person concerned in this case was aggravating added that he managed as an independent entrepreneur on the account money that he urgently needed to operate his business. The Bank’s slow reaction prevented him from paying his suppliers, which put him in a situation that threatened his existence. He could not pay his rent at first.
N26 praised improvement
Interrogated by heise online on this case, N26 indirectly confirmed the incidents described. A spokeswoman for the bank said, “Unfortunately, in such cases, clients often share their personal information with fraudsters, and if frauds occur, we block the affected accounts and contact customers Our customer service can be contacted via chat in the app or on the N26 website, and we call customers back if they wish, especially in cases of emergency, such as suspected fraud”.
It is also praised for improvement: “Unfortunately, we have in some cases found that customers have not been recalled immediately and we apologize for this, promptly training them and setting up a skills team to monitor and ensure prompt and satisfactory support for further incidents prevent”.
Not an isolated case
A N26 customer stolen nearly 4,000 euros and the bank responded similarly. In the end, one had been left on the loss of money. When researching this topic on our part, the impression was confirmed that these are not individual cases. Several current and former N26 customers compared to heise online a similar picture of fraud and lack of customer support. Here, the bank probably has not refunded money in several cases after attacks on N26 accounts. The consumer center Saxony is currently dealing with several comparable cases at N26. These impressions suggest that the 80,000-euro loss was only refunded because the person concerned turned to the press.
According to those described, many of the fraud cases are phishing attacks. In such attacks, the victim is sent a link to a web page that looks a lot like the N26 website or app. If the victim logs in there with his credentials, the attacker can use them to gain access to the account. In the present cases, the attackers then probably locked out the victim by changing their password and took control of their own instance of the N26 smartphone app.
Those who pay for the damage in such a case is often controversial. As a rule, a bank must prove negligence to its customers if they do not want to repay them the stolen money. However, what in such cases is considered to be negligent has always concerned the courts in the past.
Safety at N26 controversial
For most online banks, a pure access to the account, such as phishing, is not enough to transfer money. In general, security experts agree that a TAN should also be requested for the transfer of funds. For most banking apps on smartphones, such one-time security numbers are generated per transaction by the bank and sent to the customer via SMS or in an app. Some banks also use smart cards or TAN generators. This secures the account with a second factor: The customer must have control over his or her mobile phone or smartcard in addition to his password in order to transfer money. Such a hedge does not seem to exist for N26, which has probably made it easier for scams in the present cases to attack.
N26 asks for a four-digit confirmation PIN for transfers, but this is not transaction-specific and the customer can change them directly in the app. It seems that the fraudsters did just that after gaining access to their accounts. To make matters worse, according to reports from N26 customers, the app can not set a transfer limit. An attacker can thus create up to 50,000 euros a day from a hijacked account. Asked about the exact security precautions for N26 accounts and bank transfers – also in connection with the case described by Gründerszene – the bank did not want to give us any information.
This is not the first time that the security of the banking startup has been criticized. At the 33rd Chaos Communication Congress in December 2016, security researcher Vincent Haupert explained how he had managed to completely take over an N26 account with a relatively simple trick on his smartphone. He got access to the internal API of the N26 server and was thus able to make transfers. Even Haupert then warned against the threat of phishing attacks on N26 customers. According to N26, the bank is actively working to improve the safety of its customers. “In addition to all the legal requirements for fraud prevention, a dedicated team always takes care of the improvement of our security arrangements and analyzes every single fraud case”, said the spokeswoman for the bank.