
gosh, 30 mins.. care to post a TLDR?

I'm not too concerned by this to be honest. For the last 10 years banking has been regulated to such a painful degree that such concerns are minutiae.

This isn't bitcoin or a stage coach hurtling through the wild west. The only way money is leaving my account is by way of my chip & pin card, which is no easier or difficult than any other, and subject to the same protections, or by wire transfer which is easily detected and reversed.

Beyond that, it's the bank's problem, ergo their underwriters and if they weren't happy they wouldn't be underwriting. Even then, if the bank does go tits up my deposits are guaranteed.

That said, of course there may be risks of bad actors within the bank itself, but even in that regard I'm at least as safe as I am with any other bank.



TLDR: A German security researcher was able to take over any N26 account, even though that theoretically required having access to the customer's email address, phone number, and MasterCard ID. He was then able not only to transfer the money from the account, but also to take out credit on the customer's behalf.


Thanks. As I said, these actions are both easily traceable and reversible. Some inconvenience to me certainly but I am covered, and the thief is most probably in jail.

This does affect N26's own risk-profile and they'd do well to address it as such it would affect their bottom line but as a customer I have little more to fear than I have with any other bank.

I'd expect they have a lot of latitude to play with on the risk side though vs B&M banks because they don't have any actual physical exposure.


> As I said, these actions are both easily traceable and reversible. Some inconvenience to me certainly but I am covered, and the thief is most probably in jail.

That's only true if the bank itself was aware of its security issues, which N26 was not. From the bank's point of view, you had just started using its mobile app on a new device after successfully proving your identity without any suspicious activity in the logs.


Yeah, a mobile device that I don't own, in a location I haven't been in, buying things I didn't buy. Most of this is easily provable, and I make such assertions based on fear of prosecution for fraud if I'm lying.

Obviously if this is the case it's an issue for them to address and to not do so puts them at risk of negligence.

So I reckon I'm safe enough!


You probably would have been safe, unless you lived in Germany and used CASH26[1], like many N26 users do. In that case, a hacker could have just taken all the money out at the place you frequent using any device. Good luck trying to prove to the app-only bank that you didn't give your credentials to anybody, when the bank is not aware of any security breaches.

[1] https://n26.com/en-de/cash26


That’s a cool feature!

I wonder is there a waiver in the T&C that says you’re responsible for any losses of that kind ...

Would make for an interesting court case if not!

I still think any such losses are on the bank itself. It would be incumbent upon them to refund, especially given that the details of such an attack are in the public domain!



