All apps now offer the most important basic functions, such as standing orders or scheduled transfers; even a purely mobile function such as photo transfer is now standard.
The apps have become more similar, but show differences in the quality of use. “Not all applications, for example, reliably recognize all the details on a photographed invoice.”
The study therefore weights the quality of use higher than the pure range of functions. This also includes intuitive operation. In terms of functionality, the banks were able to score points with additional analysis services. “Apps make it possible to see early on whether there is a risk of an overdraft on the account in the next month,” says Higle.
High security standards
As more and more people use mobile banking, the field becomes interesting for criminals. But they don’t have it easy. “From a purely technical point of view, there are fewer and fewer points of attack,” says Vincent Haupert, a security consultant with a doctorate in computer science. Smartphones today offer protected areas in which data is stored securely encrypted. “Even if the smartphone is infected with malware, the apps are well protected.” At least as long as the latest version of the operating system is installed.
The EU Payment Services Directive PSD2 has also contributed to more security. It prescribes two-factor authentication for online and mobile banking. This was decided in 2015, but was not implemented in Germany until 2021. In practice, this means that users have to identify themselves in two different ways for banking transactions.
“The level of security has increased significantly as a result,” says Haupert. Possible factors are a password, a TAN generated via the smartphone or an external device, or biometric identification via fingerprint or face scan.
External TAN generator reduces risks
The push TAN procedure is particularly popular today. A second app, independent of the actual banking application, is usually installed on the smartphone and is used to authorize a transaction. This is convenient, but both factors run through the same device. “The gold standard is still a two-device process,” says Haupert. One example is the chip TAN procedure, in which the giro card is inserted into an external TAN generator. However, this is more cumbersome, and the necessary device is not always at hand on the go.
In addition, the first providers have started to abolish the giro card altogether. The SMS-TAN procedure, which the savings banks and Volksbanks already discontinued in 2022, is also being phased out. It is considered comparatively insecure, since the SMS carrying the TAN can in principle be intercepted.
However, Haupert considers app-based procedures such as the push TAN to be acceptable. Users should, of course, not use the same password for both apps. Biometric methods are also secure in principle. They have the advantage that they can hardly be cracked remotely, and it is usually not possible to trick the face scanner with a photo.
Human vulnerability
Basically, the weak points tend to lie with the users themselves, says Haupert. “No matter how secure the procedure may be from a technical point of view, if you then hand over the generated data to criminals, it’s of no use.” But that is exactly what happens. Because technical attacks are becoming increasingly difficult, criminals are increasingly relying on social engineering – i.e. the targeted deception of users in order to gain access to their data. Attackers first need the access data for online banking.
They usually obtain this through so-called phishing, says Haupert – for example via an email with a link that leads the user to a fake input form. Unsuspecting users enter their data there, and it ends up directly with the criminals. However, this alone is not enough for the fraud to succeed – after all, there is two-factor authentication.
“Criminals sometimes go to great lengths to get a generated TAN,” says Haupert. They often try to deceive users by posing as bank representatives. “For example, they write a message via messenger or even call directly.”
Technically, it is even possible to make the number of the local bank branch appear on the display. The criminals then claim, for example, that they want to reverse an allegedly faulty transfer. To do this, they request a TAN – or ask the user to release an order themselves. Or they pretend to set up a new security procedure and, with the user’s help, register a device they control. Haupert advises staying calm.
“No banking situation is so urgent that you can’t simply ask the bank whether everything is in order.” The general rule is: “Communication that comes directly from the bank should never be shared with others. A bank will never ask you to give a TAN over the phone.”
The banks must therefore manage the balancing act between convenience and security and, if possible, offer added value compared to pure online banking. Ranking leader Deutsche Bank, which was second in the previous year, offered most of the functions surveyed in the study and was particularly convincing in multibanking, i.e. the simultaneous management of accounts from different banks in one application. Its quality of use also proved consistently convincing.
According to SWI market researcher Higle, it is often the new banks that introduce new functions first; the established banks then adopt them with a slight delay. In the ranking, Vivid Money achieved the best placement of a neobank: fifth place and the grade “very good”. “The neobank apps get updates very frequently,” says Higle. As a result, there are always new services and controls. But there is also the danger of irritating users with constant changes.
Higle still sees potential for improvement in the personalization of the applications. “Some of the apps have functions that the user doesn’t even know about because they are so hidden.” Other functions are prominently placed but may not be used at all. “It would make sense to have a question-and-answer dialogue that could be used to create an individual user profile.” It is crucial that users perceive the apps as added value for themselves. The apps could also use location data to give tips tailored to the user’s whereabouts, says Higle. “For example, which of my cards I can use to withdraw money free of charge in the holiday country.”