The XI Civil Senate of the Federal Supreme Court, which is responsible for banking and stock exchange law, has ruled on the conditions under which a bank customer is liable for damages in the event of a pharming attack in online banking.
In the underlying case, the plaintiff claims repayment from the defendant bank of a transfer of € 5,000 that the bank carried out in online banking.
The plaintiff maintains a current account with the defendant and has participated in online banking since 2001. For transfer orders, the defendant uses the so-called iTAN procedure: after gaining access by entering a correct personal identification number (PIN), the user is requested to enter one specific (indexed) transaction number (TAN), identified by its position number, from a numbered TAN list provided to him beforehand.
In the middle of the log-in page of the defendant's online banking was the following notice:
"Currently, there are more malware programmes and so-called phishing e-mails in circulation that ask you to enter several transaction numbers or even credit card data in one form. We will never ask you to enter several TANs at the same time! We will also never ask you to register for ... Net-Banking by e-mail!"
On 26 January 2009, after his PIN and a correct TAN had been entered, an amount of € 5,000 was transferred from the plaintiff's current account to an account at a Greek bank. The plaintiff, who denied having initiated this transfer, filed a criminal complaint on 29 January 2009 and stated the following on the record:
"In October 2008 - I don't remember the exact date - I wanted to go to online banking. I clicked on the online banking of the ... bank. The screen opened as usual. Then I was told that I did not have access to online banking at the ... Bank at the moment. Then I was instructed to enter ten TAN numbers. The fields were not numbered from 1 to 10, but criss-crossed. I then also entered the requested TAN numbers, which I already had from the bank, into the fields chronologically. After that, I was then given access to my online banking. I then made a transfer using a different TAN number."
The investigation was discontinued because a perpetrator could not be identified.
The action for payment of € 5,000 plus interest and pre-litigation costs was unsuccessful in the lower courts. The Federal Supreme Court dismissed the appeal, which the Court of Appeal had admitted.
The action is unfounded. Even if the plaintiff did not initiate the transfer of the € 5,000, his claim for payment of this amount was extinguished because the defendant set it off against a claim for damages in the same amount under section 280 (1) BGB.
According to the facts presented in his criminal complaint, the plaintiff fell victim to a pharming attack, in which a correct request for the bank's website was technically redirected to a fraudulent page. The fraudulent third party used a TAN obtained in this way to issue the transfer order to the bank without authorisation. Through his reaction to this pharming attack, the plaintiff became liable to the bank for damages. He breached the duty of care required in ordinary business dealings by entering ten TANs at once during the log-in process, i.e. not in connection with a specific transfer, despite the bank's explicit warning. Simple negligence is sufficient for the customer's liability in the present case, because section 675v (2) of the German Civil Code (BGB), under which the customer is liable without limit for misuse of a payment authentication instrument only in cases of intent or gross negligence, did not enter into force until 31 October 2009.
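The mechanics in the preceding paragraph, as an added illustration that is not part of the court summary: a small Python model of the bank side of the iTAN procedure. The TAN list, the account details, the harvested position numbers and the `ITanBank` class are all constructed for this example and are not taken from the case file. It shows that the genuine verifier binds one position to one transfer order and never requests a TAN at login, what a set of ten TANs obtained by the fraudulent page is worth against that verifier (the share of future challenges it can answer), and the bank's log-in warning restated as a rule a form can be checked against.

```python
from __future__ import annotations

import random
from dataclasses import dataclass, field
from typing import Optional

LIST_LENGTH = 100  # positions on the constructed paper TAN list (assumption)


def make_tan_list(rng: random.Random, length: int = LIST_LENGTH) -> dict[int, str]:
    """Constructed iTAN list: position number -> six-digit TAN."""
    return {pos: f"{rng.randrange(10 ** 6):06d}" for pos in range(1, length + 1)}


@dataclass
class ITanBank:
    """Bank side of the indexed-TAN procedure, reduced to the checks that matter here."""
    tan_list: dict[int, str]
    rng: random.Random
    used: set[int] = field(default_factory=set)
    # order_id -> (challenged position, beneficiary account, amount)
    pending: dict[str, tuple[int, str, int]] = field(default_factory=dict)

    def login(self, pin_ok: bool) -> bool:
        # Access needs the PIN only; the genuine bank never asks for a TAN at this step.
        return pin_ok

    def free_positions(self) -> list[int]:
        """Positions neither consumed by an executed order nor reserved for a pending one."""
        reserved = {pos for pos, _, _ in self.pending.values()}
        return [p for p in self.tan_list if p not in self.used and p not in reserved]

    def request_transfer(self, order_id: str, iban: str, amount: int) -> int:
        """Bind one unused position to this order and return it as the challenge."""
        free = self.free_positions()
        if not free:
            raise RuntimeError("TAN list exhausted")
        pos = self.rng.choice(free)
        self.pending[order_id] = (pos, iban, amount)
        return pos

    def confirm_transfer(self, order_id: str, tan: Optional[str]) -> bool:
        """Execute the order only if the TAN at the challenged position is supplied."""
        pos, _iban, _amount = self.pending.pop(order_id)
        if tan is None or tan != self.tan_list[pos]:
            return False
        self.used.add(pos)  # a TAN authorises exactly one order and is then spent
        return True


def form_breaks_bank_rule(tan_fields: int, during_login: bool) -> bool:
    """The notice on the log-in page as a check: a form asking for more than one TAN,
    or for any TAN before a transfer order exists, is not the bank's form."""
    return tan_fields > 1 or (during_login and tan_fields > 0)


def exposure(bank: ITanBank, harvested: dict[int, str]) -> float:
    """Share of the bank's possible next challenges that a harvested set of TANs answers."""
    free = bank.free_positions()
    return sum(1 for p in free if p in harvested) / len(free)


def harvested_tan_answers_order(bank: ITanBank, harvested: dict[int, str],
                                order_id: str, iban: str, amount: int) -> bool:
    """The unauthorised order from the judgment as the verifier sees it: the
    challenge is a random unused position, so it succeeds only if that position
    is among the ones the fraudulent page collected."""
    pos = bank.request_transfer(order_id, iban, amount)
    return bank.confirm_transfer(order_id, harvested.get(pos))


def demo_bank(seed: int = 7) -> tuple[ITanBank, dict[int, str]]:
    """Fresh bank with a constructed list; same seed gives the same list."""
    tan_list = make_tan_list(random.Random(seed))
    return ITanBank(tan_list, random.Random(seed)), tan_list


if __name__ == "__main__":
    bank, tan_list = demo_bank()
    # Legitimate order: one challenge, one TAN, position spent afterwards.
    pos = bank.request_transfer("order-1", "DE00 constructed", 120)
    print("legitimate transfer:", bank.confirm_transfer("order-1", tan_list[pos]))
    # Ten positions entered on a page that asked for them "criss-crossed" at login.
    harvested = {p: tan_list[p] for p in (3, 17, 21, 42, 55, 60, 68, 77, 88, 99)}
    print("login form with ten TAN fields breaks rule:", form_breaks_bank_rule(10, True))
    print("share of challenges the harvest can answer:", round(exposure(bank, harvested), 3))
    print("harvested TANs answer the order:",
          harvested_tan_answers_order(bank, harvested, "order-x", "GR00 constructed", 5000))
```

The point the model makes is the one the court relied on: the indexed challenge protects the list only as long as each TAN leaves the paper list for a single, bank-issued transfer order, so a page that collects ten of them in one form at login has already defeated the control, whatever the bank's verifier does afterwards.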
The court of appeal rightly denied any contributory negligence on the part of the bank. According to its findings, by using the iTAN procedure, which was state of the art in 2008, the bank fulfilled its obligation to provide an online banking system that was as resistant to abuse as possible. Nor did it breach any duty to inform or warn. Whether executing the transfer exceeded the customer's credit limit is irrelevant, because credit institutions generally have no duty to protect their customers from overdrawing their accounts. The parties had not agreed on a credit line that would cap the individual transaction regardless of the account balance.
Judgment of the BGH of April 24, 2012 - XI ZR 96/11
Düsseldorf Local Court - Judgment of April 6, 2010 - 36 C 13469/09
Düsseldorf Regional Court - Judgment of January 19, 2011 - 23 S 163/10
Goldberg Attorneys at Law 2012
Attorney at Law Michael Ullrich, LL.M. (Information Law)
Specialist attorney for information technology law