After the Verdict

Sparkasse Must Refund Customers €10,000!

The Dresden Higher Regional Court heard a phishing case and found the Sparkasse bank partially liable. Photo: Getty Images

July 9, 2025, 1:16 pm | Read time: 3 minutes

A ruling by the Dresden Higher Regional Court is currently drawing attention. Despite gross negligence by a bank customer in a phishing scam, the savings bank must reimburse part of the damages. The reason: According to the court, the bank’s security measures were insufficient to prevent the attack.

After a phishing attack on a savings bank customer, the Dresden Higher Regional Court ruled that the bank must cover 20 percent of the resulting damages. Although the customer acted with gross negligence by revealing his login details and carelessly approving TAN authorizations, the savings bank also shares some blame for not implementing strong customer authentication during login, according to the ruling from May 5, 2025 (Case No. 8 U 1482/24).

Phishing Attack with Dramatic Consequences

The case centers on a savings bank customer who used the S-pushTAN procedure. Through a phishing email, fraudsters obtained his login details. In several phone calls, they convinced him in February of this year to approve an increase in his transfer limit and two payments totaling 49,421.44 euros in real time via the TAN app.

The customer testified in court that the S-pushTAN app did not display details of the transactions, such as the amounts or the recipient. He only received generic approval requests for “orders.” The Higher Regional Court found this statement unconvincing but noted the unusual situation of approvals during an ongoing phone call.

Court Recognizes Sparkasse Shares Blame

The court clearly classified the plaintiff’s behavior as grossly negligent. He entered his login details on a fake website and approved sensitive payments without sufficiently verifying the information. The ruling states: “Due to the numerous cases made known by various media in recent years, the understanding that customers are being prompted by fraudulent messages and calls from supposed bank employees to disclose online banking login details must be considered common knowledge.”

However, the court also acknowledged the savings bank’s shared responsibility. The judges criticized the lack of strong customer authentication during online login. This allowed sensitive data, such as birth dates or card numbers, to be accessed—information the fraudsters used to prepare the fraudulent transfers.

The absence of legally required “strong customer authentication” during online banking login clearly contributed to the perpetrators gaining access to online banking through a spear-phishing email, a fake website, and by reading the PIN.

There, again without requiring strong customer authentication, sensitive payment data as defined in Section 1, Paragraph 26 of the Payment Services Supervision Act (ZAG) was accessible (credit limit, daily limit, IBANs of the plaintiff’s various account numbers, account balance and transactions in debit and credit, plaintiff’s birth date and mobile number, etc.).

Excerpt from the ruling 8 U 1482/24

Security Gaps in Savings Bank’s pushTAN Procedure

The Dresden Higher Regional Court clarified that the savings bank’s pushTAN procedure can generally meet the requirements for strong authentication if adequate protective measures are implemented. In this specific case, however, additional authentication during login, such as a second factor like biometrics or device binding, was missing. This violated the bank’s regulatory obligations.

The ruling is not surprising. As early as 2023, another court addressed the security of the pushTAN procedure. At that time, the Heilbronn Regional Court ruled that “the so-called pushTAN procedure […] poses an increased risk potential,” particularly when the TAN and banking app are installed on the same device.

Sparkasse Must Reimburse Almost 10,000 Euros

Due to the aforementioned shared responsibility of the savings bank, the customer who lost his money was able to achieve partial success. The Dresden Higher Regional Court awarded him a compensation claim of 20 percent, which the savings bank must pay, amounting to 9,884.29 euros. The bank must also cover the customer’s pre-litigation attorney fees of 1,119.79 euros. The ruling is final, and an appeal was not permitted.

This article is a machine translation of the original German version of TECHBOOK and has been reviewed for accuracy and quality by a native speaker. For feedback, please contact us at info@techbook.de.
