
Key file

For online banking with FinTS, the HBCI classic procedure is now available in addition to the PIN/TAN procedure. It offers two options for customer authentication: a signature chip card or an HBCI key file (RDH-10).


The HBCI/FinTS procedure with key file is based on the use of an electronic signature, as every contract must be signed. The software generates a key for the signature, which is stored on a persistent storage medium such as a USB stick. During setup, the public part of the key is transmitted online to the bank. The HBCI software generates an INI letter for this purpose. The INI letter, signed by the customer, confirms the authenticity of the electronic signature to the bank. TANs are no longer required for transfers, only the key file.


The standard provides various security profiles for the HBCI/FinTS procedure with key file. These are currently RDH-1, RDH-2, RDH-10 and RAH-10, which differ in cryptographic features such as the length of the keys used, which ranges from 768 bits to 4096 bits.


The new EU directive regulating the business activities of payment service providers in the EU (PSD II) will replace the existing Payment Services Directive (PSD I) and will cover payment service providers and forms of payment that were previously unregulated. Furthermore, this directive is intended to provide a legal basis for new payment options and thus pave the way for new payment methods. The increased requirements for data protection and the security of electronic payments are also taken into account.


To perform strong customer authentication in accordance with PSD II, two elements from the categories “knowledge”, “possession” and “inherence” (biometrics) must be used. The “possession” factor must be unique and may only exist once. For example, a card fulfills the “possession” criterion and a PIN fulfills the “knowledge” factor.


According to PSD II, security procedures are permitted as a possession element if they effectively prevent copying. Because a key file in the RDH-10 security procedure can be copied and used in different places at the same time, it does not fulfill the “possession” factor. Against this background, the DK decided that a copyable key file may no longer be used under PSD II and that the RDH-10 procedure must be replaced. Possible alternatives are the use of a signature chip card or a PIN/TAN procedure. Which alternative procedure should be used depends on the individual situation of the customer.