Major security issues for N26 – a German fintech acting exclusively as a mobile bank, with 1.5 mln. customers across Europe

German banking startup N26 is winning over customers and investors with its pledge to offer “banking without the bullshit.” But a security test shows how easy it is to open an account under a false name, according to Handelsblatt .

Germany’s fintech darling N26 is potentially vulnerable to money laundering and terrorism financing, according to research by Handelsblatt’s sister magazine WirtschaftsWoche, which exposed a security gap at the online banking startup.

The apple of discord is how easily someone can open an account with a fake ID. A WirtschaftsWoche correspondent saw first hand how a man, Milo T., scanned a friend’s ID, added his own passport photo to the ID, printed it out and stuck it atop of a white plastic card that was the same size as the office ID card in his country. He cut the edges to make them round and voilà: a new identification card.

It took five minutes and the result is so blatantly a forgery that it would fail to convince even the laxest of nightclub doormen. None of the holograms or other security features found on original IDs can be seen on the fake. Regardless, Milo effortlessly used this ID to set up an N26 account, and this wasn’t a one-off occurrence. WirtschaftsWoche documented how several people opened N26 accounts using forged papers.

Toast of the town
It’s an embarrassment for N26, which since its launch in 2015 has become the toast of Germany’s fintech scene with its app-based business model that offers what it calls “banking without the bullshit.” Its services are digital, modern and cheap, unencumbered by the branch networks, admin and creaking IT systems that are the bane of its brick-and-mortar rivals.

Founders Valentin Stalf and Maximilian Tayenthal won high-profile investors such as insurer Allianz, Internet group Tencent and PayPal founder Peter Thiel who invested a total of $215 million in the startup. N26 offers services in 18 countries and plans to launch in the US soon.

The fintech reports some 1.5 million customers and is aiming for 5 million across Europe by 2020. It needs that kind of growth to help meet its target of becoming profitable from 2019. Because it offers basic banking services consisting of a free checking account and a Mastercard, N26 can only hope to earn money via fees, like when customers overdraw, or buy other banking products.

However, there is a wrench in the works with German financial watchdog BaFin investigating N26’s security vulnerability: the so-called selfie validation procedure.

The trouble with selfie checks
Milo used a selfie to open his account. He filled out a form on the N26 app and provided an email address; then he used his phone to photograph the fake ID card and then himself. Within 15 minutes of sending both images to N26, he received an email saying “Your Mastercard is on its way.”

The selfie system isn’t permitted in Germany because BaFin said it doesn’t meet the country’s anti-money laundering standards. But N26 uses this same system in a number of other European countries including Portugal, where it also falls short of legal requirements. In Portugal, however, authorities are powerless to stop it — because branchless N26 doesn’t have a physical presence in the country.

Here it seems that N26 is benefiting from a European loophole. Under EU law, a bank only needs an operating license in one country to be able to do business across the entire single market. In the case of fintechs without branches in specific countries, it’s hard for authorities to intervene, especially if the bank isn’t breaking any rules in its home market.

Banks must check the identity of everyone opening an account to prevent money laundering. While these ID checks used to take place exclusively at bank counters, many services use video identification. Customers rotate their ID card in front of a camera allowing staff to check for security features, like holograms, and BaFin signed off on this procedure.

The upside of using selfie checks for N26 is that it grows its customer base at a low cost — around half as much as the safer ID check via video chat.

No safety guarantees
Even with new technologies, no remote ID check is completely foolproof and it’s a problem for all banks. Candid Wüest of IT security firm Symantec estimated that 12 accounts per day are opened in Germany in the name of people who don’t exist. These fraudulent accounts could only be prevented if ID checks were strictly limited to bank branches and if each branch used verification machines issued by the Federal Printing Office, she said.

N26 recently tightened its security standards after its own video ID system was abused by criminals who had posted job adverts and then asked applicants to identify themselves via video chat. The applicants were unaware that they were opening an N26 account that was later used to transfers funds.

In response to an inquiry by BaFin and other regulators, N26 reiterated that “no verification procedure guarantees 100 percent security,” adding that “various security measures and control mechanisms are implemented” with photo checks. The online bank said it was meeting regulatory requirements on money laundering and was reporting suspicious cases.

When questioned further about why the bank was using an ID checking procedure in Portugal that didn’t meet Portuguese standards, the bank said it adhered to German money-laundering law. Yet acquiescing to German law is a poor defense as the selfie checks do not meet Germany’s requirements either.

In response to WirtschaftsWoche’s inquiry into the bank’s vulnerabilities, BaFin said: “The necessary supervisory measures were taken.” The authority was informed of the security gaps several months ago and is continuing its investigation, but the selfie check system is still used at N26 and there is no indication the startup is considering otherwise.

Furthermore, there are also scores of reports online that non-EU citizens are opening N26 accounts using phony addresses, suggesting how easily that requirement can also be circumvented. It makes you wonder: Maybe there is a reason for the bullshit.