HBCI – Home banking in the national standard
The abbreviation HBCI stands for “Home Banking Computer Interface”. This nationally valid standard was developed by the Central Credit Committee and is intended to make online banking more secure and to increase compatibility between different types of bank computers and customer systems.
Banking kernel in the customer system – how HBCI works
Cashless payment transactions via the Internet are carried out using electronic cheques according to a well-secured system. All important data relevant to the transfer of funds is stored on the chip card, which serves as an electronic chequebook. The basic requirement for using Electronic Cheque is that both parties must have an account. Registration and identification are done via a protected password. Once the instruction to pay a certain amount is triggered, the sum is transferred to the recipient’s account and the customer’s liquidity is checked via a server network. Overall, the payment procedure with Electronic Cheque is similar to payment with conventional cheques; only the medium is different. Electronic Cheque also requires the issuer’s account number, the recipient, the amount and currency, as well as a signature.
How secure is HBCI?
Even if the HBCI procedure can be classified as significantly more secure than the iTAN or TAN-list procedures, risks remain. Just as security has evolved in banking software, so has cybercrime. It is conceivable that the program used for HBCI banking could be manipulated from the outside and the bank deceived with fictitious orders. It should be borne in mind that the encryption does not take place in the card reader; the signature is created by the home banking program. As with all transactions via the Internet, the same applies here: a procedure is only as secure as the PC on which it is executed. All in all, the HBCI procedure is also vulnerable if the PC system is not protected against external attacks.
The spread of HBCI
Although the HBCI procedure is considered particularly secure and is recommended by banks, private customers in particular often use TAN-based procedures. Here, mTAN, i.e. the sending of a generated TAN to a cell phone, and eTAN plus, i.e. the generation of TANs using an EC card for authentication together with a TAN generator, are considered just as secure as HBCI. The latter system is currently considered particularly secure because the TAN generated is linked to the recipient data. The PIN/TAN method, which is now considered insecure and outdated, is also in use. Here, the transaction is verified by the customer using a PIN and any TAN number from an unlimited list.
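The difference between a list TAN and a TAN bound to the recipient data, shown as an added illustrative model (not the real eTAN plus/chipTAN algorithm and not code from the page): a bound TAN is derived from the order, so an order altered on the PC after the customer authorised it no longer verifies at the bank, whereas a list TAN is valid for whatever order arrives. The card secret, order values and TAN list are constructed sample data.

```python
import hmac
import hashlib

# Constructed sample data: a shared secret standing in for the key on the
# customer's EC card, the order the customer authorised, and the same order
# with a different recipient (what a manipulated PC could submit instead).
CARD_SECRET = b"constructed-demo-card-secret"
ORDER = {"recipient": "DE00 0000 0000 0000 0000 00", "amount": "150.00", "currency": "EUR"}
TAMPERED = dict(ORDER, recipient="DE99 9999 9999 9999 9999 99")

# Constructed list TANs: numbers from a printed list, unrelated to any order.
TAN_LIST = {"123456", "234567", "345678"}


def bound_tan(secret: bytes, order: dict) -> str:
    """Derive a 6-digit TAN from recipient, amount and currency (illustrative HMAC model)."""
    msg = "|".join((order["recipient"], order["amount"], order["currency"])).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_accepts_list_tan(order: dict, tan: str) -> bool:
    """Bank-side check for a list TAN: any unused TAN from the list passes, regardless of the order."""
    return tan in TAN_LIST


def bank_accepts_bound_tan(secret: bytes, order: dict, tan: str) -> bool:
    """Bank-side check for a bound TAN: recompute over the order the bank actually received."""
    return hmac.compare_digest(bound_tan(secret, order), tan)


def tamper_outcome() -> dict:
    """The customer authorises ORDER, but the bank receives TAMPERED: which method lets it through?"""
    list_tan = "123456"                        # read off the paper list
    chip_tan = bound_tan(CARD_SECRET, ORDER)   # generated for the order the customer saw
    return {
        "list_tan_accepted_for_tampered": bank_accepts_list_tan(TAMPERED, list_tan),
        "bound_tan_accepted_for_tampered": bank_accepts_bound_tan(CARD_SECRET, TAMPERED, chip_tan),
        "bound_tan_accepted_for_original": bank_accepts_bound_tan(CARD_SECRET, ORDER, chip_tan),
    }


if __name__ == "__main__":
    print(tamper_outcome())
```

The same reasoning explains the page's point about HBCI: if the signature is created by the program on the PC rather than on the card reader, the data being signed can be altered before it is signed, so the binding alone does not help without a trustworthy signing device.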