Most internet bank users who use an ID-card or Mobile-ID are used to entering PIN1 first and then confirming a payment with PIN2. Danske Bank, however, has solved the matter differently and asks only for PIN1, both for login and for payment confirmation.
Annika Maiste, head of Danske Bank’s e-banking, said that the same PIN code should indeed be used for both login and payment confirmation, and that according to the bank this has no effect on security. “In our risk assessment, we have analyzed various attacks and concluded that the use of the digital signing function in Internet Banking may not provide significant additional protection to the user in the case of modern malware,” Maiste said.
She added that the above principle applies to both Mobile-ID and the ID-card, and that the company can confirm that, although Danske Internet Bank, unlike other banks, does not ask users for PIN2, it is safe for them.
Katrin Talihärm, Managing Director of the Banking Association, said that which security code to ask for is the responsibility of each service provider, and that the association has not made recommendations to its members about it. She added that both the ID-card and Mobile-ID are by definition categorized as strong authentication tools when used in an electronic environment together with a PIN.
If only modern malware is considered in the threat model, then indeed PIN2 does not provide any additional protection. However, there are other attacks in which compromising one key is feasible while compromising both keys is not.