nemiah / phpFinTS

PHP library to communicate with FinTS/HBCI servers
MIT License

Exception: "Unexpectedly multiple matches for Rueckmeldungscode 3956" #414

Closed witschko closed 10 months ago

witschko commented 10 months ago

Hi everybody,

today one of our developers ran into an InvalidArgumentException: "Unexpectedly multiple matches for Rueckmeldungscode 3956" for every request to the bank (statement of account, direct debit, transfer). The log shows the following entry:

HIRMS:4:2:3+3956::Starke Kundenauthentifizierung noch ausstehend.+3956::Starke Kundenauthentifizierung noch ausstehend.

So it seems the exception is correct but we do not know why it occurs. First we were thinking that the regular TAN request needs to be done, but in the online banking UI of the bank he can log in without any TAN request and the online banking also works well.

Does anybody know where this could come from? And another question: is it a general problem if there are multiple matches for one "Rueckmeldungscode"?

Thanks and best regards

Philipp91 commented 10 months ago

Looks like an unintentional mistake by that bank, but it's not technically against the spec, so let's tolerate it. I'll send a fix (#415). Please test it to see if there are any follow-up problems. We want to rule out the case that the bank means something with that duplicated entry that we're not understanding, i.e. we want to verify that it's actually just an unimportant mistake on their part.

witschko commented 9 months ago

Thank you!

Some additional information: we tried to ask the bank but didn't get a reply yet. But it also seems that it was a temporary issue, as it didn't occur today... there is only one 3956 entry in the bank's response.

witschko commented 5 months ago

For the sake of completeness:

We just found out what happened. It seems that the banks send multiple 3956 entries when there is an outstanding request validating the 3-month recurring TAN input and another TAN request validating a transaction.

It seems to be fixed with #415

Philipp91 commented 5 months ago

Oh but there's only a single process ID / "Auftragsreferenz"? Or do they also send multiple HITAN with different IDs? Because there is a mechanism for Multi-TAN authentication, but as far as I know, phpFinTS tries to detect and actively block it, because it's not implemented.

When it sends multiple 3956, do you have to confirm multiple things on your phone? Or still just one?

witschko commented 5 months ago

That's a good question. We are not sure, because we only found out because we logged into the online banking of the bank and were presented with the recurring TAN request and confirmed it. After that it worked with our implementation, because it seems there was only one TAN request left for pulling the journal.

But we'll check it next time (which will take 3 months as it seems...).
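
An added example, not part of the thread and not phpFinTS code or the change in #415: a stand-alone PHP parser for the HIRMS line quoted in the first post that collapses identical repeats of a Rueckmeldungscode while keeping their count (so a doubled 3956 stays visible in logs), and still rejects repeats whose content differs. The function names are hypothetical; the assumed segment layout is a header followed by `+`-separated entries of `code:reference:text`, with `?` as the escape character, and the input is one segment without its terminating `'`.

```php
<?php
declare(strict_types=1);

/** Split on an unescaped FinTS delimiter; '?' escapes the next character. */
function splitUnescaped(string $s, string $delim): array
{
    $parts = [''];
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '?' && $i + 1 < $n) {
            $parts[count($parts) - 1] .= $s[$i] . $s[++$i]; // keep the escape pair intact
        } elseif ($s[$i] === $delim) {
            $parts[] = '';
        } else {
            $parts[count($parts) - 1] .= $s[$i];
        }
    }
    return $parts;
}

/**
 * Parse one HIRMG/HIRMS segment into [code => ['raw', 'text', 'count']].
 * Identical repeats are collapsed and counted; repeats that differ are rejected.
 */
function parseRueckmeldungen(string $segment): array
{
    $elements = splitUnescaped($segment, '+');
    array_shift($elements); // drop the segment header, e.g. HIRMS:4:2:3
    $result = [];
    foreach ($elements as $element) {
        $fields = splitUnescaped($element, ':');
        $code = $fields[0];
        if (!preg_match('/^\d{4}$/', $code)) {
            throw new InvalidArgumentException("Malformed Rueckmeldung: $element");
        }
        if (isset($result[$code]) && $result[$code]['raw'] !== $element) {
            throw new InvalidArgumentException("Conflicting entries for Rueckmeldungscode $code");
        }
        // 'text' is left in its escaped wire form.
        $result[$code] ??= ['raw' => $element, 'text' => $fields[2] ?? '', 'count' => 0];
        $result[$code]['count']++;
    }
    return $result;
}

// Log line quoted in the issue above.
$line = 'HIRMS:4:2:3+3956::Starke Kundenauthentifizierung noch ausstehend.+3956::Starke Kundenauthentifizierung noch ausstehend.';
foreach (parseRueckmeldungen($line) as $code => $r) {
    printf("%s x%d: %s\n", $code, $r['count'], $r['text']);
}
```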