Yeah a mobile device that I don't own, in a location I haven't been in, buying things I didn't buy. Most of this is easily provable, and I make such assertions based on fear of prosecution for fraud if I'm lying.
Obviously if this is the case it's an issue for them to address and to not do so puts them at risk of negligence.
You probably would have been safe, unless you lived in Germany and used CASH26[1], like many N26 users do. In that case, a hacker could have just taken all the money out at the place you frequent using any device. Good luck trying to prove to the app-only bank that you didn't give your credentials to anybody, when the bank is not aware of any security breaches.
I wonder is there a waiver in the T&C that says you’re responsible for any losses of that kind ...
Would make for an interesting court case if not!
I still think any such losses are on the bank itself. It would be incumbent upon them to refund, especially given that the details of such an attack are in the public domain!
Obviously if this is the case it's an issue for them to address and to not do so puts them at risk of negligence.
So I reckon I'm safe enough!