[Tinkerphones] OT: Banking in Germany (was: Strategies for sustainable phones)

H. Nikolaus Schaller hns at goldelico.com
Sun Sep 22 10:02:58 CEST 2019

> On 22.09.2019 at 01:21, Martin <debacle at debian.org> wrote:
> On 2019-09-21 21:33, Xavi Drudis Ferran wrote:
>> On Sat, Sep 21, 2019 at 07:22:22PM +0200, H. Nikolaus Schaller said:
>>> BTW: this makes me wonder if a TAN generator can be used for tracking
>>> users? Who knows what information it is encoding in the TAN?
>> No idea, I hadn't heard of TAN before. Sounds like an interesting question.
> Just two layperson's thoughts:
> First, the TAN generator hardware is very simple. It does not
> have any connection to other devices or the internet, other than
> the optical sensor to detect the flicker code on the screen.
> There is no GPS to detect location.
> Second, the TAN itself is very short, not more than six decimal
> numbers. There is not much one could encode in so few numbers.

Yes, you are probably right.

I can imagine that the process is likely:

bank computer -> flicker(encrypt(random number + TAN + account information + transfer data)) -> sent to web browser screen -> optical sensor -> decrypt with some secret inside the generator -> display TAN -> user types the number into web form -> bank computer compares sent and received TAN

Which means the bank can (and must) already track that you are using the online account :)
They already know the IP address of the web browser. They already know your bank account number.
So there is no new information for the bank.

What I don't know is how the encrypt/decrypt works. This apparently involves some personal information.
Or does the generator read the chip inside your bank card? Then, this chip card encapsulates the secret and is unique.

So in total it doesn't seem to be more risky than using the card in some ATM.

But I am not at all a security specialist which is why I raise this question...

>> Pse. Mine is also a cooperative, but now it requires a mobile phone to
>> operate. For many years login and password were enough, and for
>> operations moving money, a printed code card (a small One-Time-Pad,
>> which I left at home). Now they send you an SMS that someone could
>> intercept or someone could use your stolen phone, or force you to use
>> your phone...
> At least, you can receive SMS using an old, non-smart phone (no
> Android/iOS!) or a USB GSM modem, using ofono or modem-manager
> or gammu on a Linux PC. There is software called sms4you, which
> forwards SMS via email (and XMPP is in the works).

Well, some banks seem to no longer provide TANs (transaction numbers)
either by paper/card or by SMS. They require you to have an app, which is
the connection to the original topic.

There will never be FLOSS variants of such software, unless there were
an open standard for the interfaces.

>> I mean being a cooperative is not immediately a silver bullet (but maybe
>> the rest of banks are even worse). 
> They are probably slightly less evil.

At least they are more responsible towards the member-owners and less to third-party owners.
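The flow sketched in the message above (bank -> flicker code -> generator -> TAN -> bank compares), as an added model that is not part of this thread and not the real chipTAN protocol. It assumes that the generator's only secret is a per-card key and that the TAN is a keyed MAC over the transfer data the bank already holds (both are assumptions); all names and sample values are constructed.

```python
import hashlib
import hmac
import os

TAN_DIGITS = 6
# Constructed secret standing in for whatever the generator (or the card chip) holds.
CARD_SECRET = b"constructed-per-card-secret"

def issue_challenge(transfer: dict, nonce: bytes = b"") -> dict:
    """Bank side: the challenge shown as the flicker code. It carries a random
    nonce plus transfer data the bank already knows; no TAN is inside it."""
    nonce = nonce or os.urandom(8)
    return {"nonce": nonce.hex(), "iban": transfer["iban"],
            "amount_cents": transfer["amount_cents"]}

def encode_flicker(challenge: dict) -> bytes:
    """Serialise the challenge the way the generator's optical sensor receives it."""
    return f"{challenge['nonce']}|{challenge['iban']}|{challenge['amount_cents']}".encode()

def generator_tan(secret: bytes, flicker: bytes) -> str:
    """Generator side: keyed MAC over the received challenge, truncated to six
    decimal digits. Only this MAC leaves the device, so the TAN cannot carry
    information the bank did not already put into the challenge."""
    mac = hmac.new(secret, flicker, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**TAN_DIGITS).zfill(TAN_DIGITS)

def bank_verify(secret: bytes, challenge: dict, submitted_tan: str) -> bool:
    """Bank side: recompute the TAN for the challenge it issued and compare in
    constant time. A TAN made for different transfer data will not match."""
    expected = generator_tan(secret, encode_flicker(challenge))
    return hmac.compare_digest(expected, submitted_tan)

def run_exchange(secret: bytes, transfer: dict, nonce: bytes = b"") -> dict:
    """One transfer end to end: challenge -> generator -> user types TAN -> bank check."""
    challenge = issue_challenge(transfer, nonce)
    tan = generator_tan(secret, encode_flicker(challenge))
    return {"challenge": challenge, "tan": tan,
            "accepted": bank_verify(secret, challenge, tan)}

if __name__ == "__main__":
    transfer = {"iban": "DE00-CONSTRUCTED-0001", "amount_cents": 12345}  # constructed
    result = run_exchange(CARD_SECRET, transfer)
    print(result["tan"], result["accepted"])
    # The same TAN no longer verifies if the payee is swapped after the fact.
    tampered = dict(result["challenge"], iban="DE00-CONSTRUCTED-9999")
    print(bank_verify(CARD_SECRET, tampered, result["tan"]))
```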
