[Tinkerphones] OT: Banking in Germany (was: Strategies for sustainable phones)

Martin debacle at debian.org
Sun Sep 22 10:48:28 CEST 2019


On 2019-09-22 10:02, H. Nikolaus Schaller wrote:
> bank computer -> flicker(encrypt(random number + TAN + account information + transfer data)) -> sent to web browser screen -> optical sensor -> decrypt with some secret inside the generator -> display TAN -> user types the number into web form -> bank computer compares sent and received TAN
> 
> Which means the bank can (and must) already track that you are using the online account :)
> They already know the IP address of the web browser. They already know your bank account number.
> So there is no new information for the bank.

And if one doesn't want the bank to know the location, there is
Tor or VPN.

> What I don't know is how the encrypt/decrypt works. This apparently involves some personal information.
> Or does the generator read the chip inside your bank card? Then, this chip card encapsulates the secret and is unique.

I don't know the details, but it seems to be a standard
"HHD 1.4". Probably not an open standard, I fear. See
https://de.wikipedia.org/wiki/Transaktionsnummer and
https://www.kuketz-blog.de/online-banking-aber-sicher-das-chiptan-verfahren/
both in German. It seems that it's pretty secure compared to
e.g. using a smartphone with its billions of vulnerabilities.

> Well, some banks seem to no longer provide TAN (transaction numbers)
> neither by paper/card nor SMS. They require to have an App which is
> the connection to the original topic.

Yes, and some banks had SMS TANs for free, and suddenly you have to
pay, e.g. comdirect. This puts pressure on people towards their
proprietary apps for proprietary OSes. We are back in the 1990s,
when it was very hard to live without MS Windows.
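A simplified model of the challenge-response flow quoted above, added here as an illustration (it is not code from the thread and not the HHD 1.4 format); it assumes a per-card secret shared between chip and bank, and a TAN derived as an HMAC over the bank's challenge and the transfer data, which is what binds the TAN to one specific transfer:

```python
import hashlib
import hmac
import secrets


def derive_tan(card_secret: bytes, challenge: bytes, iban: str, amount_cents: int) -> str:
    """TAN as computed inside the generator/chip and re-computed by the bank.
    Recipient and amount are part of the MAC input, so the TAN only fits
    the transfer the bank actually challenged (constructed scheme)."""
    msg = challenge + iban.encode() + amount_cents.to_bytes(8, "big")
    digest = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    def __init__(self) -> None:
        self.cards = {}    # card id -> secret shared with the chip (constructed)
        self.pending = {}  # challenge -> transfer it was issued for

    def issue_card(self, card_id: str) -> bytes:
        self.cards[card_id] = secrets.token_bytes(32)  # lives in the chip card
        return self.cards[card_id]

    def start_transfer(self, card_id: str, iban: str, amount_cents: int) -> bytes:
        challenge = secrets.token_bytes(8)  # the "random number" in the flicker code
        self.pending[challenge] = (card_id, iban, amount_cents)
        return challenge

    def confirm(self, challenge: bytes, tan: str) -> bool:
        if challenge not in self.pending:
            return False  # unknown or already used challenge
        card_id, iban, amount = self.pending.pop(challenge)  # single use
        expected = derive_tan(self.cards[card_id], challenge, iban, amount)
        return hmac.compare_digest(expected, tan)


def demo() -> tuple:
    bank = Bank()
    secret = bank.issue_card("card-1")  # handed to the customer's chip card
    legit = ("DE00 CONSTRUCTED 0001", 1_250)
    # 1. honest transfer: generator and bank agree on the TAN
    ch = bank.start_transfer("card-1", *legit)
    tan = derive_tan(secret, ch, *legit)
    honest = bank.confirm(ch, tan)
    # 2. the same challenge/TAN presented a second time is rejected
    replay = bank.confirm(ch, tan)
    # 3. a TAN computed for the legitimate data does not authorize a
    #    transfer the bank challenged with a different recipient
    ch2 = bank.start_transfer("card-1", "DE00 CONSTRUCTED 0002", 1_250)
    mismatch = bank.confirm(ch2, derive_tan(secret, ch2, *legit))
    return honest, replay, mismatch
```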
