[Tinkerphones] OT: Banking in Germany
Benson Muite
benson_muite at emailplus.org
Sun Sep 22 11:01:58 CEST 2019
On 9/22/19 11:48 AM, Martin wrote:
> On 2019-09-22 10:02, H. Nikolaus Schaller wrote:
>> bank computer -> flicker(encrypt(random number + TAN + account information + transfer data)) -> sent to web browser screen -> optical sensor -> decrypt with some secret inside the generator -> display TAN -> user types the number into web form -> bank computer compares sent and received TAN
>>
>> Which means the bank can (and must) already track that you are using the online account :)
>> They already know the IP address of the web browser. They already know your bank account number.
>> So there is no new information for the bank.
> And if one doesn't want the bank to know the location, there is
> Tor or VPN.
>
>> What I don't know is how the encrypt/decrypt works. This apparently involves some personal information.
>> Or does the generator read the chip inside your bank card? Then, this chip card encapsulates the secret and is unique.
> I don't know the details, but it seems to be a standard
> "HHD 1.4". Probably not an open standard, I fear. See
> https://de.wikipedia.org/wiki/Transaktionsnummer and
> https://www.kuketz-blog.de/online-banking-aber-sicher-das-chiptan-verfahren/
> both in German. It seems that it's pretty secure compared to
> e.g. using a smartphone with its billions of vulnerabilities.
Might also take a look at the Estonian ID card system, which can also be used
for bank authentication:
https://github.com/open-eid
Similar systems are used in Latvia, Lithuania and Finland:
https://github.com/OpenSC/OpenSC/wiki/Estonian-eID-(EstEID)
https://github.com/OpenSC/OpenSC/wiki/Finnish-FINEID
https://github.com/eID-LV
It is possible to build an open device just for bank authentication with
these specifications.
>
>> Well, some banks seem to no longer provide TANs (transaction numbers),
>> neither by paper/card nor by SMS. They require you to have an app, which is
>> the connection to the original topic.
> Yes, and some banks had SMS TANs for free; suddenly you have to
> pay, e.g. comdirect. Which puts pressure on people towards their
> proprietary apps for proprietary OSes. We are back at the 1990s,
> when it was very hard to live without MS Windows.
> _______________________________________________
> Community mailing list
> Community at tinkerphones.org
> http://lists.goldelico.com/mailman/listinfo.cgi/community
> http://www.tinkerphones.org
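As an added illustration of the flow Nikolaus sketched above (constructed example code, not from the thread, any bank, or the HHD 1.4 specification; the HMAC-based TAN derivation, the transaction counter and the IBANs are assumptions), a simulation in which the TAN derived by the generator is bound to the transfer data shown on its display and is recomputed by the bank:

```python
import hmac
import hashlib
import secrets

# Constructed simulation of the chipTAN exchange sketched in the thread. The
# bank encodes the transfer into an optical challenge, the generator (holding
# the card's secret) derives a TAN bound to that challenge and shows the data
# so the user can compare it with what they intended, and the bank recomputes
# the TAN. Key handling and TAN derivation are assumptions, not HHD 1.4.

CARD_SECRET = b"constructed-card-secret-not-a-real-key"  # only the card and the bank hold it

def bank_build_challenge(recipient_iban: str, amount_cents: int) -> str:
    """Bank side: a fresh start code plus the transfer data the TAN must bind."""
    return f"{secrets.token_hex(4)}|{recipient_iban}|{amount_cents}"

def generator_compute_tan(challenge: str, card_secret: bytes, atc: int) -> tuple:
    """Generator side: decode the challenge, build the confirmation display, and
    derive a 6-digit TAN from the secret, the challenge and the card's transaction
    counter (ATC), so the same challenge never yields the same TAN twice."""
    _start, iban, cents = challenge.split("|")
    display = f"IBAN {iban} amount {int(cents) / 100:.2f} EUR"
    mac = hmac.new(card_secret, f"{challenge}|{atc}".encode(), hashlib.sha256).digest()
    return display, f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def bank_verify(challenge: str, submitted_tan: str, card_secret: bytes, atc: int) -> bool:
    """Bank side: recompute the TAN for the transfer it is about to execute and
    compare in constant time; a mismatch means the TAN belongs to other data."""
    expected = generator_compute_tan(challenge, card_secret, atc)[1]
    return hmac.compare_digest(expected, submitted_tan)

def tan_is_bound_to_transfer() -> bool:
    """A TAN issued for one transfer does not verify for a transfer with a
    different recipient, and does not verify again once the counter has moved."""
    legit = bank_build_challenge("DE00000000000000000000", 5000)  # constructed IBAN
    _, tan = generator_compute_tan(legit, CARD_SECRET, atc=7)
    other = legit.replace("DE00000000000000000000", "DE99999999999999999999")
    return (bank_verify(legit, tan, CARD_SECRET, 7)
            and not bank_verify(other, tan, CARD_SECRET, 7)
            and not bank_verify(legit, tan, CARD_SECRET, 8))

def user_can_spot_substitution(intended_iban: str, challenge: str) -> bool:
    """The generator display is the user's check that the data the bank encoded
    (possibly altered before it reached the bank) is the transfer they intended."""
    display, _ = generator_compute_tan(challenge, CARD_SECRET, atc=1)
    return intended_iban in display
```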