[Tinkerphones] OT: Banking in Germany (was: Strategies for sustainable phones)
Paul Boddie
paul at boddie.org.uk
Sun Sep 22 13:21:35 CEST 2019
On Saturday 21. September 2019 21.33.22 Xavi Drudis Ferran wrote:
> On Sat, Sep 21, 2019 at 07:22:22PM +0200, H. Nikolaus Schaller wrote:
> > > On 21.09.2019 at 19:14, Martin <debacle at debian.org> wrote:
> > >
> > >
> > > Note: I live in Germany and do not own a mobile phone. My bank
> > > uses the so-called "Sm@rt-TAN plus", where one inserts the bank
> > > card. It reads some flickering code from the screen and displays
> > > the TAN. It was less than 12 € in the electronics shop nearby.
It's an interesting but rather convoluted approach, almost sounding like a
distant relation of those "data watches" from thirty years ago or more.
Initially, when reading the above far too quickly, I just thought it was like
the system that at least one Swiss bank had (and probably still has) involving
a fairly basic smartcard reader with keypad and small LCD panel, into which a
specially issued card was inserted. The reader would then ask for a PIN and
some code from the online bank and then a response code would be given on the
panel to be typed into the banking interface.
This is rather more complicated than the system many Norwegian banks have used
which involves single-button, six-digit "RSA tokens" that just generate
numbers in a sequence. These tend to be incorporated into whatever
authentication mechanism each bank uses, but many of them now use a common
scheme called BankID that supports plain Web use: it used to be some dubious
Java application (not applet) that wanted to "check" your system, but now this
part is just JavaScript.
The BankID stuff is also available for phones, and I think this is a
combination of "app" and the use of a fundamental cellular technology for
storing the credentials, maybe in the SIM card or in a supposedly secure part
of the hardware. In principle, any phone supporting the basic cellular
technologies could support such mechanisms, but I don't know about the BankID
protocols.
(Country- and industry-specific protocols can be stupidly secretive or
restrictive, driven by some ambition to establish broader adoption elsewhere
and for the initiators to be able to make lots of money with their "winning
solution".)
> I do care about free and open, but I'd care even more in banking
> than other uses. I haven't researched this, but I've heard SMS
> security is long broken, and phones' physical security seems to me very
> weak.
SMS isn't secure, and I rather think that it is just assumed that the path
through the infrastructure will all be in the same data centre, from a server
in one rack to a server in another, and that the bad people won't be able to
find a way in. And let us not get started on unsigned, unencrypted e-mails
being fired around from institutions like banks...
[...]
> Pse. Mine is also a cooperative, but now it requires a mobile phone to
> operate. For many years it was enough with login and password, and for
> operations moving money, a printed code card (a small One-Time-Pad,
> which I left at home).
Printed cards were a feature of Norwegian banks before the code generator
tokens were introduced. They aren't a bad solution, but I guess the logistics
of having to print them and send them out are a hassle and an expense for the
banks.
[...]
> I mean being a cooperative is not immediately a silver bullet (but maybe
> the rest of banks are even worse).
I think the banking sectors in most countries still have a lot of skeletons in
their closets, despite having supposedly been reformed, audited, "stress-tested"
and so on.
Paul
P.S. Restrictive and unnecessarily complicated mechanisms for authentication
would undermine Bunnie's Betrusted concept which seeks to avoid security
problems with general-purpose devices:
https://betrusted.io/
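As an added illustration that is not part of this thread: the single-button, six-digit tokens discussed above are, I assume, event-based one-time-password generators in the style of RFC 4226 HOTP (the message does not say which algorithm the Norwegian tokens actually use). The bank-side detail worth seeing is the bounded look-ahead window, which resynchronises after button presses that never reached the bank while refusing any code already consumed; the secret below is the RFC 4226 test-vector key, constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 Appendix D test-vector key (20 ASCII bytes).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one single-button (event-based) token.

    A press that never reaches the bank still advances the token's own
    counter, so the verifier accepts codes up to `window` steps ahead of
    the expected counter and then resynchronises. It never accepts a
    counter it has already consumed, which is what makes each code
    usable exactly once."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value expected from the token

    def verify(self, code: str) -> bool:
        for step in range(self.window + 1):
            candidate = self.counter + step
            # Constant-time comparison so code checking leaks no timing.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # resync past the used value
                return True
        return False
```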