[Tinkerphones] OT: Banking in Germany (was: Strategies for sustainable phones)

Martin Jansa martin.jansa at gmail.com
Sun Sep 22 13:26:02 CEST 2019

In the Czech Republic one of the banks I'm using used to have a mandatory
certificate (password protected) used to log in to internet banking and
re-verified when doing the transactions, together with SMS TANs for free.

So you had to carry your certificate with you in some secure storage (or
always do it from the same PC at home). I understand why some people who
don't care so much about security weren't happy with this and wanted
something easier or more comfortable for them e.g. when traveling often.

But what the bank did really makes me angry: instead of adding an opt-in
(or even default) option to use their app on a smartphone, they are removing
the support for certificate authentication (you won't be able to extend the
certificate in internet banking after your current one expires, so all
users will stop using it in less than a year).

So you have 2 options:
1) use the smartphone app to confirm the login from the PC as well (instead of
SMS TANs), promoted as the new greatest and most comfortable way of doing things
2) replace your certificate with just username/password and confirmation
with SMS TANs, promoted as a deprecated option for old people without
smartphones (who knows whether this will stay available and free)

Why do they have to take the certificate authentication + SMS TANs option
away? They clearly had the system for certificate renewal in place and it
was working fine.

I really like the SMS TANs as a 2nd channel when doing the transactions.
Having the certificate in an encrypted partition was another obstacle for
someone trying to impersonate me.

Even for online payments with a credit card I would like to make the SMS TANs
mandatory, but my bank doesn't enforce it (I understand that this is a more
complicated requirement, because the bank gateway needs to support that, and
especially foreign companies use gateways which don't support that at all).
But how is it possible that e.g. Amazon is able to do transactions on a
debit card without even requiring the CVV? That should be easy for the
bank to enforce. Amazon automatically saving the used card (for future
transactions) is another insane feature: you can delete the card afterwards,
but your card is only as secure as your username/password on Amazon once you
forget to delete it after payment.

Well, maybe we're too security sensitive; I've seen many people either using
the smartphone app or internet banking in a browser on the same phone where
they receive SMS TANs, so once the device is compromised the attacker has
all the information needed, and it was often on some cheap Android phone
where all the updates stopped a couple of years ago. When I tried to explain
how dangerous that is, they didn't really listen/care.

Another interesting vector is that e.g. this bank still accepts paper
payment orders you can just throw in the box in the bank. The amount of
money you can transfer that way (without someone confirming your ID) is
limited, but still to a much bigger sum than what I believe most people set
as the limit on the credit/debit cards they carry with them. And this is
secured only with your signature; again, many people use the same
signature everywhere and don't know that it's better to add some kind of
password to the signature used in the bank.

I don't really like where this is all going; soon we might start stuffing
the cash back into pillows for better sleep :). Maybe it's another way to
promote spending: without any savings in the bank, people won't need to think
about how secure that is.


On Sun, Sep 22, 2019 at 10:48 AM Martin <debacle at debian.org> wrote:

> On 2019-09-22 10:02, H. Nikolaus Schaller wrote:
> > bank computer -> flicker(encrypt(random number + TAN + account
> > information + transfer data)) -> sent to web browser screen -> optical
> > sensor -> decrypt with some secret inside the generator -> display TAN ->
> > user types the number into web form -> bank computer compares sent and
> > received TAN
> >
> > Which means the bank can (and must) already track that you are using the
> > online account :)
> > They already know the IP address of the web browser. They already know
> > your bank account number.
> > So there is no new information for the bank.
> And if one doesn't want the bank to know the location, there is
> Tor or VPN.
> > What I don't know is how the encrypt/decrypt works. This apparently
> > involves some personal information.
> > Or does the generator read the chip inside your bank card? Then, this
> > chip card encapsulates the secret and is unique.
> I don't know the details, but it seems to be a standard
> "HHD 1.4". Probably not an open standard, I fear. See
> https://de.wikipedia.org/wiki/Transaktionsnummer and
> https://www.kuketz-blog.de/online-banking-aber-sicher-das-chiptan-verfahren/
> both in German. It seems that it's pretty secure compared to
> e.g. using a smartphone with its billions of vulnerabilities.
> > Well, some banks seem to no longer provide TANs (transaction numbers)
> > either by paper/card or SMS. They require you to have an app, which is
> > the connection to the original topic.
> Yes, and some banks had SMS TANs for free; suddenly you have to
> pay, e.g. comdirect. Which puts pressure on people towards their
> proprietary apps for proprietary OSes. We are back in the 1990s,
> when it was very hard to live without MS Windows.