Thanks for your feedback!

Bernhard E. Reiter <bernh...@fsfe.org> writes:

>> First, am I the only one who was caught unawares by this situation?
>
> at least it did not hit me, as my bank can do business without app,
> they offered a small photoTAN device and still allow mobileTAN
> via SMS as second factor.

A dedicated device is a good option, IMO. But I find it most interesting that you still have SMS as an option.

My bank (and others) used to offer the same service, SMS-based second factor. But now, representatives of every bank I talked to claim that the EU directive and/or the protocol used by credit card companies (3-D Secure, if I'm not mistaken; there are several marketing terms for the same thing) require use of something stronger, i.e. an app. It's possible that it's not actually true; representatives that answer phones and read emails only say what they are told to say and are unable to discuss any details.

I see two options here:

- The representatives are correct and some banks (like yours, Bernhard) are simply slow to make the transition from SMS-based second factor. I know that some merchants are slow, e.g. I can still use PayPal via SMS for that reason. If this is the case, it's only a question of time before all banks fall in line.

- Alternatively, it's not true, it's just that the banks here are pushing hard for everyone to switch to apps, using the EU directive as an excuse. I don't know what the incentive for that would be, though. I mean, banks don't change infrastructure for no good reason. And besides, they seem to have worked pretty hard to make the January 1st deadline.

Either case seems pretty bad to me; the only difference is that the first case is EU-wide while the second is more local.

I wrote to this list because, given what I was told, it seemed to me that it's an EU-wide issue. If it is not, it would be interesting to find out why.

>> Second, does anyone know a bank that is usable with Free Software only
>> and will serve international customers?
>
> It would be good to know in which country of residence you are.

Oh, it's no secret, I'm from Slovenia. I should have noted that fact, given that my question is tied to it, I just forgot. Sorry.

> Some general advice (which you probably have tried as well):
> * Some banks do not know which standard they are actually using,
> maybe some offer something a general app from f-droid.org can do.

Which standard are you referring to? I know of no bank that would offer an open API to access their services.

Spurred by your suggestion, I searched f-droid once more, and I do see Bankdroid there. Apparently, Swedish banks do offer some limited API, but it doesn't seem to go beyond showing the balance of your account. Am I missing something that will work with 3-D Secure?

> * The Aurora Store app from f-droid.org can help to download
> apks from the play-store without account. This can be helpful
> in some cases.

Very true. In the case of my (now former) bank, though, the app downloaded using Aurora refused to work even on a stock Samsung, not rooted or anything. It just wasn't linked to a Google account. Which is probably related to your last point ...

> * Safety net maybe required by some apps (though this does not
> make that much sense, https://www.xda-developers.com/how-to-use-magisk/
> can hide that a phone is rooted to try to get make that check
> (However that did not work last time I've tried.)

If my information is current, Magisk and microG don't give you a working SafetyNet at this time. And I wouldn't want to rely on it for banking anyway because SafetyNet is an arms race so it's bound to break every once in a while.

There's also the little issue that DroidGuard needs some proprietary software; it probably pales in comparison to a bank's app itself and the drivers needed to make a phone work, but still ...

Thanks,
Jure
_______________________________________________
Discussion mailing list
Discussion@lists.fsfe.org
https://lists.fsfe.org/mailman/listinfo/discussion

This mailing list is covered by the FSFE's Code of Conduct. All
participants are kindly asked to be excellent to each other:
https://fsfe.org/about/codeofconduct