On Thu, Feb 22, 2024 at 07:35:24PM +0100, Florian Snow wrote:
> I'm curious to hear what you think about this topic. What's your
> experience with your bank? How do you do your banking? Is there an
> important angle that I missed? I appreciate any feedback.
I have to interact with many different banks in several different countries (in the EU/EEA and outside) as part of my job, and also a few in my private life. Up to recently, the working systems were, depending on the bank:

* Get a nonce/TAN by SMS
* Mostly for USA banks: bog-standard TOTP (they call that "Google Authenticator", but FreeOTP+ or Aegis work perfectly well).
* Some kind of hardware token. Some tokens are "push a button and get a code", some are "enter a PIN code and get a code", some are "scan this color QR-like code" and that generates a code, some use (ABN AMRO Netherlands) one's debit card and a reader where one inputs a code + PIN code of the card, others (Germany Sparkasse) one scans something on the screen with the debit card inserted but one does not enter the card's PIN code. I basically have a big collection of hardware tokens of different kinds in a big pot that I kept in a safe, and I take the pot out when I need to interact with such a bank.
* The main Luxembourg retail / commercial banks "standardise" on the Luxembourg scheme called "LuxTrust".

Over the last 1-2 years, some banks have indeed started to offer "mobile app only" and to refuse to issue hardware tokens or deactivate already issued hardware tokens, respectively. When I explain that I don't have a Google or Apple account to access these stores, the solution for big amounts in the higher-end business/private banks is... to send instructions by email. I kid you not. One (Luxembourg) bank said the CSSF (the bank regulator) was forcing them to retire hardware tokens in favour of mobile app because that is "more secure". So I do my orders by email and by phone... like that is even more secure, yeah. The banks of the group in other countries still happily use hardware tokens.

Now, LuxTrust used to be available with a simple push-button hardware token, and officially still is.
*But* the banks started announcing they would not allow logins with the token, and push for the Luxtrust mobile app, which uses the same certificate under the hood (the certificate is held by the Luxtrust company "on the cloud", so in reality one authenticates to LuxTrust and LuxTrust issues a signature with "your" certificate... which means that technically they are 100% able to fake your signature, and that is a LEGALLY BINDING SIGNATURE for contracts, according to the EU digital signatures directive, etc. How scary is that?). After pushing back, it turns out one can purchase for 105 EUR a hardware device with a camera that scans a code on screen.

Luxtrust is also available through a real smartcard. The driver for that smartcard, and also the local webserver (I kid you not) necessary to use it on websites, is available only for GNU/Linux amd64 (and Microsoft Windows and Mac OS X). The driver is a hacked version of the Gemalto driver (the smartcard is a Gemalto one); that hacked version cannot be installed concurrently with other variants of the same driver, so that you can either use the Luxtrust smartcard on an OS install OR other Gemalto smartcards, but not both.

I had started, more years ago than I care to count, adding support to OpenSC. I got the authentication key working but not the signature key, because then the commands need to be authenticated to the smartcard; that was in principle not a big problem, I had the right password, I just needed to implement the protocol, but never got around to it, and I never succeeded in getting my patches merged into OpenSC due to some idiosyncrasies of the smartcard protocol, which was nearly, but not quite, standard. This exercise allowed me to realise one thing: authentication to a bank or government website uses the SIGNATURE KEY for authentication. Again, I kid you not.
Basically, on a crypto level, it looks like any bank or government website (or generally any website to which one authenticates with a Luxtrust smartcard) can MAKE YOU CRYPTOGRAPHICALLY SIGN ANY LEGAL DOCUMENT without your consent, since usually authentication is made by signing a nonce... replace the nonce by the hash of contract, and you have just signed that contract with a qualified signature. Big facepalm...
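The nonce-versus-document-hash problem described in the post above, as an added example that is not from the original message, from LuxTrust or from OpenSC: a constructed Go demo in which a single Ed25519 key pair signs both login challenges and documents. The `login-challenge/v1:` context tag, the sample contract text and the function names are assumptions; the demo shows that a login which signs the raw challenge also verifies as a document signature when the challenge is a contract hash, while a domain-separated challenge does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical domain-separation tag: every login signature covers this
// prefix, so it can never be a valid signature over a bare document hash.
const authContext = "login-challenge/v1:"

// signRawChallenge models the naive login flow: the card signs whatever
// bytes the website sends as the "nonce".
func signRawChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// verifyDocumentSignature is what a relying party checks for a signed
// document: a signature over the document's SHA-256 hash.
func verifyDocumentSignature(pub ed25519.PublicKey, document, sig []byte) bool {
	h := sha256.Sum256(document)
	return ed25519.Verify(pub, h[:], sig)
}

// signAuthChallenge is the hardened login flow: the context tag is bound
// into the signed message, separating login signatures from document ones.
func signAuthChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(authContext), challenge...))
}

func verifyAuthChallenge(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(authContext), challenge...), sig)
}

// demo returns (naiveLoginVerifiesAsDocument, hardenedLoginVerifiesAsDocument,
// hardenedLoginVerifiesAsLogin) for a website that sends a contract hash as
// the login challenge. Constructed sample data, one key for both purposes.
func demo() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	contract := []byte("constructed sample contract: buyer agrees to pay 1000 EUR")
	h := sha256.Sum256(contract) // the "nonce" the dishonest site sends
	naive := signRawChallenge(priv, h[:])
	hardened := signAuthChallenge(priv, h[:])
	return verifyDocumentSignature(pub, contract, naive),
		verifyDocumentSignature(pub, contract, hardened),
		verifyAuthChallenge(pub, h[:], hardened)
}

func main() {
	a, b, c := demo()
	fmt.Println(a, b, c) // true false true
}
```

The stronger fix is the one the post implies: a separate authentication key that is never certified for qualified signatures, with domain separation as defence in depth.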