Hi everyone,
Thank you Florian for starting that discussion and thank you Nico for
pointing it out on the Dutch list.
Since I wasn't subscribed to this list when the discussion started, I
hacked together this reply from the list's archive. Hopefully, it will
preserve the threading and such ...
On 27-02-2024 18:32, André Ockers wrote:
> If you are in the Netherlands and want to avoid proprietary bank apps, then
> you have the following options for logging in to public banks:
> - ING: scanner device
> - Rabo: scanner device
> - Volksbank:
>   - ASN: browsercode
>   - Regiobank: browsercode (phases out digipas device)
>   - SNS: browsercode (phases out digipas device)
ASN is also going to phase out the hardware token generator (Digipas).
The remaining options will then be authentication through the app or
browsercode.
Browsercode
I don't know much about the technical implications, but I have been told
by ASN Bank it is essentially a long-living cookie in your browser,
which requires some second factor to set up. That second factor could be
either the app or your registered phone number.
I have a long standing habit of cleaning all my cookies when a tab or
window is closed. That would require me to re-authenticate the
browsercode every time. But more important, I believe, is the security
regarding that browsercode. Once authenticated and living on in your
browser's cache, a security flaw in the browser could give a malicious
site / app access to that browsercode. I'm not sure what measures have
been implemented to prevent that, but it sure doesn't sound very reassuring.
ASN Bank suggested making use of a different browser (profile) for
banking only. That way I wouldn't need to re-authenticate every time. I
don't think that's a workable solution. For one, I would need to use
that setup on every device I intend to access my bank account on
(desktop, laptop(s), etc.).
App
ASN Bank recently introduced a new banking app. As with the previous app
and as mentioned here for other banks, the app is only made available
through the duopoly's app stores. Both worked on my device running
LineageOS with MicroG without any warnings or issues.
However, the new app has, in my opinion, such a deteriorated UI/UX that
I decided to no longer make use of it. That leaves me with the Digipas
or browsercode and soon only browsercode (or nothing, see above).
Phone number
I also dislike having to register my phone number for more and more
services. Soon getting hold of a person's registered phone number will
increase the attack vector towards that person. The Dutch government's
authentication tool DigiD suffers from the same defects. It's either
app, which is only available through the duopoly, or registering a phone
number to receive authentication codes by way of SMS - a rather insecure
medium.
Cheers,
Sandro
_______________________________________________
Discussion mailing list
Discussion@lists.fsfe.org
https://lists.fsfe.org/mailman/listinfo/discussion
This mailing list is covered by the FSFE's Code of Conduct. All
participants are kindly asked to be excellent to each other:
https://fsfe.org/about/codeofconduct