[SPAM] Re: Is there a bank that is usable with a Google-free phone?

Xavi Drudis Ferran xdrudis at tinet.cat
Mon Mar 22 11:58:42 UTC 2021


El Fri, Mar 19, 2021 at 09:33:09AM -0400, fsfe at centromere.net deia:
> 
> I recommend the following:
> 
> 1. Physically visit the bank, look the teller in the eye, and complain
> vociferously (yet respectfully),
> 2. Use cash while you still can,
> 3. Build a strong community who understands what's at stake,
> 4. Shop locally, and
> 5. Pray.
>

Yes, even 2FA with SMS requires you to have a phone and a contract
with a telco.  What was so wrong about that system they used before of
a code card that the bank gave the customer and then a code at a
different coordinate was used for each transaction? Make it bigger (a
booklet), or add manual pseudosteganography or pseudocrypto and be
done with it.

Now they move it to a device that hasn't physical security (because
people carry it around with them when they go around, so it's easily
lost or stolen), hasn't logical security (because phones are jailed
and people install all sorts of dubious apps, and it's all proprietary
stuff most often) and has no network security (because SMS, when they
use that, have been broken, and because SIMs are stolen with just
social engineering).

Whatever is used for 2FA should be practical to leave at home (you
don't need to bank on the go, not always, anyway), something you can
use with no matter what device or network (public library if you don't
have internet at home) and as simple as possible to avoid
vulnerabilities. If they want to replace the code card (or code
booklet) with a small device, ideally something like Precursor with
free software, that might be acceptable, but even that looks too
complex.

The whole idea of credit cards where you need to give your credentials
to your counterpart and then keep watching if the charge is wrong to
revoke it (and the merchant keeps watching whether the payments
received are revoked) is backwards. The seller should give you an
invoice with bank details and amount due and you should start a transfer
with your bank. Or better yet, something like GNU Taler. 

The Big Brother risks will be there anyway with any clearing house, be
it SEPA transfers, credit cards, GNU Taler or anything. Only cash can
avoid that, because cryptocoins create more problems than they solve,
even with banks competing so hard to create the most problems that
they may one day force me to reconsider it...  But to pretend to install
code in your systems or even have your phone number is just to erode
your privacy, not to secure anything.

And, Jure Varlec: no, I don't think yours was a rant. It's a very
reasonable complaint even if I can't help you about it, unfortunately.

