banking and Free Software

Lionel Élie Mamane lionel at mamane.lu
Tue Feb 27 11:51:26 UTC 2024


On Thu, Feb 22, 2024 at 07:35:24PM +0100, Florian Snow wrote:

> I'm curious to hear what you think about this topic. What's your
> experience with your bank? How do you do your banking? Is there an
> important angle that I missed? I appreciate any feedback.

I have to interact with many different banks in several different
countries (in the EU/EEA and outside) as part of my job, and also a
few in my private life. Until recently, the working systems were,
depending on the bank:

 * Get a nonce/TAN by SMS

 * Mostly for USA banks: bog-standard TOTP (they call that "Google
   Authenticator", but FreeOTP+ or Aegis work perfectly well).

 * Some kind of hardware token. Some tokens are "push a button and get
   a code", some are "enter a PIN code and get a code", some are "scan
   this color QR-like code" and that generates a code, some use (ABN
   AMRO Netherlands) one's debit card and a reader where one inputs a
   code + PIN code of the card, others (Germany Sparkasse) one scans
   something on the screen with the debit card inserted but one does
   not enter the card's PIN code.

   I basically have a big collection of hardware tokens of different
   kinds in a big pot that I kept in a safe, and I take the pot out
   when I need to interact with such a bank.

 * The main Luxembourg retail / commercial banks "standardise" on the
   Luxembourg scheme called "LuxTrust".

Over the last 1-2 years, some banks have indeed started to offer
"mobile app only" and to refuse to issue hardware tokens or deactivate
already issued hardware tokens, respectively. When I explain that I
don't have a Google or Apple account to access these stores, the
solution for big amounts in the higher-end business/private banks
is... to send instructions by email. I kid you not.

One (Luxembourg) bank said the CSSF (the bank regulator) was forcing
them to retire hardware tokens in favour of a mobile app because that is
"more secure". So I do my orders by email and by phone... like that is
even more secure, yeah. The banks of the group in other countries
still happily use hardware tokens.

Now, LuxTrust used to be available with a simple push-button hardware
token, and officially still is. *But* the banks started announcing
they would not allow logins with the token, and push for the Luxtrust
mobile app, which uses the same certificate under the hood (the
certificate is held by the Luxtrust company "on the cloud", so in
reality one authenticates to LuxTrust and LuxTrust issues a signature
with "your" certificate... which means that technically they are 100%
able to fake your signature, and that is a LEGALLY BINDING SIGNATURE
for contracts, according to the EU digital signatures directive,
etc. How scary is that?). After pushing back, it turns out one can
purchase, for 105 EUR, a hardware token with a camera that scans a code
on screen.

Luxtrust is also available through a real smartcard. The driver for
that smartcard, and also the local webserver (I kid you not) necessary
to use it on websites is available only for GNU/Linux amd64 (and
Microsoft Windows and Mac OS X). The driver is a hacked version of the
Gemalto driver (the smartcard is a Gemalto one); that hacked version
cannot be installed concurrently with other variants of the same
driver, so that you can either use Luxtrust smartcard on an OS install
OR other Gemalto smartcards, but not both.

I had started, more years ago than I care to count, adding support to
OpenSC. I got the authentication key working but not the signature
key, because for that the commands need to be authenticated to the
smartcard; that was in principle not a big problem, I had the right
password, I just needed to implement the protocol, but I never got
around to it, and I never succeeded in getting my patches merged into
OpenSC due to some idiosyncrasies of the smartcard protocol, which was
nearly, but not quite, standard.

This exercise allowed me to realise one thing: authentication to a
bank or government website uses the SIGNATURE KEY for
authentication. Again, I kid you not. Basically, on a crypto level,
it looks like any bank or government website (or generally any website
to which one authenticates with a Luxtrust smartcard) can MAKE YOU
CRYPTOGRAPHICALLY SIGN ANY LEGAL DOCUMENT without your consent, since
usually authentication is done by signing a nonce... replace the nonce
by the hash of the contract, and you have just signed that contract with a
qualified signature. Big facepalm...

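The nonce substitution described in the last paragraph of the message above, as an added example that is not part of the original post and not LuxTrust's, Gemalto's or OpenSC's code. It models a hypothetical card holding two RSA keys (a qualified-signature key and an authentication key) that, like a real card, never sees the document: the host hands it a 32-byte SHA-256 digest and gets back a PKCS#1 v1.5 signature. A malicious website sends the hash of a contract as its login "challenge"; when the host routes the challenge to the signature key, the login response verifies, byte for byte, as a qualified signature on the contract. The card interface, key names, challenge protocol and contract text are all constructed for the demonstration; the real card's APDU layer is not modelled.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Card is a hypothetical model of a signing smartcard with two RSA keys.
// It signs whatever 32-byte digest the host supplies; it cannot tell a
// random login nonce from the SHA-256 of a contract.
type Card struct {
	SigKey  *rsa.PrivateKey // qualified-signature key
	AuthKey *rsa.PrivateKey // dedicated authentication key
}

func NewCard() (*Card, error) {
	sigKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	authKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{SigKey: sigKey, AuthKey: authKey}, nil
}

// signDigest is the card-side primitive: PKCS#1 v1.5 over a host-supplied digest.
func signDigest(key *rsa.PrivateKey, digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
}

// SignDocument is the legitimate qualified-signature flow: hash, then sign.
func (c *Card) SignDocument(doc []byte) ([]byte, error) {
	d := sha256.Sum256(doc)
	return signDigest(c.SigKey, d[:])
}

// AuthenticateWithSigKey models the flawed deployment: the website's
// challenge goes straight to the signature key.
func (c *Card) AuthenticateWithSigKey(challenge []byte) ([]byte, error) {
	return signDigest(c.SigKey, challenge)
}

// AuthenticateWithAuthKey is the same operation on the dedicated auth key.
func (c *Card) AuthenticateWithAuthKey(challenge []byte) ([]byte, error) {
	return signDigest(c.AuthKey, challenge)
}

// VerifyDocumentSignature is what a relying party checks against the
// signature certificate's public key.
func VerifyDocumentSignature(pub *rsa.PublicKey, doc, sig []byte) bool {
	d := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// MaliciousChallenge is the server-side trick: the "nonce" is the SHA-256
// of a contract the server wants signed, indistinguishable from 32 random bytes.
func MaliciousChallenge(contract []byte) []byte {
	d := sha256.Sum256(contract)
	return d[:]
}

// Result records what one login against the malicious server yields.
type Result struct {
	ForgedWithSigKey         bool // login response verifies as a contract signature
	ForgedWithAuthKey        bool // same check with the dedicated auth key
	IdenticalToRealSignature bool // login response equals SignDocument(contract)
}

// Run performs the login with each key and checks the responses against
// the signature certificate. (Constructed contract text for the demo.)
func Run() (Result, error) {
	card, err := NewCard()
	if err != nil {
		return Result{}, err
	}
	contract := []byte("I, the cardholder, transfer 50 000 EUR to account XYZ.")
	challenge := MaliciousChallenge(contract)

	sigKeyResp, err := card.AuthenticateWithSigKey(challenge)
	if err != nil {
		return Result{}, err
	}
	authKeyResp, err := card.AuthenticateWithAuthKey(challenge)
	if err != nil {
		return Result{}, err
	}
	realSig, err := card.SignDocument(contract)
	if err != nil {
		return Result{}, err
	}
	pub := &card.SigKey.PublicKey
	return Result{
		ForgedWithSigKey:         VerifyDocumentSignature(pub, contract, sigKeyResp),
		ForgedWithAuthKey:        VerifyDocumentSignature(pub, contract, authKeyResp),
		IdenticalToRealSignature: bytes.Equal(sigKeyResp, realSig),
	}, nil
}

func main() {
	r, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The card has no way to fix this from its side, because it only ever sees a digest. The protection has to come from the host software choosing a key whose certificate is not a qualified-signature certificate (the authentication key the message says the card carries), or from never signing raw server-supplied bytes with a signing key whose certificate a relying party would accept on a contract.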

More information about the Discussion mailing list