banking and Free Software

Sandro lists at penguinpee.nl
Tue Mar 5 13:55:27 UTC 2024


Hi everyone,

Thank you Florian for starting that discussion and thank you Nico for 
pointing it out on the Dutch list.

Since I wasn't subscribed to this list when the discussion started, I 
hacked together this reply from the list's archive. Hopefully, it will 
preserve the threading and such ...

On 27-02-2024 18:32, André Ockers wrote:
> If you are in the Netherlands and want to avoid proprietary bank apps, then
> you have the following options for logging in to public banks:
> 
> - ING: scanner device
> - Rabo: scanner device
> - Volksbank:
>    - ASN: browsercode
>    - Regiobank: browsercode (phases out digipas device)
>    - SNS: browsercode (phases out digipas device)

ASN is also going to phase out the hardware token generator (Digipas). 
The remaining options will then be authentication through the app or 
browsercode.

Browsercode

I don't know much about the technical implications, but I have been told 
by ASN Bank it is essentially a long-lived cookie in your browser, 
which requires some second factor to set up. That second factor could be 
either the app or your registered phone number.

I have a long-standing habit of cleaning all my cookies when a tab or 
window is closed. That would require me to re-authenticate the 
browsercode every time. But more important, I believe, is the security 
regarding that browsercode. Once authenticated and living on in your 
browser's cache, a security flaw in the browser could give a malicious 
site / app access to that browsercode. I'm not sure what measures have 
been implemented to prevent that, but it sure doesn't sound very reassuring.

ASN Bank suggested making use of a different browser (profile) for 
banking only. That way I wouldn't need to re-authenticate every time. I 
don't think that's a workable solution. For one, I would need to use 
that setup on every device I intend to access my bank account on 
(desktop, laptop(s), etc.).

App

ASN Bank recently introduced a new banking app. As with the previous app 
and as mentioned here for other banks, the app is only made available 
through the duopoly's app stores. Both worked on my device running 
LineageOS with MicroG without any warnings or issues.

However, the new app has, in my opinion, such a deteriorated UI/UE that 
I decided to no longer make use of it. That leaves me with the Digipas 
or browsercode and soon only browsercode (or nothing, see above).

Phone number

I also dislike having to register my phone number for more and more 
services. Soon getting hold of a person's registered phone number will 
increase the attack vector towards that person. The Dutch government's 
authentication tool DigiD suffers from the same defects. It's either 
app, which is only available through the duopoly, or registering a phone 
number to receive authentication codes by way of SMS - a rather insecure 
medium.

Cheers,

Sandro


