banking and Free Software

Florian Snow floriansnow at fsfe.org
Thu Mar 7 09:38:19 UTC 2024


Hi Nico,

Thank you for those detailed thoughts.


Nico Rikken, 2024-02-25 13:30 +0100 (UTC+0100):
> And now with mobile apps being so abundant, it is assumed most people
> use the app. Some banks are eroding the online experience by removing
> features from the website and creating new features only in the app.
> This is something André is keeping track of in the Netherlands.

Yep, unfortunately what you're describing is part of a larger trend
that I also perceive as problematic.


> Regarding the security developments, in the Netherlands people are
> being robbed on the street where they are being forced to log into
> their app and transfer the maximum amount to an account of a money
> mule.

Well, while this is unfortunate, it's not something we can solve with
Free Software. It's a separate question.


> In 2021 the Dutch bank Knab started demanding users to switch to apps
> for authentication, removing support for the hardware identifiers.

I fear this will be the next step for many banks.


> As you mentioned, this is why TOTP isn't suitable, because there is
> no guarantee that the code is not copied. Solutions have to rely on
> an external copy-resistant chip/device that stores the material
> (could be a debit card) or rely on system on chips that have such
> features built in.

Well, at least currently, that is not what many banks do, though. They
implement this in software.


> In recent months I learned that methods of rooting now also come with
> methods to disguise the rooting to make sure that banking apps still
> function. It seems to be a cat and mouse game.

I think it is as long as the user controls the device. For devices
where the manufacturer takes great care that the user will never be in
control (as certain fruit-related vendors do), this is much less of a
cat and mouse game, unfortunately.


> To enable a Free Software banking app, it would be great if banks
> would provide an API. I don't think this is a realistic expectation.
> Banks want control over the user experience and the features provided
> by banks differ. Will banks trust users to use various applications
> to do their banking? I expect them to only support this if
> required by legislation.

I disagree here. The features are pretty uniform for at least the
basics and banks used to provide HBCI without problems for many years.


> Besides a Free Software app, the second best would be to run the
> banking application as much in Free Software as possible: in a
> web browser. Modern websites can leverage the power of web standards
> for integration including for authentication. It can be provided as a
> Progressive Web App (PWA), so the application itself is cached. All
> required interaction is defined by standards and it then becomes OS
> independent and can even run on new GNU/Linux smartphones.

Yes, I agree that this is the second best option, but it's quite a step
down. Just because you install non-free software through a browser,
doesn't make it any more free.

Happy hacking!
Florian

-- 
Florian Snow - Free Software Foundation Europe e.V.
Schönhauser Allee 6/7, 10119 Berlin, Germany
Registered at Amtsgericht Hamburg, VR 17030
Your support enables our work (fsfe.org/join)

