On 9/22/19 11:48 AM, Martin wrote:
On 2019-09-22 10:02, H. Nikolaus Schaller wrote:
bank computer -> flicker(encrypt(random number + TAN + account information + transfer data)) 
-> sent to web browser screen -> optical sensor -> decrypt with some secret inside the 
generator -> display TAN -> user types the number into web form -> bank computer compares 
sent and received TAN

Which means the bank can (and must) already track that you are using the online 
account :)
They already know the IP address of the web browser. They already know your 
bank account number.
So there is no new information for the bank.
And if one doesn't want the bank to know the location, there is
Tor or VPN.

What I don't know is how the encrypt/decrypt works. This apparently involves 
some personal information.
Or does the generator read the chip inside your bank card? Then, this chip card 
encapsulates the secret and is unique.
I don't know the details, but it seems to be a standard
"HHD 1.4". Probably not an open standard, I fear. See
https://de.wikipedia.org/wiki/Transaktionsnummer and
https://www.kuketz-blog.de/online-banking-aber-sicher-das-chiptan-verfahren/
both in German. It seems that it's pretty secure compared to
e.g. using a smartphone with its billions of vulnerabilities.

Might also take a look at the Estonian ID card system that can also be used for bank authentication:

https://github.com/open-eid


Similar systems are used in Latvia, Lithuania and Finland:

https://github.com/OpenSC/OpenSC/wiki/Estonian-eID-(EstEID)

https://github.com/OpenSC/OpenSC/wiki/Finnish-FINEID

https://github.com/eID-LV


It is possible to build an open device just for bank authentication with these specifications.


Well, some banks seem to no longer provide TANs (transaction numbers),
neither by paper/card nor SMS. They require you to have an app, which is
the connection to the original topic.
Yes, and some banks had SMS TANs for free, suddenly you have to
pay, e.g. comdirect. Which puts pressure on people towards their
proprietary apps for proprietary OSes. We are back at the 1990s,
when it was very hard to live without MS Windows.
_______________________________________________
Community mailing list
[email protected]
http://lists.goldelico.com/mailman/listinfo.cgi/community
http://www.tinkerphones.org