On Saturday 21. September 2019 21.33.22 Xavi Drudis Ferran wrote:
> On Sat, Sep 21, 2019 at 07:22:22PM +0200, H. Nikolaus Schaller wrote:
> > > On 21.09.2019 at 19:14 Martin <[email protected]> wrote:
> > > 
> > > Note: I live in Germany and do not own a mobile phone. My bank
> > > uses the so-called "Sm@rt-TAN plus", where one inserts the bank
> > > card. It reads some flickering code from the screen and displays
> > > the TAN. It was less than 12 € in the electronics shop nearby.
It's an interesting but rather convoluted approach, almost sounding like a
distant relation of those "data watches" from thirty years ago or more.
Initially, when reading the above far too quickly, I just thought it was like
the system that at least one Swiss bank had (and probably still has) involving
a fairly basic smartcard reader with keypad and small LCD panel, into which a
specially issued card was inserted. The reader would then ask for a PIN and
some code from the online bank, and then a response code would be given on the
panel to be typed into the banking interface.

This is rather more complicated than the system many Norwegian banks have used,
which involves single-button, six-digit "RSA tokens" that just generate numbers
in a sequence. These tend to be incorporated into whatever authentication
mechanism each bank uses, but many of them now use a common scheme called
BankID that supports plain Web use: it used to be some dubious Java application
(not applet) that wanted to "check" your system, but now this part is just
JavaScript.

The BankID stuff is also available for phones, and I think this is a
combination of "app" and the use of a fundamental cellular technology for
storing the credentials, maybe in the SIM card or in a supposedly secure part
of the hardware. In principle, any phone supporting the basic cellular
technologies could support such mechanisms, but I don't know about the BankID
protocols. (Country- and industry-specific protocols can be stupidly secretive
or restrictive, driven by some ambition to establish broader adoption elsewhere
and for the initiators to be able to make lots of money with their "winning
solution".)

> I do care about free and open, but I'd care even more in banking
> than other uses. I haven't researched this, but I've heard SMS
> security is long broken, and phones' physical security seems to me very
> weak.
SMS isn't secure, and I rather think that it is just assumed that the path
through the infrastructure will all be in the same data centre, from a server
in one rack to a server in another, and that the bad people won't be able to
find a way in. And let us not get started on unsigned, unencrypted e-mails
being fired around from institutions like banks...

[...]

> Pse. Mine is also a cooperative, but now it requires a mobile phone to
> operate. For many years a login and password were enough, and for
> operations moving money, a printed code card (a small One-Time-Pad,
> which I left at home).

Printed cards were a feature of Norwegian banks before the code generator
tokens were introduced. They aren't a bad solution, but I guess the logistics
of having to print them and send them out are a hassle and an expense for the
banks.

[...]

> I mean being a cooperative is not immediately a silver bullet (but maybe
> the rest of banks are even worse).

I think the banking sectors in most countries still have a lot of skeletons in
their closets, despite having supposedly been reformed, audited,
"stress-tested" and so on.

Paul

P.S. Restrictive and unnecessarily complicated mechanisms for authentication
would undermine Bunnie's Betrusted concept, which seeks to avoid security
problems with general-purpose devices:

https://betrusted.io/

_______________________________________________
Community mailing list
[email protected]
http://lists.goldelico.com/mailman/listinfo.cgi/community
http://www.tinkerphones.org
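Editor's note, added after the message above and not part of it: Paul's description of the single-button six-digit tokens that "just generate numbers in a sequence" is the event-based one-time-code model. The following example is not the poster's or any bank's code; it uses HOTP from RFC 4226 (the openly specified counter-based scheme, with the RFC's own test secret) because RSA SecurID tokens use a proprietary time-based algorithm that cannot be reproduced here. The `TokenVerifier` class, its look-ahead window of 10 and the `demo()` walkthrough are illustrative choices of this example. The server side shows the two points a practitioner cares about with such tokens: a code must never be accepted twice (replay), and a token whose button was pressed without the code being used drifts ahead of the bank's counter, so the verifier must search a bounded window and resynchronise.

```python
"""HOTP (RFC 4226) one-time codes, as produced by a counter-based token,
plus a server-side verifier with replay protection and a resync window.

Added example. The secret is the RFC 4226 Appendix D test secret
(ASCII "12345678901234567890"), constructed for the demo, not a real key.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret; constructed input for the demo.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP code for (secret, counter), zero-padded to `digits`."""
    # The moving factor is the counter as an 8-byte big-endian integer.
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: low 4 bits of the last byte pick a 4-byte window,
    # whose top bit is masked off to avoid signed/unsigned ambiguity.
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Bank side: remembers the last accepted counter for one token.

    A single-button token advances its counter on every press, including
    presses whose code never reaches the bank. The verifier therefore
    searches a small look-ahead window, and it never accepts a counter at
    or below the last accepted one, which is what blocks replay of a code
    that was already used.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # resynchronise to the token's counter
                return True
        return False


def demo() -> dict:
    """Walk through a token/bank exchange and return the outcomes."""
    verifier = TokenVerifier(TEST_SECRET)
    token_counter = 0
    results = {}

    # Normal login: token at counter 0 yields 755224 (RFC 4226 test vector).
    results["first_ok"] = verifier.verify(hotp(TEST_SECRET, token_counter))
    token_counter += 1

    # Someone who shoulder-surfed the first code replays it: must fail.
    results["replay_rejected"] = not verifier.verify(hotp(TEST_SECRET, 0))

    # User presses the button three times without logging in, then logs in.
    token_counter += 3  # token now at counter 4, bank still at 0
    results["drift_ok"] = verifier.verify(hotp(TEST_SECRET, token_counter))

    # Token far outside the window: rejected, needs an explicit resync.
    far_ahead = token_counter + 50
    results["too_far_rejected"] = not verifier.verify(hotp(TEST_SECRET, far_ahead))
    return results


if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(TEST_SECRET, counter))
    print(demo())
```

The look-ahead window is the trade-off the thread hints at: too small and users lock themselves out by idly pressing the button, too large and an attacker who knows nothing but the digit count gets more guesses per attempt, which is why real deployments also rate-limit failed codes.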
