Hello everyone,
This is a rant. Don't say I didn't warn you :). It's about EU Directive 2015/2366. This directive has been there for a while now, obviously. Yet it was only at the end of last December that it first came to my attention.
My bank notified me that, starting January 1st, I would only be able to make online purchases by confirming them in their smartphone app. They've given me *mere days* notice for something that had been cooking for 5 years. I've been without a fully functional credit card ever since.
If you read the Directive, there is relevant material in articles 97(1) and 4(30) which require "strong authentication" with at least two factors. Not bad, I'd say.
Except _all_ banks in my country of residence decided the second factor *must* be a smartphone and nothing else will do. I checked, I wrote to all of them. Oh, there is one that still offers a card reader, but when you try to open an account with them, it turns out they want you to install an app to do so, and that the card reader is being phased out. I think this may have to do with the processes that Visa and Mastercard put into place; it may well be that banks don't really have a choice in the matter, but I can only guess.
The problem is that you need an Apple or Google phone, you need an account with either company, and there's no way around that. I was especially angry because this came at a time when most physical stores (except for groceries) were closed here; ordering online was not a luxury, but necessity, and I was left (almost) without ability to do so.
There is a *single* bank that answered my query with some good news: their Android app doesn't require a Google account! You can actually download an APK from their web site, without going through the Play Store. Needless to say, I opened an account with them. I had to "augment" my Google-less LineageOS phone with microG because even their app relies on push notifications (which go through Google servers), but I was willing to make the compromise. Except ... confirming online payments doesn't really work. It turns out that the purpose behind supporting phones without Play Store is to support Huawei phones, no more, no less.
So I tried the N26 bank which many of you probably know. I know people who use their app successfully on LineageOS+microG. But it turned out that the identity verification process fails on my phone, so I can't open an account.
There are many reasons why I find the situation completely unacceptable, but let me just point out one. I find it incredible that an institution like a bank would require me, as their customer, to enter a relationship with some particular third party in order to use what is nowadays a basic service of the bank. And I mean *any* third party; that the required parties here are Google and Apple is merely the icing on the cake. Let me be clear: banks have other companies as contractors, they might as well outsource some stuff to Google. I don't care. I just don't want to enter a relationship with Google *myself* because that relationship is not subject to the same contracts and regulations as the relationship between a bank and its contractors.
Let me finish this, before it gets too long, with two questions.
First, am I the only one who was caught unawares by this situation? I mean, I admit that I don't read *every* single Free Software related piece of news, there's too much going on in our community for that. But I fancy myself far from clueless in these matters. Perhaps that's why it hurts more that I first heard about this not from some Free Software blog, but from my bank, and when it was already too late.
Second, does anyone know a bank that is usable with Free Software only and will serve international customers? N26 was my last hope. Well, not *quite* my last hope, I still hope to be able to fix microG so that these apps would work. That's what we Free Software developers do, right? Scratch our itches? It's just that I'm not an Android developer, and debugging an app that is not your own is not something this system was designed for, I think. Also, I'd rather vote with my wallet and support a bank that actually supports Free Software (if there is such a thing) than hack proprietary apps that are (in the name of security) actively hostile to such attempts.
Thanks for reading this far!
Jure
Hi,
Luxembourg banks use the local "LuxTrust" national scheme of authentication / signature. One of the solutions is a physical "token" that emits a numeric code that you enter as second factor. (Smartcards are another solution, and I had a draft patch for OpenSC somewhere sometime that allowed to use the authentication key, and plans to extend it to the signature key... never finished it up; also authentication uses the signature key!!! Duh.)
As to whether a Luxembourg bank would take a customer from your country (you do not say which that is), that is another question <shrug>
Best Regards,
Lionel
On Thu, 18 Mar 2021 20:37:23 +0100 Jure Varlec exzombie@fsfe.org wrote:
> First, am I the only one who was caught unawares by this situation? I mean, I admit that I don't read *every* single Free Software related piece of news, there's too much going on in our community for that. But I fancy myself far from clueless in these matters. Perhaps that's why it hurts more that I first heard about this not from some Free Software blog, but from my bank, and when it was already too late.
> Second, does anyone know a bank that is usable with Free Software only and will serve international customers? N26 was my last hope. Well, not *quite* my last hope, I still hope to be able to fix microG so that these apps would work. That's what we Free Software developers do, right? Scratch our itches? It's just that I'm not an Android developer, and debugging an app that is not your own is not something this system was designed for, I think. Also, I'd rather vote with my wallet and support a bank that actually supports Free Software (if there is such a thing) than hack proprietary apps that are (in the name of security) actively hostile to such attempts.
> Thanks for reading this far!
> Jure
The people who think they control the world want to move everyone to a "Central Bank Digital Currency" (CBDC) so that every transaction can be traced and taxed[0]. If you engage in wrongthink, your ability to buy and sell will be limited[1].
I recommend the following:
1. Physically visit the bank, look the teller in the eye, and complain vociferously (yet respectfully),
2. Use cash while you still can,
3. Build a strong community who understands what's at stake,
4. Shop locally, and
5. Pray.
Regards, Alex
[0] https://mobile.twitter.com/SwanBitcoin/status/1372859090943246340
[1] https://www.corbettreport.com/central-bank-digital-currencies-and-the-global...
On Fri, Mar 19, 2021 at 09:33:09AM -0400, fsfe@centromere.net said:
> I recommend the following:
> 1. Physically visit the bank, look the teller in the eye, and complain vociferously (yet respectfully),
> 2. Use cash while you still can,
> 3. Build a strong community who understands what's at stake,
> 4. Shop locally, and
> 5. Pray.
Yes, even 2FA with SMS requires you to have a phone and a contract with a telco. What was so wrong about the system they used before, a code card that the bank gave the customer, where a code at a different coordinate was used for each transaction? Make it bigger (a booklet), or add manual pseudo-steganography or pseudo-crypto and be done with it.
Now they move it to a device that has no physical security (because people carry it around with them when they go around, so it's easily lost or stolen), no logical security (because phones are jailed and people install all sorts of dubious apps, and it's all proprietary stuff most often) and no network security (because SMS, when they use that, has been broken, and because SIMs are stolen with just social engineering).
Whatever is used for 2FA should be practical to leave at home (you don't need to bank on the go, not always, anyway), something you can use with no matter what device or network (public library if you don't have internet at home) and as simple as possible to avoid vulnerabilities. If they want to replace the code card (or code booklet) with a small device, ideally something like Precursor with free software, that might be acceptable, but even that looks too complex.
The whole idea of credit cards where you need to give your credentials to your counterpart and then keep watching if the charge is wrong to revoke it (and the merchant keeps watching whether the payments received are revoked) is backwards. The seller should give you an invoice with bank details and amount due and you should start a transfer with your bank. Or better yet, something like GNU Taler.
The Big Brother risks will be there anyway with any clearing house, be it SEPA transfers, credit cards, GNU Taler or anything. Only cash can avoid that, because cryptocoins create more problems than they solve, even with banks competing so hard to create the most problems that they may one day force me to reconsider it... But to pretend to install code in your systems or even have your phone number is just to erode your privacy, not to secure anything.
And, Jure Varlec: no, I don't think yours was a rant. It's a very reasonable complaint even if I can't help you about it, unfortunately.
Hi Jure,
On Thursday 18 March 2021 20:37:23 Jure Varlec wrote:
> First, am I the only one who was caught unawares by this situation?
At least it did not hit me, as my bank can do business without an app; they offered a small photoTAN device and still allow mobileTAN via SMS as second factor.
> Second, does anyone know a bank that is usable with Free Software only and will serve international customers?
It would be good to know in which country of residence you are.
Some general advice (which you probably have tried as well):
* Some banks do not know which standard they are actually using; maybe some offer something a general app from f-droid.org can do.
* The Aurora Store app from f-droid.org can help to download APKs from the Play Store without an account. This can be helpful in some cases.
* SafetyNet may be required by some apps (though this does not make that much sense); https://www.xda-developers.com/how-to-use-magisk/ can hide that a phone is rooted to try to pass that check. (However, that did not work the last time I tried.)
Regards, Bernhard
Hi Jure,
Easybank.at still offers SMS TAN. However, I'm curious how long they'll "be allowed/willing" to keep it that way.
Regards, Peter
Thanks for your feedback!
Bernhard E. Reiter bernhard@fsfe.org writes:
> > First, am I the only one who was caught unawares by this situation?
> At least it did not hit me, as my bank can do business without an app; they offered a small photoTAN device and still allow mobileTAN via SMS as second factor.
A dedicated device is a good option, IMO. But I find it most interesting that you still have SMS as an option. My bank (and others) used to offer the same service, SMS-based second factor. But now, representatives of every bank I talked to claim that the EU directive and/or the protocol used by credit card companies (3-D Secure, if I'm not mistaken; there are several marketing terms for the same thing) require use of something stronger, i.e. an app.
It's possible that it's not actually true; representatives that answer phones and read emails only say what they are told to say and are unable to discuss any details. I see two options here:
- The representatives are correct and some banks (like yours, Bernhard) are simply slow to make the transition from SMS-based second factor. I know that some merchants are slow, e.g. I can still use PayPal via SMS for that reason. If this is the case, it's only a question of time before all banks fall in line.
- Alternatively, it's not true, it's just that the banks here are pushing hard for everyone to switch to apps, using the EU directive as an excuse. I don't know what the incentive for that would be, though. I mean, banks don't change infrastructure for no good reason. And besides, they seem to have worked pretty hard to make the January 1st deadline.
Either case seems pretty bad to me, the only difference is that the first case is EU-wide while the second is more local. I wrote to this list because, given what I was told, it seemed to me that it's an EU-wide issue. If it is not, it would be interesting to find out why.
> > Second, does anyone know a bank that is usable with Free Software only and will serve international customers?
> It would be good to know in which country of residence you are.
Oh, it's no secret, I'm from Slovenia. I should have noted that fact, given that my question is tied to it, I just forgot. Sorry.
> Some general advice (which you probably have tried as well):
> - Some banks do not know which standard they are actually using; maybe some offer something a general app from f-droid.org can do.
Which standard are you referring to? I know of no bank that would offer an open API to access their services. Spurred by your suggestion, I searched f-droid once more, and I do see Bankdroid there. Apparently, Swedish banks do offer some limited API, but it doesn't seem to go beyond showing the balance of your account. Am I missing something that will work with 3-D Secure?
> - The Aurora Store app from f-droid.org can help to download APKs from the Play Store without an account. This can be helpful in some cases.
Very true. In the case of my (now former) bank, though, the app downloaded using Aurora refused to work even on a stock Samsung, not rooted or anything. It just wasn't linked to a Google account. Which is probably related to your last point ...
> - SafetyNet may be required by some apps (though this does not make that much sense); https://www.xda-developers.com/how-to-use-magisk/ can hide that a phone is rooted to try to pass that check. (However, that did not work the last time I tried.)
If my information is current, Magisk and microG don't give you a working SafetyNet at this time. And I wouldn't want to rely on it for banking anyway because SafetyNet is an arms race so it's bound to break every once in a while. There's also the little issue that DroidGuard needs some proprietary software; it probably pales in comparison to a bank's app itself and the drivers needed to make a phone work, but still ...
Thanks, Jure
On Friday 19 March 2021 21:01:13 Jure Varlec wrote:
> A dedicated device is a good option, IMO.
Yes, this works fine.
> But I find it most interesting that you still have SMS as an option. My bank (and others) used to offer the same service, SMS-based second factor. But now, representatives of every bank I talked to claim that the EU directive and/or the protocol used by credit card companies (3-D Secure, if I'm not mistaken; there are several marketing terms for the same thing) require use of something stronger, i.e. an app.
We could try to check: Does the directive forbid SMS as second factor?
Some of the credit cards seem to go to the bank for an additional verification and some banks seem to be able to use what they always use.
> I'm from Slovenia. I should have noted that fact, given that my question is tied to it, I just forgot.
No problem. I just think it may allow some people to comment on the local conditions in your country (like having a recommendation).
> > Some general advice (which you probably have tried as well):
> > - Some banks do not know which standard they are actually using; maybe some offer something a general app from f-droid.org can do.
> Which standard are you referring to? I know of no bank that would offer an open API to access their services. Spurred by your suggestion, I searched f-droid once more, and I do see Bankdroid there. Apparently, Swedish banks do offer some limited API, but it doesn't seem to go beyond showing the balance of your account. Am I missing something that will work with 3-D Secure?
I was thinking that for a second factor banks could potentially use the standards for one-time passwords, like HOTP or TOTP. For a random example app, see https://f-droid.org/en/packages/org.cry.otp/ However, I don't know if there is any bank offering this. (If not, I'd be interested to know why.)
[Using the Aurora store on a non-google phone] (Thanks for correcting my typo, Andrea. :) )
> If my information is current, Magisk and microG don't give you a working SafetyNet at this time. And I wouldn't want to rely on it for banking anyway because SafetyNet is an arms race so it's bound to break every once in a while. There's also the little issue that DroidGuard needs some proprietary software; it probably pales in comparison to a bank's app itself and the drivers needed to make a phone work, but still ...
True, it is an arms race, but hey, an emulated computer is also a computer, and if it is mine, I should be able to run the software on it which pleases me. So the whole "tamper" protection is a two-edged sword at least.
Regards, Bernhard
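Bernhard's point above is that a bank's second factor could use the open one-time-password standards, HOTP (RFC 4226) and TOTP (RFC 6238), which any app or dedicated token can implement. The following is an added example, not code from this thread or from any bank or app mentioned in it: a generator and a bank-side verifier written in Python with only the standard library. The shared key is the secret from the RFC test vectors, chosen so the outputs can be checked against the RFC appendices; the look-ahead window of 5 and the drift window of 1 step are assumed values, not taken from any standard or bank.

```python
import hashlib
import hmac
import struct

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# used here so the outputs can be checked against the RFC appendices.
# A real token would hold a random key shared only with the bank.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 5, digits: int = 6):
    """Bank-side HOTP check with resynchronisation (RFC 4226 section 7.4).

    Tries the expected counter and a small look-ahead window (assumed size 5) so a
    token whose button was pressed a few times without use still works. Returns the
    counter the bank must store next, one past the accepted value, so the same code
    can never be accepted twice; returns None if the code is rejected.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        # compare_digest avoids leaking which digits matched through timing
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Bank-side TOTP check: accept the current step and `window` steps either side for clock drift."""
    current = int(unix_time) // step
    for c in range(max(current - window, 0), current + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Token side: counters 0..2 give the codes listed in RFC 4226 Appendix D.
    for counter in range(3):
        print(f"HOTP counter {counter}: {hotp(SECRET, counter)}")
    # Bank side: the code for counter 1 is accepted once, then refused as a replay.
    next_counter = verify_hotp(SECRET, hotp(SECRET, 1), server_counter=0)
    print("accepted, next counter:", next_counter)
    print("replay accepted?", verify_hotp(SECRET, hotp(SECRET, 1), server_counter=next_counter))
    print("TOTP at T=59 (8 digits):", totp(SECRET, 59, digits=8))
```

Nothing here needs a Google or Apple account or a network round trip: the token only needs the shared key, a counter or a clock, and HMAC, which is why a card-sized device or a Free Software app on any phone can produce the same codes. The bank side is where the security lives: the stored counter only moves forward, so an intercepted HOTP code is useless once used, and the drift window for TOTP is kept small because every extra step widens the set of codes an attacker could guess or replay.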
Hello Jure,
"P.B." pb@fsfe.org writes:
> Easybank.at still offers SMS TAN. However, I'm curious how long they'll "be allowed/willing" to keep it that way.
ING Bank offers SMS TAN or even a landline call, for those who don't want a "smartphone".
I also found their APK outside Google Play and the Apple Store: https://smart-banking.en.aptoide.com/app
I think the issue you raise is a real one. I hope associations can dig deeper and raise general awareness about it.
Best,
Hi Jure,
On Thu, Mar 18, 2021 at 08:37:23PM +0100, Jure Varlec wrote:
> Second, does anyone know a bank that is usable with Free Software only and will serve international customers?
I don't know about the latter part, but Deutsche Bank still offers HBCI with chip card. I use it with aqbanking and the smart card reader built into my laptop. aqbanking has command-line tools and can work with CSV files and the like, very useful for automation. I also think there's GnuCash integration, but I never used that.
They also offer online banking via web frontend using "photo TAN" which is a small dedicated reader device with a CCD camera that you use to scan a 2D barcode off their website.
Regards, Harald