Banks considered harmful
A future full of proprietary software, where one is forced to use it and has no right to use FLOSS (free libre open source software) instead, is the 1984 of the 21st century, and it is inevitable if we do not stand up against it.
By FLOSS I mean libre software, for example software under a license like the GPL.
I personally use libre software as much as possible: on the PC (a fully libre GNU/Linux distribution like Trisquel), on the mobile phone (Replicant OS) and on the router (LibreCMC).
But now the majority of banks in Slovakia are forcing their customers to install the bank's proprietary internet-banking token app on their private mobile phones.
This is getting very serious and dangerous, and it threatens personal freedoms and liberties.
I am convinced that the right to use only FLOSS (libre software) is a basic human right for everybody, and that forcing someone to use non-FLOSS should be made a criminal act.
Sadly, that is not in the Slovak constitution or law, nor in the constitution or law of any other country that I am aware of.
Some banks in Slovakia are forcing customers to use proprietary software for their internet-banking service. For authentication on the internet-banking website and for authorization of payment transactions, a proprietary software token app from the bank is necessary. Either you use it and stick to the bank's policy on how it can and cannot be used, or you cannot use the internet-banking service at all.
The bank also claims (in order to persuade customers to use the app) that SMS authentication/authorization is not strong authentication as defined by EU law. That is NOT TRUE! See the links: EU directives in Slovak language. EU law (PSD2, Directive (EU) 2015/2366, and the regulatory technical standards on strong customer authentication, Delegated Regulation (EU) 2018/389) defines strong customer authentication as the use of two or more independent elements from the categories knowledge, possession and inherence; it does not name technologies, and nowhere in it is a statement that can be interpreted as SMS authentication/authorization not being recognized as strong authentication. The one practical condition is that an SMS code can only serve as the possession element (the phone and its SIM), so it has to be combined with a second element such as a password, which is exactly how banks have used it for years.
The bank's proprietary software token app is available only through the Google, Apple or Huawei app stores, which means one has to create an account with Google, Apple or Huawei (and provide various personal data to them) just to be able to download the app in the first place. So in reality the bank is forcing the customer to hand personal data to Google, Apple or Huawei.
The bank provides no other way to obtain the software token app, such as downloading it directly from the bank's website.
Another issue is that this proprietary software token app is outside the user's control. It can be installed only on a device that is not rooted, that is, on a device that you cannot fully control yourself.
The bank's proprietary software token app is available only for Android or iOS, so you can install it only on a mobile phone.
The app requires access to GPS, the camera, the microphone and the storage of the whole device. None of these, except perhaps the camera for taking a picture, is needed for a software token to generate the code that is entered on the website for authentication or authorization. This gives a big opportunity to spy on the customer through the bank's app: where he is (GPS), what is around the device (camera and microphone), and what is stored on it (storage).
In Slovakia we have a saying: opportunity makes a thief. And that certainly is the case here.
Not to mention that anyone with an exploit for the bank's app would inherit those same unnecessary permissions right away, which is exactly why an app should request only the permissions it needs.
The bank is also putting the cost of a device on which its software token app can run onto the customer's shoulders. If you happen to use a phone with another operating system than non-rooted Android or iOS (or with an older, unsupported version of Android or iOS), you cannot install this app.
My proposed solutions:
From a security perspective, a token that is hardware, software or a hybrid of the two (for example a YubiKey as the hardware part with an accompanying FLOSS app), using an open authentication/authorization protocol implemented by FLOSS, seems to be the ideal solution. Such an open standard already exists: OCRA, the OATH Challenge-Response Algorithm (RFC 6287), in which the bank sends a challenge and the token returns a code computed with HMAC from the shared secret and that challenge, so the code is bound to the challenge (and, for a payment, to the transaction data in it) rather than being reusable. There are already a few providers that sell hardware tokens implementing OCRA: SOLIDPASS, PROTECTIMUS, FEITIAN. Sadly I have not found one Slovak bank that offers such a token.
From the hardware point of view, a free libre hardware token should be used, with libre software running on it.
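As an added illustration of how OCRA works (my code, not code from the original post or from any of the vendors named above), the following Go program implements the RFC 6287 computation for suites with a single challenge input and checks itself against the RFC's published test vector for OCRA-1:HOTP-SHA1-6:QN08 with the 20-byte test key "12345678901234567890". The suite strings, the challenges and the function names are my choices; the expected 6-digit responses come from RFC 6287, Appendix C.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"math"
	"math/big"
	"strconv"
	"strings"
)

// Suite is a parsed OCRASuite of the form OCRA-1:HOTP-<hash>-<digits>:Q<A|N><nn> (RFC 6287,
// section 6). The optional C, P, S and T data inputs and hex questions are not handled here.
type Suite struct {
	Hash    func() hash.Hash
	Digits  int  // 4..10 decimal digits of output
	QFormat byte // 'A' alphanumeric or 'N' numeric question
	QMaxLen int  // maximum question length, e.g. 8 for QN08
}

var hashes = map[string]func() hash.Hash{"SHA1": sha1.New, "SHA256": sha256.New}

func ParseSuite(s string) (*Suite, error) {
	parts := strings.Split(s, ":")
	if len(parts) != 3 || parts[0] != "OCRA-1" {
		return nil, fmt.Errorf("unsupported suite %q", s)
	}
	cf := strings.Split(parts[1], "-") // CryptoFunction, e.g. HOTP-SHA1-6
	if len(cf) != 3 || cf[0] != "HOTP" || hashes[cf[1]] == nil {
		return nil, fmt.Errorf("unsupported crypto function %q", parts[1])
	}
	digits, err := strconv.Atoi(cf[2])
	if err != nil || digits < 4 || digits > 10 {
		return nil, fmt.Errorf("unsupported digit count %q", cf[2])
	}
	q := parts[2] // DataInput, e.g. QN08
	if len(q) != 4 || q[0] != 'Q' || strings.IndexByte("AN", q[1]) < 0 {
		return nil, fmt.Errorf("unsupported data input %q (only a QA/QN input is handled)", q)
	}
	qMax, err := strconv.Atoi(q[2:])
	if err != nil || qMax < 4 || qMax > 64 {
		return nil, fmt.Errorf("bad question length in %q", q)
	}
	return &Suite{Hash: hashes[cf[1]], Digits: digits, QFormat: q[1], QMaxLen: qMax}, nil
}

// encodeQuestion follows the RFC 6287 reference code: the question becomes a hex string (the
// decimal value for N, the ASCII bytes for A), right-padded with '0' to exactly 128 bytes.
func encodeQuestion(st *Suite, q string) ([]byte, error) {
	if q == "" || len(q) > st.QMaxLen {
		return nil, fmt.Errorf("question length %d not in 1..%d", len(q), st.QMaxLen)
	}
	var h string
	switch st.QFormat {
	case 'N':
		n, ok := new(big.Int).SetString(q, 10)
		if !ok || n.Sign() < 0 {
			return nil, fmt.Errorf("question %q is not an unsigned decimal", q)
		}
		h = strings.ToUpper(n.Text(16))
	default:
		h = hex.EncodeToString([]byte(q))
	}
	return hex.DecodeString(h + strings.Repeat("0", 256-len(h)))
}

// Compute is the token side: HMAC-<hash> over DataInput = OCRASuite || 0x00 || Q, then the
// HOTP dynamic truncation of RFC 4226 to the suite's digit count.
func Compute(suite string, key []byte, question string) (string, error) {
	st, err := ParseSuite(suite)
	if err != nil {
		return "", err
	}
	q, err := encodeQuestion(st, question)
	if err != nil {
		return "", err
	}
	mac := hmac.New(st.Hash, key)
	mac.Write(append(append([]byte(suite), 0x00), q...))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := uint64(sum[off]&0x7f)<<24 | uint64(sum[off+1])<<16 | uint64(sum[off+2])<<8 | uint64(sum[off+3])
	return fmt.Sprintf("%0"+strconv.Itoa(st.Digits)+"d", code%uint64(math.Pow10(st.Digits))), nil
}

// Verify is the bank side: recompute for the challenge it issued and compare in constant time.
// The challenge must be single-use and, for a payment, derived from the transaction shown to
// the customer, so that a stolen response cannot authorize anything else.
func Verify(suite string, key []byte, question, response string) bool {
	want, err := Compute(suite, key, question)
	return err == nil && hmac.Equal([]byte(want), []byte(response))
}

func main() {
	key := []byte("12345678901234567890") // the 20-byte test key of RFC 6287 Appendix C
	code, _ := Compute("OCRA-1:HOTP-SHA1-6:QN08", key, "00000000")
	fmt.Println("response to challenge 00000000:", code, "(RFC 6287 test vector: 237653)")
}
```

The shared secret never leaves the token, the bank only ever sees a response that is valid for one challenge, and for a transaction the bank can put the amount and beneficiary into the challenge (a QA suite carries ASCII) so the token signs what the customer sees; none of that requires a particular operating system, a rooted-device check or any permission beyond computing an HMAC.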
Another, intermediate solution is to keep authentication/authorization via a code sent by encrypted SMS. The prerequisite is that the bank first receives a public key that the customer generated with his own FLOSS, ideally handed over in person by physically visiting the bank. The customer keeps the matching private key to decipher the encrypted SMS, which means nobody but the customer has the key to decipher it (a code intercepted on the mobile network, or delivered to a SIM obtained by fraud, is useless without the private key). The app needed to decipher the SMS has to be FLOSS and available without restrictions such as refusing to run on a rooted operating system. It should be available for all major mobile phone and PC operating systems (Windows, Mac, libre GNU/Linux distributions), much as web browsers are available for all major operating systems, libre ones included (examples: Trisquel, Replicant).
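To make the encrypted-SMS proposal concrete, here is an added example (my code, not the post's and not any bank's) of both sides of the exchange in Go: the customer generates an X25519 keypair, the bank encrypts each message with a fresh ephemeral key and AES-256-GCM, and the customer's app decrypts it. The primitives, the wire format, the label string in the key derivation and the sample message are all my assumptions. It also checks the practical constraint that the envelope fits in one 160-character SMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// overhead is the fixed envelope size: ephemeral X25519 public key, AES-GCM nonce, GCM tag.
const overhead = 32 + 12 + 16

// CustomerKeypair is run once by the customer on their own machine with FLOSS; only the
// public half is handed to the bank, the private half never leaves the customer's device.
func CustomerKeypair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// kdf derives the message key from the ECDH secret, bound to both public keys so that the
// key cannot be reused across customers or messages. The label is a constructed constant.
func kdf(shared, ephPub, custPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("encrypted-sms-otp-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(custPub)
	return h.Sum(nil)
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSMS is the bank side. Output, base64 encoded: ephPub(32) || nonce(12) || ciphertext || tag(16).
// The ephemeral public key is also the associated data, so it cannot be swapped without detection.
func EncryptSMS(custPub *ecdh.PublicKey, plaintext string) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	shared, err := eph.ECDH(custPub)
	if err != nil {
		return "", err
	}
	ephPub := eph.PublicKey().Bytes()
	g, err := aead(kdf(shared, ephPub, custPub.Bytes()))
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nil, nonce, []byte(plaintext), ephPub)
	out := append(append(append([]byte{}, ephPub...), nonce...), ct...)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptSMS is the customer side: the FLOSS app on whatever device holds the private key.
func DecryptSMS(priv *ecdh.PrivateKey, msg string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(msg)
	if err != nil || len(raw) < overhead {
		return "", errors.New("malformed message")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(raw[:32])
	if err != nil {
		return "", err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	g, err := aead(kdf(shared, raw[:32], priv.PublicKey().Bytes()))
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, raw[32:44], raw[44:], raw[:32])
	if err != nil {
		return "", errors.New("authentication failed: wrong key or tampered message")
	}
	return string(pt), nil
}

// FitsInOneSMS reports whether the envelope fits a single 160-character GSM message.
func FitsInOneSMS(msg string) bool { return len(msg) <= 160 }

func main() {
	priv, _ := CustomerKeypair()
	// Constructed sample text: the code plus what it authorizes, so the customer can check it.
	sms, _ := EncryptSMS(priv.PublicKey(), "OTP 482913: EUR 125.00 to account ending 4321")
	pt, err := DecryptSMS(priv, sms)
	fmt.Println(len(sms), "chars, fits one SMS:", FitsInOneSMS(sms), "->", pt, err)
}
```

With a 32-byte ephemeral key, a 12-byte nonce and a 16-byte tag, a single 160-character SMS holds at most 60 bytes of plaintext (160 base64 characters carry 120 bytes), which is enough for the code plus a short description of the transaction it authorizes. The plaintext should carry that description: encryption keeps the code confidential in transit and useless on a fraudulently obtained SIM, but it does not by itself bind the code to a particular payment.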
Conclusion: I realize that the proposed solution will have to be enforced by law; otherwise the banks will do as they please and keep forcing proprietary software on customers, as we see happening now.