    UBports Forum
    The banking situation

    Support
    • E
      Emphrath last edited by

      I reckon banking abilities are even more important than videochat. Despite all its flaws, UT has been my daily driver for a year now (guess I'm a recluse ^^) and I got over the flashlight not working and a couple of apps I miss. But banking... It's a pain I have to shift to my work phone to be able to do anything money-related and I ended up calling my bank to tell them they need to develop sth for UT. I think they're still laughing about it ^^ That's a real issue though. I'm starting to wonder if I'm gonna leave the bank I've been in for 15 yrs just because I need to find a bank that doesn't rely on 2FA... Yet. I guess with the Chinese and Russian move to a Sailfish fork, banks are gonna have to make Linux apps - but that won't mean much for us, sadly. I don't see this happening in the foreseeable future, and as long as people going for UT have to rely on another phone for such a critical matter, well, any progress otherwise is pretty much doomed, isn't it? I know the issue is also very much there with AOSP, but UBports is now a foundation, which I guess would make it easier for banks to build secure, dedicated apps, if they know who to talk to, and can relate to an actual store... Or maybe I have to accept the fact that half the people on this forum still have a bank account that allows transactions through web browsers and SMS codes and I need to find one!

      • dobey
        dobey @Emphrath last edited by

        What form of 2FA is required by your bank, that isn't usable with UT?

        • E
          Emphrath @dobey last edited by

          @dobey When I try to move money from my account to someone else, or buy sth online, or just check my bank account, the website will tell me I need to authenticate with my phone. That is, their banking app. I fire up the android app, and the login screen is automatically replaced by a prompt for my pin code. I type the code in, and only then the website acknowledges the transaction.

          • AppLee
            AppLee @Emphrath last edited by

            @emphrath
            2FA stands for 2 factor authentication.
            It could be an SMS sent to your phone, TOTP, HOTP or any other method.
            This second method of authentication is often used with the classic login password.

            IIRC, in Europe banks are forced to set 2FA or "strong" authentication to secure their customers' accounts. Some banks limit the second factor to HOTP or TOTP via their app.
            The best solution is to let the customer choose how they want to authenticate, but we need lobbying towards open solutions.

            Closed source apps are no proof of security and they are annoying for customers.
            Sadly there is not much that the foundation can do, but the UBports community can send a message to the banks for them to allow other options for their users.

            • dobey
              dobey @Emphrath last edited by

              @emphrath You have to type the PIN you use for the ATM to do that? 😕

              • Flohack
                Flohack @dobey last edited by

                @dobey No, basically the phone displays a code and you have to type it into the website. The app is very simple, probably even simpler than your Authenticator app 😉 but it runs in the Android secure execution environment, or with SafetyNet activated, and a bank would not compromise on having a UT app that cannot do this.

                I don't think any bank will put trust into UT at the moment. Anbox might or might not help, as apps might detect they are not being run on a secured device.

                • C
                  cliffcoggin last edited by

                  In England it is common to have a personal card reader, issued at no cost by the bank, to generate one time pass codes as the second factor for authorisation. Is that not available where you are?

                  SMS codes can be used as an alternative, but I refuse to use that system.

                  • D
                    domubpkm last edited by

                    It is more than likely that no bank will invest a penny in software or a secure authentication solution for UT: they are making investments that affect the masses, not minorities.

                    • Keneda
                      Keneda last edited by

                      I used to access my bank account with morph, and it worked well.
                      But for some months now, they have added a 2FA login with a code sent by SMS.
                      The problem is morph acting like I don't enter anything in the code field, resulting in failure due to "wrong code".

                      What can I do?

                      • D
                        domubpkm @Keneda last edited by domubpkm

                        @keneda On the other hand, I am quite surprised that the SMS authentication window doesn't work for you. Is the issue linked to your bank or specific to your MX4 smartphone? I don't have this problem on the BQ E5 HD.

                        Edit: If you haven't already done so, I advise you to disable uadblock completely to see if this solves the problem.

                        • T
                          tera @domubpkm last edited by tera

                          What @Emphrath describes sounds similar to recent requirements I got for Government Cloud related security access, where SMS is not acceptable anymore for 2FA: https://www.okta.com/resources/whitepaper/configuring-okta-for-fedramp-compliance/

                          Some colleagues mentioned banks will have to transition soon/one day 😞

                          Edit: see table at the top of the following page, SMS is considered "moderate" security: https://www.okta.com/resources/whitepaper/configuring-okta-for-fedramp-compliance/

                          • E
                            Emphrath @cliffcoggin last edited by

                            @cliffcoggin Well actually that's what I'm going for in the discussions with my bank now, but they seemed to imply something truly scornful like: "this is for old people" and also it seems it works only for checking your bank account. I'll look into other banks. @Flo This kind of secure environment surely can be replicated in UT, no?

                            • Fla
                              Fla last edited by Fla

                              I am facing a similar situation. I created an account in a bank and then received a letter asking me to download the HID Approve application on the Play Store or App Store.
                              I am then supposed to scan the QR code they send me to initiate the app, which will then give me a code each time I want to access my bank account.

                              Interestingly, they also gave me an ID, a code invitation and the "Service Address" which is taurus.pbgate.services:443/HIDCAF in case of "Manual synchronization".

                              Here is the content of the QR code btw: {"ver":"v4","url":"taurus.pbgate.services:443/HIDCAF","uid":"XXX","did":"XXX","dty":"DT_TDSV4","pch":"CH_TDSPROV","pth":"AT_TDSOOB","sec":"","pss":"XXXX"}

                              I searched a bit and found this GNOME app which proposes a lot (probably around 500) of providers (@Emphrath maybe yours is in). Unfortunately, no trace of my bank or "HID".

                              Still, as I have the information to connect to the server, I feel like something can be done from our side to solve this problem.

                              • E
                                Emphrath @Fla last edited by

                                @fla sadly, no QR code for me. Just the bloody app.

                                • D
                                  domubpkm @Fla last edited by

                                  @fla said in The banking situation:

                                  a lot (probably around 500) of providers

                                  Can you put the link of supported providers? I can't find it. Thank you

                                  • AppLee
                                    AppLee last edited by

                                    Bank apps probably use TOTP or HOTP that should be no secret to give us (customers) an alternative way to generate this one-time-password so we can configure Authenticator-NG accordingly.

                                    If I'm correct HOTP uses Android secure environment so this might be an issue for us.

                                    But compliant solutions exist that we can use on UT, banks just don't like to be transparent about the technical solution they use.

                                    • E
                                      Emphrath @AppLee last edited by

                                      @applee But the thing is they don't have to release any code at all! I guess you can publish proprietary software on the OpenStore, can't you?

                                      • Flohack
                                        Flohack @Emphrath last edited by

                                        @emphrath You could, yes. At least we would find a way, there is no technical limitation.

                                        • Flohack
                                          Flohack @cliffcoggin last edited by

                                          @cliffcoggin The EU made it so that banks can choose which 2FA they offer. Some German banks still deliver physical devices as an alternative (which you have to pay for), then my house bank still uses SMS.

                                          But 95% of all banks in Austria moved to Android/iOS Apps, they are the cheapest form for them, no device, no SMS to pay for. The user pays for himself basically 😉

                                          So I must say, I cannot really change to another bank, and hope that mine will not stop SMS codes soon...

                                          • Josele13
                                            Josele13 last edited by Josele13

                                            Is it possible that Morph can connect to a 2FA authentication key to validate with the bank?

                                            Or would the banks not accept it?

                                            https://mightygadget.co.uk/yubico-launches-lightning-compatible-hardware-2fa-security-key-the-yubikey-5ci/

                                            https://www.yubico.com/

                                            Regards...
