Category Archives: computer

Deutsche Bank and TAN lists

So, my daughter needs a new phone. I feel really old-school with my iPhone 5SE, but whatever. She has earned money from video editing for a local business and also saved some pocket-money, so fine. She wants to spend almost 800 € that are all her own on a new phone, so be it. Turns out the phone is cheaper on Amazon than directly in the Apple Store, even when you throw in an AppleCare protection plan, and of course I go order it online and suddenly find myself with a lot of cash that I feel way too uncomfortable with not to bank it.

My account has been with Deutsche Bank forever for mostly historical reasons, but you know how long-term relationships go with banks, especially after stuff like a mortgage on a house happens and all that. So, between dropping my daughter off at school and running other errands, I hop into their nearest branch office to deposit the money. When I head to that one ATM that also takes deposits, there is this marketing guy chatting up another customer and I already cringe when I hear him explain how printed TAN lists are a security risk. The yarn he spins is how the frequency of burglaries is increasing and somebody could steal the list of TANs. He even has the nerve to mention that he has no idea why, but some people blame it on the influx of refugees!

Inside I keep going, damn, I don’t have time for that kind of debate, when he explains how that is why they are planning to discontinue offering printed TAN lists around summer next year and people should get used to the photoTAN method. Screw you, methinks, and I do sincerely hope Deutsche Bank is not pushing photoTAN to protect us from refugees who are after our bank accounts. Or else I might have to reconsider my choice of bank. This story was bullsh!t on so many levels.

Yes, printed TANs do not solve every security issue that exists with online banking. But generally speaking, the TAN mechanism as a form of one-time-pad is one of the better ideas people have come up with. It offers a practical form of two-factor authentication where you have to have something and to know something to get access to your account. Somebody can steal your TAN list and without your online banking PIN it is useless and vice versa. The remaining security concerns that do exist largely revolve around (1) man-in-the-middle attacks and (2) a responsible use of TANs / convenience.

Traditional TANs (and iTANs) are agnostic of the kind of transaction. Neither for the user nor for the bank is there a way to ensure the TAN is actually used for the transaction the user intended it to be used for. If somebody can get between the bank and the client, he might be able to catch a TAN that was meant for a 5 € payment and use it to transfer a million to his own account (if you don’t have a set limit for online transactions.) Seriously, though, phishing attempts aside, and people clicking on stuff they should not be clicking on and not paying attention, that is a pretty hard thing to do. Having somebody present me a webpage that comes from the deutsche-bank.de domain, has a valid SSL certificate that my browser trusts, gets me through the regular PIN-based login and the whole workflow of ordering a money transfer up to the point where I have to enter a TAN, and still being able to see through the encrypted channel, is something my employer could do on hardware where he controls my browser’s proxy settings. And yes, somebody who similarly pwned my personal computer could do it. But using online banking from a piece of equipment that has been pwned, one way or another, is generally a bad idea. And we will come back to that line of thought.

The other problem with printed TAN lists is, of course, mobility. They are really not intended to be carried around at all times. If you do, the chances of them getting into the wrong hands obviously increase, a lot. As a matter of fact, traditional TANs even lent themselves to being used on the go a bit more than the current iTANs, because you could just copy three or four TANs from the list you kept stored safely at home and take them along on a trip. With iTANs that is no longer possible, because you do not know in advance which TAN you will be prompted for. On the other hand, people are getting used to doing everything mobile, and thus there is the risk of people not using TAN lists carefully enough. But that is just as true for many other forms of TAN, such as mTAN, photoTAN, or whatnot. Like, having an app on your phone to log in to your account which potentially even saves your online banking PIN in a keychain, and then getting an mTAN as a text message to that same phone entirely defeats the purpose of having two-factor authentication. All somebody needs to do after that is to steal the phone. And Deutsche Bank even advertises on their webpage that, if you have both the banking app and the photoTAN app on your device, you do not need anything else. Am I the only one thinking there is something wrong, here?

I get convenience. I mean, I personally feel like convenience is the thing that makes many people on the internet hang the noose around their own necks, but I do get it. I also get how banks want to get rid of having to print those TAN lists and keep mailing them to people. Just don’t try to sell it to me as a security feature. The one-time-pad’s security hinges on the safe channel through which the communicating parties pre-share their keys. And the sealed blackened envelope my printed TAN lists arrive in is something I as a person feel much more capable of handling securely than anything that involves electronic communication. Also the risk of them getting stolen: I don’t carry them around. I keep them tucked away somewhere, at home. And burglars just don’t break into your house and go search for your TAN list. They don’t! They don’t even steal your flat screen television anymore, these days. They want easy cash. Given that, again, I feel a lot more capable of finding a safe spot back home to store my TAN lists than of keeping my mobile devices safe.

And here we’re coming back to the idea of doing online banking from a pwned device. Seriously? After all the recently discovered vulnerabilities, from BlueBorne to KRACK to whatnot, can anybody seriously believe they have enough control over their mobile devices to ensure they are safe to be used for online banking? I may be paranoid again, but: micropayments, fine, for all I care; access to my one important bank account, though? I don’t want my mobile phone to play any part in that, whatsoever.

Sure, photoTAN also works with a dedicated scanner device, and I’ll probably opt for that, when they stop offering printed TAN lists. And it will be a little safer, because the TAN will be tied to the actual transaction. But does this, in any way, protect me from the scanner being stolen after it has been activated? Of course not. If that thing gets stolen from my house, I have to call my bank in exactly the same way that I would have to, if my current TAN list gets stolen. So please, Deutsche Bank, if you want to save yourself the effort of sending me TAN lists via snail mail, just say so. Don’t try to tell me you’re protecting me from wicked refugees breaking into my house.
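To make the difference between a transaction-agnostic TAN (the printed list) and a transaction-bound one (the photoTAN idea) concrete, here is an added toy model in Python. It is not code from the post and not how Deutsche Bank’s photoTAN actually works; the HMAC construction, the key and all IBANs and amounts are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Added toy model (not the post's code, not Deutsche Bank's real scheme).
# The HMAC construction, the key and all IBANs/amounts are constructed
# demo values.

def make_tan_list(n=5):
    """Printed TAN list: n random one-time codes, none tied to a transaction."""
    return {f"{secrets.randbelow(10**6):06d}" for _ in range(n)}

def verify_list_tan(unused, tan):
    """The bank can only check that the code is still unused; it has no way
    to tell which transfer the customer meant to authorise with it."""
    if tan in unused:
        unused.discard(tan)
        return True
    return False

def bound_tan(key, iban, amount_cents):
    """photoTAN-style: the code is derived from the transaction details the
    customer actually confirmed, so it is valid for exactly that transfer."""
    msg = f"{iban}|{amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

def verify_bound_tan(key, iban, amount_cents, tan):
    return hmac.compare_digest(bound_tan(key, iban, amount_cents), tan)

def bank_accepts(scheme, intended, received, key=None):
    """Does the bank accept the transfer `received` when the customer
    authorised `intended`?  Both are (iban, amount_cents) tuples."""
    if scheme == "list":
        unused = make_tan_list()
        tan = next(iter(unused))              # customer reads the next code off the list
        return verify_list_tan(unused, tan)   # accepted whatever `received` says
    key = key or secrets.token_bytes(32)      # pre-shared when the device is activated
    tan = bound_tan(key, *intended)           # computed over what the customer confirmed
    return verify_bound_tan(key, *received, tan)

INTENDED = ("DE00 DEMO 0000 0000 01", 500)          # 5 EUR: the transfer the customer meant
ALTERED = ("DE00 DEMO 0000 0000 99", 100_000_000)   # 1,000,000 EUR: changed in transit

if __name__ == "__main__":
    print("list TAN, transfer altered:", bank_accepts("list", INTENDED, ALTERED))       # True
    print("bound TAN, transfer altered:", bank_accepts("bound", INTENDED, ALTERED))     # False
    print("bound TAN, transfer unchanged:", bank_accepts("bound", INTENDED, INTENDED))  # True
```

The list scheme accepts the altered transfer because nothing in the code says what it was for; the bound scheme rejects it because the code was computed over the details the customer confirmed, which is exactly what the transaction limit and the dedicated photoTAN reader are meant to buy you.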


StrongSwan Client with Ubuntu 16.04 LTS

So, I’m a regular user of public WLAN hotspots, those of Deutsche Telekom among others. Being the paranoid digital self-defense person I am, I’ve been using a VPN service for quite some time now. I recently noticed that my PPTP client setup stopped working at hotspot locations run by Deutsche Telekom that I regularly use, when it still worked from home or some other hotspots I use. I embarked on a journey to teach my Ubuntu laptop some more VPN protocols. OpenVPN worked like a charm with just installing the obvious packages for network-manager. StrongSwan, however, didn’t cooperate quite as easily, due to Ubuntu 16.04 having packages in its repository which are known to not work with the version of network-manager also in that version.

OK, use the source, Luke …

But rather than compile from source tarball and clutter my system with stuff, I found the repositories for zesty have the versions I need. So, I decided to backport that:

  1. Edit /etc/apt/sources.list
    1. uncomment all deb-src lines and insert one line: deb-src http://de.archive.ubuntu.com/ubuntu/ zesty main restricted universe multiverse
  2. apt-get update
  3. apt-get install build-essential
  4. mkdir strongswan
  5. cd strongswan
  6. apt-get build-dep strongswan
  7. apt-get source strongswan
  8. export DEB_BUILD_OPTIONS=nocheck
  9. dpkg-buildpackage -us -uc
  10. dpkg -i strongswan-nm_5.5.1-1ubuntu3_amd64.deb libstrongswan_5.5.1-1ubuntu3_amd64.deb strongswan-libcharon_5.5.1-1ubuntu3_amd64.deb
  11. cd ..
  12. mkdir nm-strongswan
  13. apt-get build-dep network-manager-strongswan
  14. apt-get source network-manager-strongswan
  15. dpkg-buildpackage -us -uc
  16. dpkg -i network-manager-strongswan_1.4.1-1_amd64.deb

Then configure as per the wiki page.

Now, I only need to find out how to trust the VPN provider’s certificate when their IKEv2 configuration howtos all seem to rely on turning certificate verification off.


Login to Telekom Hotspot on Linux command line

So, my old laptop has been reactivated with a 16.04 LTS Ubuntu release. When traveling, I frequently use the Telekom Hotspot services, and given how I like using the Tor Browser (with some additional plugins, just because I’m fed up with all the tracking) there’s a little issue: I need to log in to a web page to start using the hotspots, but I cannot start browsing with the Tor Browser before I have a network connection.

No big deal on a Mac with the wispr stuff to automatically fill out the captive portal pages for you, or at least automatically pop them up in a window separate from your browser. So, what are the options on Linux?

  1. Start Firefox first, log in to the hotspot, then shut Firefox down again and start the Tor Browser.
  2. Somehow work a “-new-instance” argument into starting the Tor Browser so you can actually do #1 but leave Firefox open (which helps with stuff like posting on WordPress.)
  3. Use some entirely other browser unrelated to firefox as your second/first browser to log in to the hotspot
  4. Use a WISPR client like this one (though the page has issues as of writing this), but the whole approach seems like a security issue.
  5. log in to the hotspot on the command line

So, yes … Linux geeks choose option #5:

#!/usr/bin/perl

use strict;
use warnings;
use Term::ReadKey;
use JSON::PP;    # core module; builds the JSON body with proper escaping

my $username;
my $password;

print "username: ";
$username = <STDIN>;
chomp $username;

ReadMode('noecho');
print "password: ";
$password = <STDIN>;
chomp $password;
ReadMode('restore');

print "\n";

# Build the body with a JSON encoder instead of interpolating the credentials
# into a shell command string, so quotes or shell metacharacters in a
# password can neither break the command nor be interpreted by the shell.
my $body = encode_json({ username => $username, password => $password });

# Headers as captured from the browser session (the X-Hash and Cookie values
# are session-specific). curl sets Content-Length itself, so the captured
# "Content-Length: 57" header is left out: it would be wrong for any other
# username/password length.
my @curl = (
    'curl', 'https://hotspot.t-mobile.net/wlan/rest/login',
    '-H', 'Host: hotspot.t-mobile.net',
    '-H', 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0',
    '-H', 'Accept: application/json, text/plain, */*',
    '-H', 'Accept-Language: en-US,en;q=0.5',
    '--compressed',
    '-H', 'Content-Type: application/json;charset=utf-8',
    '-H', 'X-Hash: AjbCkwnbQWKb+eKqFSelsyugcyVtXiU1ZkUjnqDYhsA=',
    '-H', 'Referer: https://hotspot.t-mobile.net/TD/hotspot/Tank_Rast_Petro/en_GB/index.html',
    '-H', 'Cookie: JSESSIONID=1111D92CBA6C27FE69D13F04F5CD4497.P3; POPUPCHECK=1496237026311; DT_H=NzY5OTk0MTgy',
    '-H', 'Connection: keep-alive',
    '--data-binary', '@-',    # read the body from stdin so it never shows up in `ps`
);

# Run curl directly (list form, no shell involved) and pipe the body to it.
open(my $curl, '|-', @curl) or die "cannot run curl: $!";
print {$curl} $body;
close($curl) or die "curl failed with exit status " . ($? >> 8) . "\n";

Make sure you have the Term::ReadKey module installed. On Xenial you do:

apt install libterm-readkey-perl
