Secure online banking nowadays (bonus termination template PDF for Consorsbank attached) (#R12)
We’re a bit off-topic for today, aside from software design/UI/UX in general. But the “increased” security in everything banking, equally forced by new legislation and the real-world implementation by the banks, really rustles my jimmies. I’m about to cancel a sparsely used bank account (Consorsbank – ex Cortal Consors, daughter of BNP Paribas) after several tries to access it over the course of one year – complete termination is now easier than discussing the matter with some hotline doofus and waiting for more snail mail to arrive, only to be denied access again and again.
First things first: If you’re here for the title, here’s the good stuff for Consorsbank: Since the cancellation template has moved inside the login area (genius!) so that anything in the form can (presumably) be pre-filled for bonus points on customer experience, that poses a slight issue for people not being able to access their account at all. And since there’s a lot of questions when cancelling a bank account, I used the Wayback Machine to get a link to the old (open) PDF form, which sadly isn’t saved there, but still accessible on the server of Consorsbank. Of course the link to it is completely wiped from the googles, but if you still got it from somewhere, say, this pesky blog post, you could still use it. Well, try this. Or, if it’s finally deleted, maybe try this. Both ways, check their address before sending it off somewhere, but as of today it’s still valid.
How did I know of this? Well, the PSD2 “more-secure-banking-for-the-bottom-1%” regulation went into effect around a year ago. Thanks, EU socialist government, more regulations are absolutely on the top 3 wishlist of old-fashioned banks. Anyway, all of my banks were pestering me, and all of them except Consorsbank proactively provided everything I needed to use their buggy apps, like activation codes (one-time or multiuse) printed on classic dead tree. Consorsbank only mentioned a date where one NEEDED to be on the app. No information on what happens if one, just out of curiosity, is not. No checks afterwards if one really is. I wasn’t.
Activation after that date needed, surprise surprise, an activation key (dead tree again). Only catch was that this letter could only be requested a) by sending a mail (more dead tree) to them, that b) included a photocopy of one’s ID. There was no “help, I’m late to the party” option. Fuck no. At that time I thought about account cancellation for the first time, since that form also needed to be sent in via classic mail and also required a signature, but no further proof of ID. So – easier to quit than to work with them. But in the end I didn’t, there’s no money or stocks in that account (…I think), and I gave them a little more time to figure it out.
A couple months later, probably caused by one of the balancing mails they send every quarter, I checked again and now there’s a “I need a new activation letter” button present. When I clicked it, they sent one. I apparently didn’t make it in time, so it expired. Hope it didn’t cost a thing or I might be in debt for eternity due to not being able to even see that debt…
Now I got another one after clicking this nice button again. It’ll expire next Tuesday, it says. After downloading the app and thinking of a very secure password*, it now says:
“Wrong login credentials” (or something along that lines)
Googling leads me to other angry people that somehow managed to get it working by talking to hotline folks and telling them what to do in order to get it working (they’re clueless and their default script doesn’t work for that error message). Which leads me back to my original intention of just cancelling that account, since it is easier than fixing their fucking error messages of their fucking 2FA system that they fucking overspecced to make it more “secure”. Fuck that shit.
Now that I’m enraged, let’s get back to the “very secure password*” line. *: 6 to 20 digits. I’m so sick of that shit where everybody decides for other patronizing guidelines. Commerzbank and a Sparkasse (there’s many) decided for alphanumerical, but one digit is required. Fuck you. Barclays enforces exactly 5 digits. FUCK YOU. All of that crap for securing an application that is only used to acknowledge a code sent from the already password-authenticated banking website or online shopping/payment portal, since SMS, iTAN or, god forbid, TAN lists aren’t secure enough in a couple of edge cases that are far cheaper to just reimburse than forcing that crap onto everybody. So that’s two passwords to receive one one-time password. Some of those apps allow a swipe for confirmation, some allow a swipe that needs to be confirmed on the website again, some of them require a 2D code to be scanned, some of them just present you with a code that needs to be entered back into the website. CAN YOU GUYS NOT FUCKING STANDARDIZE ON SOMETHING?
More on the crappy experience side of things: Frankfurter Sparkasse, 1822direkt to be precise. For once, their regular app is called “1822 direkt”. Sure Bob, what’s the name of the connected acknowledgement app? “QRTAN+”. The one’s on the fucking top of the entire app list, and the other one is pretty much on the bottom. Everybody else can prefix their shitty two-app solution by their company name, but Sparkasse can’t? Well how much of a surprise is it that they can’t even do correct mail encoding. This is what I got three days ago:
Sehr geehrter Herr Buchwald
in Ihrer Elektronischen Postbox haben wir f�r Sie wichtige Informationen eingestellt, weshalb wir Sie zus�tzlich per E-Mail informieren. Wir ben�tigen Ihre aktive Unterst�tzung und Zustimmung, damit Ihre Kundenverbindung in bew�hrter Weise fortgef�hrt werden kann.
Was m�ssen Sie jetzt tun?
Bitte lesen Sie unsere Nachricht und die entsprechenden Anh�nge in Ihrer Elektronischen Postbox. Diese k�nnen Sie ganz einfach einsehen: Melden Sie sich im Online-Banking oder in der 1822direkt Banking App an und klicken Sie auf den Briefumschlag.
Anschlie�end bitten wir um Ihre zeitnahe Zustimmung zu unseren Bedingungswerken und Preisen. Die Zustimmung k�nnen Sie ebenso mit nur wenigen Klicks im Online-Banking oder in unserer 1822direkt Banking App vornehmen.
Wir danken Ihnen f�r Ihre aktive Unterst�tzung und freuen uns auf eine weiterhin vertrauensvolle Zusammenarbeit.
Mit freundlichen Gr��en
(yes, displayed as is with standard Unicode encoding, with the comma placed in the second line as it should be…)
If it wasn’t for the correct name and sent to their their exclusive mail address, I would have categorized this as one of those phishing attempts. Saved from positive (spammy) scoring by Rspamd through following DMARC guidelines, thankfully.
X-Rspamd-Bar: / X-Rspamd-Report: R_DKIM_ALLOW(-0.2) R_MISSING_CHARSET(0.5) MIME_GOOD(-0.1) R_SPF_ALLOW(-0.2) DMARC_POLICY_ALLOW(-0.5) X-Rspamd-Score: -0.5
But since I’m already shitting on Consorsbank, here’s one of their quarterly mails for comparison:
X-Rspamd-Bar: +++ X-Rspamd-Report: DMARC_POLICY_SOFTFAIL(0.1) BAYES_HAM(-0.116725) MIME_GOOD(-0.1) MISSING_MID(2.5) FORGED_SENDER(0.3) R_MIXED_CHARSET(0.625) X-Rspamd-Score: 3.308274
3.3, likely spam. Missing (unique) message ID which is usually generated by their SMTP server. So a bank isn’t able to configure their mail servers correctly, now that’s inspiring confidence…
Even flatex, who still allow usage of a clever static TAN card that fits your wallet (or hard drive…), send mails with mixed scoring, only to be saved by a huge bonus of the Bayes spam detector:
X-Rspamd-Bar: - X-Rspamd-Report: BAYES_HAM(-2.676829) R_SPF_ALLOW(-0.2) MIME_GOOD(-0.1) CTYPE_MIXED_BOGUS(1) MID_RHS_NOT_FQDN(0.5) X-Rspamd-Score: -1.476829
Yes. Two more things.
Allow fucking screenshots of your banking app. I very rarely use those, but when I do, I sometimes need a screenshot of it. Doesn’t matter if it’s for legit purposes, e.g. must-send-money-now with only the smartphone present, or for flexing. While that is no problem with browser-based user interfaces on the PC, denying a screenshot…c’mon.
And: Allow running your banking apps on rooted devices (or jail…broken? apple-y devices). My current CAT S61 isn’t rootable as far as I know, but the previous S60 was, and it didn’t allow the Sparkasse app. Rooted – not supported. But it still runs on ancient Android versions that have not received patches for years. Fuck you!
And, but this isn’t the fault of the banks but rather a business opportunity for third parties: I just checked if StarMoney is still a thing. It is. Still a 3rd party banking app, now also available for Macs, iPhones and Android.
I abandoned this together with Windows in the early 2000s, I think 6.0 was my last version that required the following patching route since the local Sparkasse sold the “Update” versions way cheaper: Install 2.0 (full), patch to 2.1 (I think), patch to 3.0, patch to 4.0, patch to 5.0, patch to 6.0. No version jump allowed/supported. Good times.
Nowadays, that’s no longer an issue – you can no longer purchase the product for 20 bucks and enjoy your offline banking tool that really did save a lot of money on phone bills with prepared bank transactions. StarMoney 13 (maybe earlier?) has gone to a subscription model. 2.79€ to 5.49€ – per month. I don’t pay that much in fees for all of my banks in the entire year, and that includes the negative interest on cash on the flatex account.
Go fuck yourself. All of you. In the butt. With love