Let’s say, I create a bank with the caveat that all of my banking phone apps and webapps are FOSS (or if they depend on non-free components — banks probably do to communicate with each other —, then just OSS). Am I going to be behind the competition by doing this?

If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?

Are they not doing this because they secretly collect a lot of data (on top of your payment history because of the centralized nature of card payments) through these apps?

EDIT: Clarifying question: Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?

  • sweng@programming.dev
    link
    fedilink
    arrow-up
    12
    ·
    1 year ago

    Thanks to PSD2 most european banks have APIs, so there isn’t actually any requireent to use the bank’s apps anymore.

    • leds@feddit.dk
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Tell me more? Are there opensource banking apps that work or can for example gnucash use these APIs?

    • freedomPusher
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      That’s not a reality for any Belgian banks as far as I can tell.

      One bank even shut their doors, took down their website, and forced all their customers to either use their non-free app or lose access to their money.

        • freedomPusher
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Looks like Ing still maintains the linux CLI app. I thought they discontinued that but it’s apparently still maintained. I’ve never seen a FOSS app from any other Belgian bank. FOSS phone apps are entirely non-existent for all Belgian banks AFAICT. The link you posted does not appear to lead to one.

          BTW, wouldn’t it be strange if Ing had a FOSS Android app considering their app from playstore detects when it’s launched in a virtual machine and then refuses to run? If they had a FOSS app, the user could make it run inside a VM.

            • freedomPusher
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              1 year ago

              Be the change you want to see.

              I agree with that principle. And for me, that leads me elsewhere. (I’m not the OP)

              I oppose forced banking. I also oppose forced online banking within the banking sector.

              Forced online banking

              Technologists are mostly incompetent, evidenced by today’s web which is increasingly enshitified. The ultimate escape from incompetently implemented shitty tech is an offline/analog option. It’s important for consumers to be able to say “fuck this, I’m done with electronic access.” Naturally you’d think if you write the app yourself that solves the problem. Not exactly. That API is still controlled by the bank. While the API is likely decent, there’s a firewall around it. Banks are increasingly making stupid anti-consumer moves in their firewalls:

              1. They either put their services on Cloudflare, thus blocking Tor and subjecting all users (tor and non-tor) to Cloudflare’s eye on all their sensitive financial traffic including usernames and passwords. Or
              2. they simply block Tor, which then enables your ISP to track where you bank and also enable the bank to track your physical whereabouts upon every single login.

              These factors are outside of the control of the app developer. A developer could invest a lot of their own time building a great app, only to be demoralized by aggressive firewall anti-features. And worse, if the dev boycotts Cloudflare and/or the bank, their FOSS app continues to benefit the bank after they begin their boycott. IOW, the fruits of their labor is used against them.

              Forced banking

              Banks are becoming increasingly anti-consumer both online and offline. I could fill a book on this. But to be brief, imagine a bank decides to force everyone online, they close their countertop service, and then force people to obtain a mobile phone, mobile phone service, and force them to share their mobile phone number with the bank. (yes, this has actually happened). The ultimate escape is being able to function without a bank. The #WarOnCash is killing that option off so we are being forced to use banks.

              So when you say “Be the change you want to see”, that’s exactly what I’m doing by living an unbanked life and fighting against the war on cash. In that mission, producing a FOSS app would actually be antithetical. A FOSS app would make banking a little more satisfying when it’s more important to have unbanked people fighting for the right to live an analog life.

              • sweng@programming.dev
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                Surely you are not suggesting that Cloudflare has access to end user credentials? Why would you say thay? Do uou have any hint of proof that that is the case? It would be a massive no-no, and heads would roll. If you hate electronic banking, here is your chance to take them down.

                • freedomPusher
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  Cloudflare holds the keys. They decrypt all traffic that reaches their reverse proxy. It’s legal. Banks can outsource anything they want and they do so willy nilly. Their privacy policies cover this… they can share whatever they need to with their partners.

                  BTW FWiW, I have caught banks breaking a few laws and reported it to regulators. Regulators don’t care. Everyone thinks consumer banks have a gun pointed at them to comply with the law because it periodically makes a big splash in the media when they’re caught not enforcing AML rules. But when it comes to consumer protection, anything goes to a large extent. There’s very little pressure to do right by consumers. One regulator even had the nerve to say to me “why don’t you change banks?” (in response to a report of unlawful conduct).

                  • sweng@programming.dev
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    1 year ago

                    I’m well aware that Cloudflare holds the TLS keys. I’m also well aware that that does not equal having access to credentials.

                    Banks certainly can not outsource willy nilly. Or well, I suppose they may in some jurisdictions, but the context here is Europe, where the banks actually are regulated.