Felicitas Pojtinger 🌅New idea: Neobank specifically for digital sovereignty, from the app running on Linux/without SafetyNet and other nonsense to the servers running on local infrastructure
People need banking and payment apps to work on Linux mobile for it to work. Obviously the only real "fix" for this is a regulatory one that declares SafetyNet a monopolistic control mechanism, which it is. But also, with fintech stuff getting easier and easier, I wonder if creating at least an open _banking_ app should be possible. Yes, various countries require push-based 2FA, but nothing locks you into Google/Apple here on Linux. I wonder how the payments situation would be ...
I kind of want to check whether Visa/Mastercard have any requirements for SafetyNet etc. to work in order for a digital payments solution (in Germany, the contactless "Mobiles Bezahlen" app vendored by Volksbank for example works completely w/o Google Wallet and works everywhere contactless works, but requires SafetyNet).
Also, we can check for different security signals on Linux systems, like whether measured boot passed and secure boot is enabled (GNOME has that under the "Security" tab in settings, and it's failing on my system bc I don't have secure enabled) Maybe what Amutable is working on could also fit into this.
darkdragon@pojntfx FYI Slightly related are my thoughts around a new payment scheme for direct debits which could replace VISA in the EU: https://chaos.social/@darkdragon/116113460892545054
darkdragon (@[email protected])
@Lilith Der Hauptgrund für Schufa ist die Reduzierung von Zahlungsausfällen. Dabei könnte es so einfach sein. Zur Echtzeit-Überweisung (SEPA Instant Credit Transfer) könnte man einfach eine Echtzeit-Lastschrift gesellen. Authentifizieren könnte man solch einen request via JWT, den man per NFC im Laden oder OAuth mit der Bankwebsite in Internet generiert. Ein Großteil der Infrastruktur für die Zahlungsabwicklung ist mit der Echtzeit-Überweisung vorhanden.
@darkdragon Gosh, we can only dream lol
Here in Canada there is at least still a very popular sovereign debit payment system that's pretty universally accepted (Interac)
Marco Mastropaolo@pojntfx 100%. But I doubt there's any incentive in regulation of SafetyNet, especially in the current era of governments pushing towards more tracking, more identification, less freedom.
@pojntfx The relevant legislation regarding 2FA is the strong customer authentication (SCA) requirement of the revised Directive on payment services (PSD2):
@pojntfx My understanding is that TOTP is not sufficient for 2FA because PSD2 SCA requires that for online payments, the authentication must be dynamically linked to the transaction's specific amount and payee. But maybe a standard JWT minting process could be enough (send request to the app, app signs the request with a private key potentially via TPM2, send the signed request back).
@darkdragon Thank you for the link! Makes sense. I know that there is a push notification in all of the EU banking apps I've used (SecureGo etc.). But as long as there is no hard-coded requirement for SafetyNet specifically, I don't see why we can't get to the same level of security _in theory_ with TPM2 for storing secrets safely + measured & secure boot, Flatpak/Bubblewrap sandboxing + push notifications that we send over WebPush etc.
@darkdragon Heck, if we really want it or are legally required to so there are also ways to do remote attestation for Linux systems, the embedded world has been doing it for a while and immutability makes this much easier
@pojntfx Maybe one could use passkeys for the signing part? So from the banks perspective, a "device" is a passkey. One can revoke passkeys in the web interface. Passkeys can be securely synced between devices. One could even create a PWA, no native app needed.
@pojntfx Yes, please! Several Fintechs started as customers of https://www.solarisgroup.com/en/ before getting their own banking license. Their API documentation is also openly available.
@pojntfx Device registration endpoint only takes a public key as parameter: https://docs.solarisgroup.com/api-reference/onboarding/device-management/device-binding/paths/~1v1~1mfa~1devices/post
@pojntfx This device key can then be used to sign requests (SEPA money transfer and VISA 3D secure): https://docs.solarisgroup.com/guides/authentication/strong-customer-authentication
@pojntfx They do seem to use device fingerprinting, so a passkey moving between devices does not seem to be allowed for use with their API: https://docs.solarisgroup.com/guides/kyc/device-monitoring