What's stopping banks from creating FOSS (or atleast open-source) banking solutions (apps)?

nIi7WJVZwktT4Ze@fost.hu to Free and Open Source Software@beehaw.org – 44 points –

Let's say, I create a bank with the caveat that all of my banking phone apps and webapps are FOSS (or if they depend on non-free components — banks probably do to communicate with each other —, then just OSS). Am I going to be behind the competition by doing this?

If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank's apps by publicizing it?

Are they not doing this because they secretly collect a lot of data (on top of your payment history because of the centralized nature of card payments) through these apps?

EDIT: Clarifying question: Is there a technical reason they don't publicize their code or is it just purely corporate greed and nothing else?

44

What incentive would a bank have to release their apps as FOSS?

You probably could create an open source banking app and use it to run a bank on a primarily open source software stack. But banks are not software companies, and they have no reason to engage with the FOSS world. We could think up lots of potential reasons for why a bank might not want to release their apps as FOSS, but the simplest answer is "why would they?"

I'd love to live in a world where free software is the norm, but we're not in that world. So if the bank has no incentive to do it other than the comparatively niche interests of the FOSS community, they just won't do it.

There is also a lot of "security by obscurity" in the corporate/fintech world - "it's open source so everyone can see the code which makes it less secure". The inverse is often true thanks to Linus's Law.

The inverse is often true thanks to Linus’s Law.

The article you linked seems to suggest that Linus's Law is a mere suggestion, at best.

No one is suggesting that open source is inherently less secure, just that the vulnerabilities are easier to find, and thus easier to get exploited. For a third party reviewer there's a lot of incentive not to report bugs they would find in banking software.

No one is suggesting that open source is inherently less secure

Unfortunately, I've met a number of people who genuinely do believe this! The same demographic who don't know how copy and paste works or take photos of stuff on their monitor instead of print-screening and tend to end up running large corporations even though they're completely out of touch.

What incentive would a bank have to release their apps as FOSS? .. but the simplest answer is “why would they?”

Indeed they wouldn’t because most consumers are pushovers, willing to fetch and run any garbage non-free software and willing to share sensitive data with Google in the process. So there’s no reason to offer a FOSS option -- as people are not demanding it.

I am one of the very few who demand FOSS. I will not run a non-free app (esp. banking) and I will not create a Google account to reach their exclusive playstore. And now that bank’s web services have started going to shit (blocking tor, reducing web features or simply being shut down to force people to use the phone apps), I’ve gone analog. If a critical mass of consumers were to do the same and stand up for themselves, banks would be forced to do the right thing. But they are not. Ethical consumers are too small of a group to be worth getting business from.

If your software makes your clients' life easier and your internal operations cheaper/faster/whatever, it's a competitive advantage. Why would you give it away? Corporate greed or healthy competition, I suppose, depending on your point of view.

Why does any company ever undercut the competition by offering something more attractive?

Bank A makes their customer’s lives easy/convenient, but forces them to bend over and install freedom-disrespecting spyware. If bank B wants to take some of bank A’s market share (healthy competition), they produce an app that is equally convenient but respects freedom.

Healthy competition is not in play here. Banks are highly skiddish and risk adverse. The US has over 6000 banks yet US consumers experience very little diversity between them. They’re all basically the same because in when money is on the line no one in the finance industry wants to gamble with doing something different or original. They copy each other and produce shitty websites. Even the website software is outsourced primarily to a few different suppliers.

Even before smartphones existed, I was disturbed that if I wanted an electronic statement, I was forced to login to a website manually and do a lot of clicking. Fuck manual labor. They called that “electronic delivery”. But it wasn’t delivery; it was pick-up. I want my statements like I want my pizza: delivered. It’s been possible to email PGP-encrypted statements since the 1990s, but no banks in the US do it. I think just one bank in Germany did it. But in the US no bank wants to try something different because if they succeed, other banks will copy them anyway. So they only put their neck on the line with risk only to have the benefit of the success be exploited by the competition who avoided taking risk.

As long as the bank has a good API, there's nothing stopping anyone except money.

There is a cost to making a good app. And banks have no incentive to open source their current apps - if it's any good it's a competitive advantage.

For example - I'm currently using a bank because their app is awesomely good (compared to other banks). Why would they open source it - it means customers might go to other banks who do better on interest rates, or fees.

There is a cost to making a good app.

That cost is actually reduced in the open source world. Wheels need not be reinvented. The bank would only have to code a few basic features as an example, publish the API, and let the community develop their app at no cost to the bank. The bank would only have to finance the code audit and acceptance, which the commercial software producer must do anyway.

For example - I’m currently using a bank because their app is awesomely good (compared to other banks).

Surely you have a low bar for what’s good. Just about every banking app I’ve encountered is not even downloadable unless you have a Google account. That already crosses the enshitification line. You have to create a Google account, share your personal phone number with Google, agree to Google’s terms, let Google harvest your IMEI number, let Google keep track of where you bank (since it tracks every download), trust Google not to sell that info to debt collectors, etc. Then once you have the app, it likely detects and refuses to run inside a VM, thus forcing you to buy new hardware to keep up with updates. Then the app likely has spyware therein simply judging from the excessive perms they tend to require.

Why would they open source it - it means customers might go to other banks who do better on interest rates, or fees.

Are you saying a FOSS app from bank A would simply work on bank B? That they have the same API? Perhaps, but that can be controlled by using a unique API.. though indeed that protectionism would incur an extra cost.

Thanks to PSD2 most european banks have APIs, so there isn't actually any requireent to use the bank's apps anymore.

Tell me more? Are there opensource banking apps that work or can for example gnucash use these APIs?

That’s not a reality for any Belgian banks as far as I can tell.

One bank even shut their doors, took down their website, and forced all their customers to either use their non-free app or lose access to their money.

I don't know much about Belgian banks, but the first one I found is Ing, and here is their documentation: https://developer.ing.com/openbanking/home. I'm sure searching for " bankname PSD2" will give you results for other banks.

Looks like Ing still maintains the linux CLI app. I thought they discontinued that but it’s apparently still maintained. I’ve never seen a FOSS app from any other Belgian bank. FOSS phone apps are entirely non-existent for all Belgian banks AFAICT. The link you posted does not appear to lead to one.

BTW, wouldn’t it be strange if Ing had a FOSS Android app considering their app from playstore detects when it’s launched in a virtual machine and then refuses to run? If they had a FOSS app, the user could make it run inside a VM.

Be the change you want to see. The API is there. Go build that FOSS phone app.

Be the change you want to see.

I agree with that principle. And for me, that leads me elsewhere. (I’m not the OP)

I oppose forced banking. I also oppose forced online banking within the banking sector.

Forced online banking

Technologists are mostly incompetent, evidenced by today’s web which is increasingly enshitified. The ultimate escape from incompetently implemented shitty tech is an offline/analog option. It’s important for consumers to be able to say “fuck this, I’m done with electronic access.” Naturally you’d think if you write the app yourself that solves the problem. Not exactly. That API is still controlled by the bank. While the API is likely decent, there’s a firewall around it. Banks are increasingly making stupid anti-consumer moves in their firewalls:

  1. They either put their services on Cloudflare, thus blocking Tor and subjecting all users (tor and non-tor) to Cloudflare’s eye on all their sensitive financial traffic including usernames and passwords. Or
  2. they simply block Tor, which then enables your ISP to track where you bank and also enable the bank to track your physical whereabouts upon every single login.

These factors are outside of the control of the app developer. A developer could invest a lot of their own time building a great app, only to be demoralized by aggressive firewall anti-features. And worse, if the dev boycotts Cloudflare and/or the bank, their FOSS app continues to benefit the bank after they begin their boycott. IOW, the fruits of their labor is used against them.

Forced banking

Banks are becoming increasingly anti-consumer both online and offline. I could fill a book on this. But to be brief, imagine a bank decides to force everyone online, they close their countertop service, and then force people to obtain a mobile phone, mobile phone service, and force them to share their mobile phone number with the bank. (yes, this has actually happened). The ultimate escape is being able to function without a bank. The #WarOnCash is killing that option off so we are being forced to use banks.

So when you say “Be the change you want to see”, that’s exactly what I’m doing by living an unbanked life and fighting against the war on cash. In that mission, producing a FOSS app would actually be antithetical. A FOSS app would make banking a little more satisfying when it’s more important to have unbanked people fighting for the right to live an analog life.

Surely you are not suggesting that Cloudflare has access to end user credentials? Why would you say thay? Do uou have any hint of proof that that is the case? It would be a massive no-no, and heads would roll. If you hate electronic banking, here is your chance to take them down.

Cloudflare holds the keys. They decrypt all traffic that reaches their reverse proxy. It’s legal. Banks can outsource anything they want and they do so willy nilly. Their privacy policies cover this.. they can share whatever they need to with their partners.

BTW FWiW, I have caught banks breaking a few laws and reported it to regulators. Regulators don’t care. Everyone thinks consumer banks have a gun pointed at them to comply with the law because it periodically makes a big splash in the media when they’re caught not enforcing AML rules. But when it comes to consumer protection, anything goes to a large extent. There’s very little pressure to do right by consumers. One regulator even had the nerve to say to me “why don’t you change banks?” (in response to a report of unlawful conduct).

I'm well aware that Cloudflare holds the TLS keys. I'm also well aware that that does not equal having access to credentials.

Banks certainly can not outsource willy nilly. Or well, I suppose they may in some jurisdictions, but the context here is Europe, where the banks actually are regulated.

I’m well aware that Cloudflare holds the TLS keys. I’m also well aware that that does not equal having access to credentials.

Can you elaborate? I believe the hashing must be done on the server side not the user side, so Cloudflare would see the creds before hashing. I know it’s possible to subscribe to an enterprise package where you hold your own SSL keys, but it’s unclear why CF would even be used in that scenario. If CF cannot see the traffic, it cannot optimize it as it all has to be passed through to the original host anyway. AFAICT, CF’s only usefulness in that scenario is privacy of the websites ownership - something that banks would not benefit from.

Banks certainly can not outsource willy nilly. Or well, I suppose they may in some jurisdictions, but the context here is Europe, where the banks actually are regulated.

US banks (esp. credit unions) outsource with reckless disregard for just about everything. Europe is indeed different in this regard. But European banks have no hesitation to outsource email to Microsoft or Google and then to use email for unencrypted correspondence with customers. That crosses a line for me.

European banks will also outsource investments to JP Morgan (one of the most unethical banks in the world), and they tend to be quiet about it. I boycott JPM along with other similar banks in part due to investments in fossil fuels and private prisons. This means banking in Europe is a minefield if you boycott the upstream baddies.

Without TLS termination Cloudflare is still useful for e.g. DDoS protection, and serving content that do not contain client information.

Caching client data globally using Cloudflare would be pretty pointless and help very little and probably even be harmful to performance, so them having the TLS key for it would absolutely not be worth it.

Without TLS termination Cloudflare is still useful for e.g. DDoS protection,

I’m not seeing that. Cloudflare’s DDoS protection is all about having the bandwidth to serve the traffic. If CF cannot treat the traffic itself (due to inability to see the payloads), that whole firehose of traffic must be passed through to the original host which then must be able to handle that volume. CF’s firewall in itself is not sophisticated enough to significantly reduce the traffic that’s passed along. It crudely uses IP reputation which can easily be done by one’s own firewall. What am I missing?

6 more...
6 more...
6 more...
6 more...
6 more...
6 more...
6 more...
6 more...
6 more...
6 more...
6 more...
6 more...

Absolutely, you are the company paying for all the work of the FOSS app, having to ensure it meets FCC regulations for banking. It's a huge mess. Costs millions to do. Pull requests can't just be taken they must be studied by several teams and a lot of the time it'd be easier and better if that code came internally so you'd be able to directly communicate with the author. That said FINOS exists, https://www.finos.org/ They are more about adopting the usage of open source libraries rather than writing their own though.

Overall you'd get no to little benefit and lose a competitive edge while causing more technical headaches following standards to open source your code.

Absolutely, you are the company paying for all the work of the FOSS app, having to ensure it meets FCC regulations for banking. It’s a huge mess. Costs millions to do.

FCC regs, really? That’s comms. First I’m hearing the FCC regulates banks. But surely those regs must be quite lax because banks in the US are quite sloppy. One-factor auth is good enough.. if someone gets your username & PW they can spend your money. US banks are putting their websites on Cloudflare, so all sensitive banking info and transactions is shared with a tech giant. Pretty much everything is outsourced, even simply printing statements, which puts a lot of eggs in one basket. US banks get breached regularly, like Capone who didn’t even bother to encrypt data at rest on Amazon’s server, so an Amazon contractor leaked the data.

With such lousy regulation, would it really be hard to get approval for a FOSS app?

I don't know of anything stopping banks from creating FOSS apps, but since it's not their area of expertise, I think they're more likely to license an app from a provider, and existing providers don't have a compelling incentive to open-source their apps.

If we want FOSS banking apps, I think the first and most important step would be legally requiring banks to provide standard APIs.

If we want FOSS banking apps, I think the first and most important step would be legally requiring banks to provide standard APIs.

Germany supposedly has an open standard banking API. I don’t know if it’s legally mandated but in principle its mere existence and acceptance by some banks would theoretically be sufficient to inspire FOSS apps. I vaguely recall that GNU Cash recognizes that standard.. can anyone confirm?

I don’t think I’ve seen any portable FOSS banking apps for any country in the F-Droid official repos. Which suggests that a standard open API may not be sufficient. Or perhaps I have something wrong here.

License bullshit. Already had a call with a smaller sustainable bank (GLS) and they are mostly totally dependend on bigger mother banks and their weird security ideas

In Belgium the water company has imposed forced-banking by removing the cash option. Then at least one bank has shutdown their website and shut their doors, essentially forcing people to buy a smartphone and install their non-free app. So if you want water service, you must buy a smartphone and sell your soul. How perverted is that? Sure, those customers can also change banks but more banks could take the same shitty direction: run non-free software or lose access to water.. how’s that for human rights?

Am I going to be behind the competition by doing this?

Yes, because you are due a lot more diligence with open source, and that will slow down your releases.

If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?

You trade security by obscurity for security by expert oversight. I'm not a lawyer or baking auditor, but I'd say while zero-days are problematic for open source software projects; they can be life-ending for banks.

Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?

This is a false dichotomy. Financial reasons to not publicize the code are technical reasons. Finance is technical.

The only false dichotomy I see here is the claim that you can have FOSS /OR/ expert oversight. There’s no reason why you cannot have both and hire expert oversight on a FOSS project (at least apart from reasons of the corp bottom line).

You also appear to equate FOSS with “security by obscurity”, which makes no sense. FOSS is not obscure, it’s the contrary. Non-free software makes use of obscurity, but that obscurity is not used as a basis for security. So neither FOSS nor non-FOSS inherently makes use of security by obscurity.

Financial reasons to not publicize the code are technical reasons. Finance is technical.

This is an equivocation fallacy. The OP’s use of “technical reasons” implied technological feasibility. You’ve introduced a strangely broad version of the OP’s use of that term in order to muddy the waters.

I think you might have read it backwards, I equated closed source with security by obscurity. And obviously you can have both, if you pay extra.

Sure, finance is not technology, but I think it’s worth it pointing out that it’s not arbitrary or just greed or whatever, it has technicalities too.

That was quite vague and still hard to interpret the trade you mention. But I’ll say generally security benefits from:

  1. a good number of careful eyes on the code
  2. bug bounty programs
  3. audits
  4. red teams

Closed source has the false sense of security pitfall, which stems from the mentality that code secrecy is a protection of some kind. That pitfall is avoidable simply by not using it as a crutch for lacking security. Open source automatically avoids that pitfall. Bug bounties (2) help get motivated eyes (1) on the code (eyes motivated by generous legit rewards, as opposed to the reward of a zero day in the wrong hands). From there, I see no advantage to closed-source here.

I'm in total agreement that OSS builds more secure software. What I'm saying is that these companies are not in the business of building safe software.

From there, I see no advantage to closed-source here.

I think the easiest mental map is this: doing things well has a cost; doing things poorly can be cheaper; if it's way cheaper and there's some method available to de-risk it even if a little bit, no matter how little effective it is, it might be financially advantageous to pick the inferior option. This is not just for security, but pretty much everything.

Banks are opposed to anything that is "free".

Unless it's free to them exclusively.

Not quite sure what you mean. In the US, banks are constantly giving away free money and free stuff to open an account. Some people make a hobby out of opening accounts just to grab the free stuff and close the account as soon as the rules allow. Works great on college kids who can be bought cheaply.. just offer a free t-shirt. Or if you’re in a red state you might get a free shotgun for opening an account (not joking.. see Michael Moore’s film).