Difference between revisions of "AqBanking"

From GnuCash
(HBCI/FinTS Security Type: update link)
(HBCI/FinTS Security Type: link RFE)
Line 27: Line 27:
 
:::;Warning!:[https://www.redteam-pentesting.de/en//publications/mitm-chiptan-comfort Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System]
 
:::;Warning!:[https://www.redteam-pentesting.de/en//publications/mitm-chiptan-comfort Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System]
 
:::;manual:
 
:::;manual:
:::;several optical methods: GC does not generate the flickering image, but you can manually enter the displayed number in your ''TAN generator''
+
:::;several optical methods: GC does not generate the flickering image, but you can manually enter the displayed number in your ''TAN generator''. [{{BugURL}}/show_bug.cgi?id=667490 Bug 667490 - Support image-based TAN methods QR, photoTAN, and chipTAN optical "Flicker code"]
 
::::; Flicker code: The number is transferred in nibbles by an animated gif.
 
::::; Flicker code: The number is transferred in nibbles by an animated gif.
 
::::; QR code: can be decoded by smartphones.
 
::::; QR code: can be decoded by smartphones.
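Review bot: on the added ";several optical methods" line the bug link is appended after the full stop with no connecting words, so the rendered definition reads as a sentence followed by a bare link title. Consider introducing it, for example "See [{{BugURL}}/show_bug.cgi?id=667490 Bug 667490] for the request to support image-based TAN methods". The unchanged ";Warning!" context line also still carries a double slash in "en//publications", which could be normalised in the same edit.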

Revision as of 13:54, 20 December 2019

Aquamaniacs Banking (translation) is a library for online banking. In particular, the German online banking standard FinTS (Financial Transaction Services) is supported; it was originally named home banking common interface (HBCI), and that old name is still very common. Additionally, some other online banking standards are or have been supported, such as

  • Electronic Banking Internet Communication Standard EBICS, used in CH, DE and FR,
  • OFX Direct Connect, used mainly in the US, and
  • PayPal, in some versions.

Deutsche Version: De/HBCI (German version of this page)

Compatibility

GnuCash compiles with many available versions of AqBanking, except for combinations of new GnuCash with old AqBanking and vice versa.

HBCI/FinTS Security Type

AqBanking for FinTS/HBCI needs the definition of a "security medium". Depending on the FinTS/HBCI version, there is a range of choices for this:

Single step authentication
  HBCI 1
    self-generated asymmetric keypair with
      • public part given to the bank
      • private part stored on your hard disk, USB stick or floppy disk
    supported on all OS, but many banks dropped single step authentication.
Two step authentication
  HBCI 2, FinTS 3
    PIN/TAN pairs
      You always have to log in with your fixed Personal Identification Number (PIN).
      Then each transaction needs authentication with its own Transaction Authentication Number (TAN).
      The way the TAN is generated varies by method:
        PIN/TAN (classic)
          from simple paper list: you can enter any unused TAN: supported on all OS
        iTAN
          from indexed paper list: the bank challenges TAN[i]: supported on all OS
        mTAN
          TAN per SMS on your mobile: supported on all OS
        chipTAN
          The TAN is generated by a chip, which is today integrated in the bank card. You need a card reader and the library libchipcard from the AqBanking family to access it.
          Warning!
            Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System
          manual
          several optical methods
            GC does not generate the flickering image, but you can manually enter the displayed number in your TAN generator. Bug 667490 - Support image-based TAN methods QR, photoTAN, and chipTAN optical "Flicker code"
            Flicker code
              The number is transferred in nibbles by an animated gif.
            QR code
              can be decoded by smartphones.

Setting up a HBCI PIN/TAN account

There are currently no documented instructions. There is no known test account with a testing bank server. To our knowledge, anyone who wants to test this needs an account at a German bank. Sorry for that.

Debugging

If there are any problems during the HBCI or OFX connection, here are further options for debugging:

  1. In GnuCash in Edit->Preferences->Online Banking:
    1. Disable Close log window when finished,
    2. enable Verbose debug messages. Since GnuCash 2.3.x this is related to AQBANKING_LOGLEVEL.
  2. To see many more log messages from AqBanking, you can set several environment variables either before starting gnucash or in the shell script gnucash or gnucash.bat. For example, in a Unix shell you would type
    # General:
    export GWEN_LOGLEVEL=info
    export AQBANKING_LOGLEVEL=info
    # For OFX:
    export AQOFX_LOG_COMM=1 # Warning: Will reveal passwords!
    export AQOFXCONNECT_LOGLEVEL=info
    # For FinTS/HBCI:
    export AQHBCI_LOGLEVEL=info # Warning: Will reveal passwords!
    
Other possible values to all of these variables are
  • debug (more verbose) or
  • warn (less verbose) or
  • error (even less verbose, default value).
However, these log messages are all sent to stdout or stderr, which by default aren't available on Windows. To make them available on Windows, you need to change the exetype of gnucash-bin.exe from "Windows" to "Console", see Windows Debugging#Changing the Exetype to See Console Output.
  • Keep in mind that there are many, many different bank servers in this world, and every one of them might behave slightly differently. Hence, if you report a bug, please also state which bank server you are using (IP address and bank name).
  • If there is a crash, it would be good to provide a stack trace of the crash, see Stack Trace.

Log Location

Up to version 5.x.x, AqBanking stores its log files for HBCI under Linux in

~/.aqbanking/backends/aqhbci/data/banks/<country code>/<Bank ID>/logs/*, with
.aqbanking a hidden directory in the user's home directory,
<country code> your ISO country code such as "de",
<Bank ID> the name or the routing number of your bank (in German: BLZ).

To enable logging of the OFX communication to /tmp/ofx.log (with warnings about revealing passwords), see Setting up OFXDirectConnect in GnuCash 2#Enabling the OFX Log.
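Because the debug output and the OFX log can contain credentials, the following added example (not part of the GnuCash wiki or of AqBanking) captures verbose output in an owner-only file and redacts OFX sign-on values before a log is attached to a bug report. It assumes the logged OFX traffic uses the standard `<USERID>`, `<USERPASS>` and `<NEWUSERPASS>` elements; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not GnuCash or AqBanking code. Assumption: the logged OFX
# traffic uses the standard sign-on elements <USERID>, <USERPASS> and
# <NEWUSERPASS>. The sample log below is constructed.

# Redact credential values from an OFX log read on stdin. Covers SGML style
# (<USERPASS>secret, no closing tag) and XML style (<USERPASS>secret</USERPASS>).
scrub_ofx_log() {
    sed -E 's#<(USERID|USERPASS|NEWUSERPASS)>[^<]*#<\1>[REDACTED]#g'
}

# Print how many credential elements on stdin still carry a real value.
count_unredacted() {
    grep -Eo '<(USERID|USERPASS|NEWUSERPASS)>[^<]*' \
        | grep -vc '\[REDACTED\]$' || true
}

# Run a command with the verbose log levels from this page, sending its
# stdout/stderr to a fresh log file that only the current user can read.
# Typical use: run_with_private_log "$HOME/gnucash-debug.log" gnucash
run_with_private_log() {
    log_file=$1
    shift
    (
        umask 077            # new files are created with mode 0600
        rm -f "$log_file"    # a pre-existing file would keep its old mode
        GWEN_LOGLEVEL=info AQBANKING_LOGLEVEL=info AQOFXCONNECT_LOGLEVEL=info \
            "$@" > "$log_file" 2>&1
    )
}

# Constructed sample: one SGML-style and one XML-style sign-on fragment.
SAMPLE_LOG='<SONRQ><USERID>jdoe42<USERPASS>hunter2<LANGUAGE>ENG
<USERID>jdoe42</USERID><USERPASS>hunter2</USERPASS>'

# Demo: show the scrubbed form of the sample.
# For a real log: scrub_ofx_log < /tmp/ofx.log > ofx-for-bugreport.log
printf '%s\n' "$SAMPLE_LOG" | scrub_ofx_log
```

Review the scrubbed file by eye before sharing it, since account numbers and balances are not touched by this filter.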

References

Tip
Use https://translate.google.com to get a usable translation of the pages.

Git Repositories

AqBanking Git repositories of source code can be found here (mirrored at ):

git clone https://git.aquamaniac.de/git/aqbanking   # the library
git clone https://git.aquamaniac.de/git/gwenhywfar  # its OS abstraction layer as dependency
git clone https://git.aquamaniac.de/git/libchipcard # optional for the use of chipcard readers

There are also gitweb browser interfaces at

http://git.aqbanking.de/gitweb/?p=gwenhywfar.git ,
http://git.aqbanking.de/gitweb/?p=aqbanking.git .

Unofficial GitHub Mirrors

Some community members set up (unofficial) GitHub mirrors:

Christian Stimming
https://github.com/cstim/aqbanking
https://github.com/cstim/gwenhywfar
There is also a continuous integration build test of gwenhywfar here: https://travis-ci.org/cstim/gwenhywfar
Felix Schwarz, Lukas Matt
https://github.com/aqbanking/gwenhywfar
https://github.com/aqbanking/aqbanking
https://github.com/aqbanking/libchipcard
A bot script updates the "github.com/aqbanking" mirror on a daily basis so it should always be up-to-date.

Currently Unsupported Open Standards

While many banks still think Security by obscurity is a good concept, some countries are changing their opinion:

AU
https://www.finder.com.au/open-banking
GB (UK)
https://www.openbanking.org.uk/