Aquamaniacs Banking (translation) is a library for online banking. In particular, the german online banking standard FinTS (Financial Transaction Services) is supported, which originally was named home banking common interface (HBCI) and that old name is still very common. Additionally, some other online banking standards are supported or have been, such as
- Electronic Banking Internet Communication Standard EBICS, used in CH, DE and FR,
- OFX Direct Connect, used mainly in the US, and
- in some versions Paypal are supported.
Deutsche Version: De/HBCI (German version of this page)
GnuCash compiles with many available versions of AqBanking and it's helper library Gwenhywfar, except for combinations of new gnucash with old aqbanking and vice versa.
Determinating the VersionsTo see your current versions, use the command
$ gnucash --version GnuCash 3.8 development version Build ID: git 3.8b-163-g0e6c9e219+(2020-02-19) $ aqbanking-cli versions Versions: AqBanking-CLI: 6.0.1 Gwenhywfar : 126.96.36.199 AqBanking : 188.8.131.52
$ flatpak run --command=sh org.gnucash.GnuCash [📦 org.gnucash.GnuCash ~]$ gnucash --version GnuCash 3.8 development version Build ID: git e6b3c56+(2020-01-26) [📦 org.gnucash.GnuCash ~]$ aqbanking-cli versions Versions: AqBanking-CLI: 6.0.2 Gwenhywfar : 184.108.40.206 AqBanking : 220.127.116.11 [📦 org.gnucash.GnuCash aqb]$ exit exits
In this example you can see, that the user had built a more recent version of GnuCash, but the nightly Flatpak had a more recent AqBanking than her distribution.
HBCI/FinTS Security Type
AqBanking for FinTS/HBCI needs the definition of a "security medium". Depending on the FinTS/HBCI version, there is a range of choices for this:
- Single step authentication
- HBCI 1
- self-generated asymetric keypair with
- public part given to the bank
- private part stored on your harddisk, USB stick or floppy disk
- supported on all OS, but many banks dropped single step authentication.
- Two step authentication
- You have always to log in your session with your fixed Personal Identification number (PIN).
- Then each transaction needs authentication with an own Transaction Authentification Number (TAN).
- To avoid Man-in-the-middle (MITM) attacks the TANs are ideally transmitted to you over a different medium.
- The way the TAN is generated varies by method:
- HBCI 2, FinTS 3
- PIN/TAN comes in several flavours:
- PIN/TAN (classic)
- from a simple paper list: you can enter any unused TAN: supported on all OS
- from an indexed paper list: the bank challenges TAN[i]: supported on all OS
- TAN per SMS on your mobile: supported on all OS
- The TAN is generated by a chip, which is today integrated in the bank card. You need a card reader to communicate with the chip. Some readers are stand alone devices, but others are connected with your computer. To access the connected readers the library libchipcard from the AqBanking family is required.
- Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System
- several optical methods
- GC does not generate the flickering image, but you can manually enter the displayed number in your TAN generator. Bug 667490 - Support image-based TAN methods QR, photoTAN, and chipTAN optical "Flicker code"
- Flicker code
- The number is transferred in nibbles plus parity bit by an animated gif.
- QR code
- can be decoded by smartphones.
- Photo TAN
- The TAN is sent as a photo.
- There is a more precise description: Aqbanking Wiki: Implement Tan Methods
- For this standard methods some banks use own names created by their marketing department like sm@rtTAN.
Setting up a HBCI PIN/TAN account
There are no currently documented instructions. There is no known test account with a testing bank server. To our knowledge anyone who wants to test this needs an account at a German bank. Sorry for that.
If there are any problems during the HBCI or OFX connection, here are further options for debugging:
- In Gnucash in Edit->Preferences->Online Banking:
- Disable Close log window when finished,
- enable Verbose debug messages. Since Gnucash 2.3.x this is related to AQBANKING_LOGLEVEL.
- To see much more log messages of aqbanking, you can set several environment variables either before starting gnucash or in the shell script gnucash or gnucash.bat. For example, in a Unix shell you would type
# General: export GWEN_LOGLEVEL=info export AQBANKING_LOGLEVEL=info # For OFX: export AQOFX_LOG_COMM=1 # Warning: Will reveal passwords! export AQOFXCONNECT_LOGLEVEL=info # For FinTS/HBCI: export AQHBCI_LOGLEVEL=info # Warning: Will reveal passwords!
- Other possible values to all of these variables are
- debug (more verbose) or
- warn (less verbose) or
- error (even less verbose, default value).
- Other possible values to all of these variables are
- However, these log messages are all sent to stdout or stderr, which on Windows by default isn't available. To make these available on Windows, you need to change the exetype of gnucash-bin.exe from "Windows" to "Console", see Windows Debugging#Changing the Exetype to See Console Output.
- Keep in mind that there are many many many different bank servers on this world, and every one of them might behave slightly differently. Hence, if you report a bug, please also state which bank server you are using (IP address and bank name).
- If there is a crash, it would be good to provide a stack trace of the crash, see Stack Trace.
As for aqbanking up to version 5.x.x: AqBanking stores log files for HBCI under Linux in
- ~/.aqbanking/backends/aqhbci/data/banks/<country code>/<Bank ID>/logs/*, with
- .aqbanking a hidden directory in the user's home directory,
- <country code> your ISO country code such as "de",
- <Bank ID> the name or the routing number of your bank (in German: BLZ).
To enable logging of the OFX communication to
/tmp/ofx.log (with warnings about revealing passwords), see Setting up OFXDirectConnect in GnuCash 2#Enabling the OFX Log.
Most parts are stored by the setup assistent below $HOME/.aqbanking/. Gnucash stores only an association in the account's slots in the data file.Example from an uncompressed xml file:
<slot> <slot:key>hbci</slot:key> <slot:value type="frame"> <slot> <slot:key>account-id</slot:key> <slot:value type="string">1234567890</slot:value> </slot> <slot> <slot:key>account-uid</slot:key> <slot:value type="integer">9</slot:value> </slot> <slot> <slot:key>bank-code</slot:key> <slot:value type="string">121107882</slot:value> </slot> <slot> <slot:key>trans-retrieval</slot:key> <slot:value type="timespec"> <ts:date>2017-08-27 09:33:08 -0700</ts:date> </slot:value> </slot> </slot:value> </slot>
- The account number.
- AQBanking's internal id for the account.
- The bank id: In the US it's the Routing ID.
- Timestamp for the last time a retrieval attempt was made for this account.
- HBCI, now official called FinTS - Financial Transaction Services:
- use https://translate.google.com to get a usable tranlation of the pages.
AqBanking Git repositories of source code can be found here (mirrored at ):
git clone https://git.aquamaniac.de/git/aqbanking # the library git clone https://git.aquamaniac.de/git/gwenhywfar # its OS abstraction layer as dependency git clone https://git.aquamaniac.de/git/libchipcard # optional for the use of chipcard readers
There are also gitweb browser interfaces at
- http://git.aqbanking.de/gitweb/?p=gwenhywfar.git ,
- http://git.aqbanking.de/gitweb/?p=aqbanking.git .
Unofficial GitHub Mirrors
Some community members set up (unofficial) github mirrors:
Currently Unsupported Open Standards
While many banks still think Security by obscurity is a good concept, some countries are changing their opinion: