aqbanking has supported the optical chipTAN since version 5.0.19. This security system is quite common in Germany. A sample implementation can be found in AqFinance 0.9.121beta. For communication with the chipcard, this system uses a flicker picture. Video: http://www.youtube.com/watch?v=U7PnC1S-j4I
There are also requests at https://gnucash.uservoice.com/forums/101223-feature-request/suggestions/2654889-support-for-chiptan-comfort-smarttan-optic-flicke The problem is that most specs are in German while almost no coders speak German. I started https://wiki.gnucash.org/wiki/Flicker to collect and transfer information to English.
*** Bug 785411 has been marked as a duplicate of this bug. ***

In Bug 785411 - Display chipTAN "flicker" code for HBCI
John Ralls [reporter] [GnuCash developer] 2017-07-25 18:31:13 UTC wrote:

Many banks offering HBCI require authentication using the "chipTAN" system. In this system the bank sends a challenge code for the user to enter into a code generator that uses it to generate a "Transaction Authentication Number" or TAN to validate the transaction. The challenge code can be entered by hand (already supported by GnuCash) but that is cumbersome and error-prone. The code generators can also read the number from the screen using a so-called "flicker code".

Specifications are available from https://github.com/willuhn/hbci4java/blob/master/doc/tan_hhd_uc_v14.pdf

An MIT-licensed javascript implementation is available at https://github.com/my-flow/fintex/blob/master/lib/tan/flicker_code.ex

Proposal: Retrieve the challenge code from AQBanking and open an html tab/window containing the javascript and pass it the challenge code to display.

Reassign version to 2.4.x so that individual 2.4 versions can be retired.

(In reply to Frank H. Ellenberger from comment #3)
> In Bug 785411 - Display chipTAN "flicker" code for HBCI
> John Ralls [reporter] [GnuCash developer] 2017-07-25 18:31:13 UTC wrote:
>
> Many banks offering HBCI require authentication using the "chipTAN" system.
> In this system the bank sends a challenge code for the user to enter into a
> code generator that uses it to generate a "Transaction Authentication
> Number" or TAN to validate the transaction. The challenge code can be
> entered by hand (already supported by GnuCash) but that is cumbersome and
> error-prone. The code generators can also read the number from the screen
> using a so-called "flicker code".
>
> Specifications are available from
> https://github.com/willuhn/hbci4java/blob/master/doc/tan_hhd_uc_v14.pdf
>
> An MIT-licensed javascript implementation is available at
> https://github.com/my-flow/fintex/blob/master/lib/tan/flicker_code.ex
>
> Proposal: Retrieve the challenge code from AQBanking and open an html
> tab/window containing the javascript and pass it the challenge code to
> display.

"Proposal: Retrieve the challenge code from AQBanking and open an html tab/window containing the javascript and pass it the challenge code to display."

The proposal works in theory, but how can I retrieve the challenge code? I can't seem to highlight it (to copy&paste).

That's a programming proposal, not something that a user can do.
add to CC
additional info (in case you missed it): - AqBanking supports chipTAN Flickercode since version 5.0.19 (and Gwenhywfar 4.3.1, both Dec 2011, current versions 5.7.8/4.20). Extracting and decoding of the bank challenge is already done by AqBanking, all GnuCash needs is a new dialog that calls the libaqbanking code and displays the Flicker code - Javascript doing this is already available (see comment 3) - and provides a text entry receiving the TAN.
The (new) interface description: https://www.aquamaniac.de/rdm/projects/aqbanking/wiki/ImplementTanMethods
Christian reported on aqbanking-user that we already have a stub: The function call is in gnucash/import-export/aqb/gnc-gwen-gui.c, line 1414ff. But the utilization of the 3 parameters is still missing.
Does this bug also apply to support for optical TAN (aka PhotoTAN)? btw: I am a native German-speaking developer and would like to add support for ChipTAN/PhotoTAN to GnuCash (3.7)...
I'm locked out of my bank accounts due to this. I need photoTAN of Deutsche Bank.

For the record, photoTAN does not work with a chipcard like chipTAN, but a smartphone app and is bound to the smartphone instead of the chipcard. It also doesn't use a flicker image, but a static colored QR image. The user needs to scan/photograph this color image with his smartphone using a bank-specific Android/iOS app, which reads the color QR code, generates and displays a 7-digit TAN, and then the user needs to enter the TAN in the banking app.

Info:
* http://www.wikibanking.net/onlinebanking/verfahren/phototan/
* https://www.deutsche-bank.de/pk/digital-banking/sicherheit/phototan.html
* https://www.commerzbank.de/portal/de/privatkunden/hilfe-kontakt/services/tan-verfahren/phototan/phototan.html

Used by:
* Deutsche Bank (largest bank in Germany)
* norisbank
* Commerzbank (one of the largest banks in Germany)

Created attachment 373416: Support for PhotoTan

I've added support for new challenges as delivered from aqbanking. Currently I could only test the PhotoTan challenge. This works for me. I personally would implement a flicker code by generating an animated GIF from the given code and presenting it the same way as the PhotoTan image. Currently I have no account which needs a flicker code.

Comment on attachment 373416: Support for PhotoTan

Thanks, but we already have a PR for phototan and chiptan-QR, https://github.com/Gnucash/gnucash/pull/586

I like an animated gif for the flicker code better than my idea, which was to use a GtkAnimation. The animated gif would be more portable to different GUI backends.

Your patch appears to be against the 3.7 release. The codebase in git has moved substantially since then so it would have to be substantially redone to be acceptable. That's probably not worthwhile considering the almost-ready PR.

Since GnuCash 3.8 this should be included (?) but sadly I'm not presented with the animated optical flicker code. The window is popping up and expecting me to see it but it's not there. I can force the whole process to use the text input fallback but that's a bit more inconvenient.
3.8 implements the new photo and QR TAN methods but not Flicker. Sorry.
I currently only have a Flicker-Tan-Generator. I'm not sure whether it makes sense to implement the flicker code as the banks in Germany seem to move to the QR method. Nonetheless, does anyone have experience with how open the "flicker"-code standard is?
Pretty open, see comment 3.

I am not sure how it can help us, but the CLI aqhbci-tool4 got a new parameter:

`[--opticaltan=PARAM]` Specify an external tool to display optical TAN challenges

There you can specify the path to gwenview or whatever program you prefer.

Re comment 18: the easiest would be to display an animated GIF. Other options: Adobe Flash, JS or Java.

(In reply to max from comment #18)
> I currently only have a Flicker-Tan-Generator. I'm not sure whether it
> makes sense to implement the flicker code as the banks in Germany seem to
> move to the QR method.
>
> Nonetheless, does anyone have experience with how open the "flicker"-code
> standard is?

cf. https://wiki.ccc-ffm.de/projekte:tangenerator:start

@jralls What would you suggest for creating the animated GIF from within GTK (to stay as portable as possible)? I think it will be a minor effort to port the existing bash/JS code... And at the moment, I have got spare (coding) time ;-)

Alright, when you try `aqbanking-cli --opticaltan=/bin/echo request --aid=2 --transactions`, then aqbanking-cli provides you with the output: `text/x-flickercode XXXX111111`. This means we have to find/write a C library to do the generation of the image series, right?

Ingo, GnuCash has WebKit built in. Just wrap the JS in html and stuff it in a gtkwebkitwebview like Frank suggested in comment 3.

I think the code from here should do the job: https://6xq.net/flickercodes/

I also played with the "official" js code from the sparkasse which is from REINER SCT. It is quite a mess and there is no license information :/

(In reply to max from comment #25)
> I think the code from here should do the job: https://6xq.net/flickercodes/
>
> I also played with the "official" js code from the sparkasse which is from
> REINER SCT. It is quite a mess and there is no license information :/

I also stumbled across the "official" JS code from REINER SCT. It is also used by DKB bank. Is it worth the effort to contact REINER SCT and ask for licensing terms or should we use the code from 6xq.net (btw: is it GPL/license-compatible to GnuCash)?

@Ingo the license from https://6xq.net/flickercodes/ is MIT. I'm no expert in licensing but it seems to be compatible: https://en.wikipedia.org/wiki/License_compatibility#GPL_compatibility I was also thinking about contacting REINER SCT. But maybe we can first try to use the open-source one and wait for bug reports. The "core" of the flicker code does not seem complex.
Created attachment 373656: Code from 6xq.net
Thanks, Max! I looked superficially at the code, and it seems to be of good quality, very readable, and reasonable. Yes, MIT is compatible with GPL (as far as I know). Given that it's good quality code and a liberal license, I would recommend to use this and not bother with REINER SCT.

(In reply to Ben Bucksch from comment #29)
> Thanks, Max! I looked superficially at the code, and it seems to be of good
> quality, very readable, and reasonable.
>
> Yes, MIT is compatible with GPL (as far as I know).
>
> Given that it's good quality code and a liberal license, I would recommend
> to use this and not bother with REINER SCT.

Ok, then let's go ahead and integrate the 6xq-code as @jralls proposed. I wonder if it is necessary to add things like resizing of the flicker canvas, speed control and replay options (via buttons)?

I have started to work on the integration and am struggling with the webview. Here is my question: Should the HTML+JS be a) in a file and then loaded into the webview (if so, where to put the file and how to load it?), or b) "hardcoded" into a long gchar inside the source code. Suggestions are welcome :-)
Put it in a file and load it. The source location should be in gnucash/import-export/aqb and it should install to a new directory in share/gnucash/. The various chart reports can serve as examples although they're in Scheme rather than C.
@jralls Thanks, that helps 8-)
There was a new proposal for implementing the flicker code on the mailing list (https://lists.gnucash.org/pipermail/gnucash-de/2020-June/011622.html). I am still not sure which is the better way: a) webview+HTML+JS (as discussed above) or b) "native" implementation in C. Please comment/vote on this...
I imagine that the better UX would be a dialog box with the flicker code and a button to dismiss it. That would have to be in C/C++. But either way is a better UX than what we have now, so ISTM more important which one you think you can implement.
chipTAN optical (Flicker) was implemented with Commit #580975b and is available since 4.3.
Is there still something missing or can we close this bug?

I could not yet test the Flicker part on Linux; the newest version in Debian is 4.2:

rd@h370:~$ rmadison gnucash
gnucash | 1:2.6.4-3 | oldoldstable | source, amd64, armel, armhf, i386
gnucash | 1:2.6.15-1 | oldstable | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
gnucash | 1:3.4-1 | stable | source
gnucash | 1:3.4-1+b10 | stable | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
gnucash | 1:3.10-1~bpo10+1 | buster-backports | source, mips
gnucash | 1:3.10-1~bpo10+1 | buster-backports-debug | source
gnucash | 1:4.2-1~bpo10+1 | buster-backports | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
gnucash | 1:4.2-1~bpo10+1 | buster-backports-debug | source
gnucash | 1:4.2-1 | testing | source
gnucash | 1:4.2-1 | unstable | source
gnucash | 1:4.2-1 | unstable-debug | source
gnucash | 1:4.2-1+b2 | testing | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
gnucash | 1:4.2-1+b2 | unstable | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
rd@h370:~$

(In reply to Rainer Dorsch from comment #38)
> I could not yet test the Flicker part on Linux; the newest version in Debian is
> 4.2:

As long as they do not have it in backports, you can try https://wiki.gnucash.org/wiki/De/Flatpak.

(In reply to Frank H. Ellenberger from comment #37)
> Is there still something missing or can we close this bug?

In my opinion, the bug is fixed. However, I do not have the authorization to set the status to "Fixed".

I can confirm that it is working with gnucash 4.4 on Gentoo using the latest ebuild. To set it up, especially the setTanMediumId, see https://www.aquamaniac.de/rdm/projects/aqbanking/wiki/SetupPinTan (cT:YOUR NAME_1 or something like this, see your settings on the online banking site)

P.S. Why are there two bug trackers and actually two bugs for this? This bug here and one at https://github.com/Gnucash/gnucash/pull/819 which I only found by searching for the commit hash at the github repo mentioned in comment #36.

> Why are there ... two bugs for this? This bug here and one at
> https://github.com/Gnucash/gnucash/pull/819

The latter is not a bug, but it's a "pull request", meaning the code contribution (which fixes this bug) and the discussion about the code. In fact, the pull request specifically mentions "Bug 667490" (= this bug here) in the title.

Or: here is the bug, and in the PR on GitHub is the fix. Closing…