Let’s say, I create a bank with the caveat that all of my banking phone apps and webapps are FOSS (or if they depend on non-free components — banks probably do to communicate with each other —, then just OSS). Am I going to be behind the competition by doing this?
If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?
Are they not doing this because they secretly collect a lot of data (on top of your payment history because of the centralized nature of card payments) through these apps?
EDIT: Clarifying question: Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?
What incentive would a bank have to release their apps as FOSS?
You probably could create an open source banking app and use it to run a bank on a primarily open source software stack. But banks are not software companies, and they have no reason to engage with the FOSS world. We could think up lots of potential reasons for why a bank might not want to release their apps as FOSS, but the simplest answer is “why would they?”
I’d love to live in a world where free software is the norm, but we’re not in that world. So if the bank has no incentive to do it other than the comparatively niche interests of the FOSS community, they just won’t do it.
There is also a lot of “security by obscurity” in the corporate/fintech world - “it’s open source so everyone can see the code which makes it less secure”. The inverse is often true thanks to Linus’s Law.
The inverse is often true thanks to Linus’s Law.
The article you linked seems to suggest that Linus’s Law is a mere suggestion, at best.
No one is suggesting that open source is inherently less secure, just that the vulnerabilities are easier to find, and thus easier to get exploited. For a third party reviewer there’s a lot of incentive not to report bugs they would find in banking software.
No one is suggesting that open source is inherently less secure
Unfortunately, I’ve met a number of people who genuinely do believe this! The same demographic who don’t know how copy and paste works or take photos of stuff on their monitor instead of print-screening and tend to end up running large corporations even though they’re completely out of touch.
Like, literally. That’s their job description.
If your software makes your clients’ life easier and your internal operations cheaper/faster/whatever, it’s a competitive advantage. Why would you give it away? Corporate greed or healthy competition, I suppose, depending on your point of view.
Thanks to PSD2 most European banks have APIs, so there isn’t actually any requirement to use the bank’s apps anymore.
Tell me more? Are there opensource banking apps that work or can for example gnucash use these APIs?
Absolutely, you are the company paying for all the work of the FOSS app, having to ensure it meets FCC regulations for banking. It’s a huge mess. Costs millions to do.
FCC regs, really? That’s comms. First I’m hearing the FCC regulates banks. But surely those regs must be quite lax because banks in the US are quite sloppy. One-factor auth is good enough… if someone gets your username & PW they can spend your money. US banks are putting their websites on Cloudflare, so all sensitive banking info and transactions are shared with a tech giant. Pretty much everything is outsourced, even simply printing statements, which puts a lot of eggs in one basket. US banks get breached regularly, like Capone who didn’t even bother to encrypt data at rest on Amazon’s server, so an Amazon contractor leaked the data.
With such lousy regulation, would it really be hard to get approval for a FOSS app?
I don’t know of anything stopping banks from creating FOSS apps, but since it’s not their area of expertise, I think they’re more likely to license an app from a provider, and existing providers don’t have a compelling incentive to open-source their apps.
If we want FOSS banking apps, I think the first and most important step would be legally requiring banks to provide standard APIs.
License bullshit. Already had a call with a smaller sustainable bank (GLS) and they are mostly totally dependent on bigger mother banks and their weird security ideas.
something something something, security by obscurity (of source code)
Am I going to be behind the competition by doing this?
Yes, because you are due a lot more diligence with open source, and that will slow down your releases.
If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?
You trade security by obscurity for security by expert oversight. I’m not a lawyer or banking auditor, but I’d say while zero-days are problematic for open source software projects, they can be life-ending for banks.
Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?
This is a false dichotomy. Financial reasons to not publicize the code are technical reasons. Finance is technical.
The only false dichotomy I see here is the claim that you can have FOSS /OR/ expert oversight. There’s no reason why you cannot have both and hire expert oversight on a FOSS project (at least apart from reasons of the corp bottom line).
You also appear to equate FOSS with “security by obscurity”, which makes no sense. FOSS is not obscure, it’s the contrary. Non-free software makes use of obscurity, but that obscurity is not used as a basis for security. So neither FOSS nor non-FOSS inherently makes use of security by obscurity.
Financial reasons to not publicize the code are technical reasons. Finance is technical.
This is an equivocation fallacy. The OP’s use of “technical reasons” implied technological feasibility. You’ve introduced a strangely broad version of the OP’s use of that term in order to muddy the waters.
I think you might have read it backwards, I equated closed source with security by obscurity. And obviously you can have both, if you pay extra.
Sure, finance is not technology, but I think it’s worth it pointing out that it’s not arbitrary or just greed or whatever, it has technicalities too.
That was quite vague, and the trade you mention is still hard to interpret. But I’ll say generally security benefits from:
1. a good number of careful eyes on the code
2. bug bounty programs
3. audits
4. red teams
Closed source has the false sense of security pitfall, which stems from the mentality that code secrecy is a protection of some kind. That pitfall is avoidable simply by not using it as a crutch for lacking security. Open source automatically avoids that pitfall. Bug bounties (2) help get motivated eyes (1) on the code (eyes motivated by generous legit rewards, as opposed to the reward of a zero day in the wrong hands). From there, I see no advantage to closed-source here.
I’m in total agreement that OSS builds more secure software. What I’m saying is that these companies are not in the business of building safe software.
From there, I see no advantage to closed-source here.
I think the easiest mental map is this: doing things well has a cost; doing things poorly can be cheaper; if it’s way cheaper and there’s some method available to de-risk it even if a little bit, no matter how little effective it is, it might be financially advantageous to pick the inferior option. This is not just for security, but pretty much everything.
Banks are opposed to anything that is “free”.
Unless it’s free to them exclusively.
Not quite sure what you mean. In the US, banks are constantly giving away free money and free stuff to open an account. Some people make a hobby out of opening accounts just to grab the free stuff and close the account as soon as the rules allow. Works great on college kids who can be bought cheaply… just offer a free t-shirt. Or if you’re in a red state you might get a free shotgun for opening an account (not joking… see Michael Moore’s film).