Let’s say, I create a bank with the caveat that all of my banking phone apps and webapps are FOSS (or if they depend on non-free components — banks probably do to communicate with each other —, then just OSS). Am I going to be behind the competition by doing this?
If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?
Are they not doing this because they secretly collect a lot of data (on top of your payment history because of the centralized nature of card payments) through these apps?
EDIT: Clarifying question: Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?
What incentive would a bank have to release their apps as FOSS?
You probably could create an open source banking app and use it to run a bank on a primarily open source software stack. But banks are not software companies, and they have no reason to engage with the FOSS world. We could think up lots of potential reasons for why a bank might not want to release their apps as FOSS, but the simplest answer is “why would they?”
I’d love to live in a world where free software is the norm, but we’re not in that world. So if the bank has no incentive to do it other than the comparatively niche interests of the FOSS community, they just won’t do it.
There is also a lot of “security by obscurity” in the corporate/fintech world - “it’s open source so everyone can see the code which makes it less secure”. The inverse is often true thanks to Linus’s Law.
The inverse is often true thanks to Linus’s Law.
The article you linked seems to suggest that Linus’s Law is a mere suggestion, at best.
No one is suggesting that open source is inherently less secure, just that the vulnerabilities are easier to find, and thus easier to get exploited. For a third party reviewer there’s a lot of incentive not to report bugs they would find in banking software.
No one is suggesting that open source is inherently less secure
Unfortunately, I’ve met a number of people who genuinely do believe this! The same demographic who don’t know how copy and paste works or take photos of stuff on their monitor instead of print-screening and tend to end up running large corporations even though they’re completely out of touch.
Like, literally. That’s their job description.
If your software makes your clients’ life easier and your internal operations cheaper/faster/whatever, it’s a competitive advantage. Why would you give it away? Corporate greed or healthy competition, I suppose, depending on your point of view.
Thanks to PSD2 most european banks have APIs, so there isn’t actually any requireent to use the bank’s apps anymore.
Tell me more? Are there opensource banking apps that work or can for example gnucash use these APIs?
deleted by creator
Absolutely, you are the company paying for all the work of the FOSS app, having to ensure it meets FCC regulations for banking. It’s a huge mess. Costs millions to do.
FCC regs, really? That’s comms. First I’m hearing the FCC regulates banks. But surely those regs must be quite lax because banks in the US are quite sloppy. One-factor auth is good enough… if someone gets your username & PW they can spend your money. US banks are putting their websites on Cloudflare, so all sensitive banking info and transactions is shared with a tech giant. Pretty much everything is outsourced, even simply printing statements, which puts a lot of eggs in one basket. US banks get breached regularly, like Capone who didn’t even bother to encrypt data at rest on Amazon’s server, so an Amazon contractor leaked the data.
With such lousy regulation, would it really be hard to get approval for a FOSS app?
I don’t know of anything stopping banks from creating FOSS apps, but since it’s not their area of expertise, I think they’re more likely to license an app from a provider, and existing providers don’t have a compelling incentive to open-source their apps.
If we want FOSS banking apps, I think the first and most important step would be legally requiring banks to provide standard APIs.
License bullshit. Already had a call with a smaller sustainable bank (GLS) and they are mostly totally dependend on bigger mother banks and their weird security ideas
something something something, security by obscurity (of source code)
Am I going to be behind the competition by doing this?
Yes, because you are due a lot more diligence with open source, and that will slow down your releases.
If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?
You trade security by obscurity for security by expert oversight. I’m not a lawyer or baking auditor, but I’d say while zero-days are problematic for open source software projects; they can be life-ending for banks.
Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?
This is a false dichotomy. Financial reasons to not publicize the code are technical reasons. Finance is technical.
The only false dichotomy I see here is the claim that you can have FOSS /OR/ expert oversight. There’s no reason why you cannot have both and hire expert oversight on a FOSS project (at least apart from reasons of the corp bottom line).
You also appear to equate FOSS with “security by obscurity”, which makes no sense. FOSS is not obscure, it’s the contrary. Non-free software makes use of obscurity, but that obscurity is not used as a basis for security. So neither FOSS nor non-FOSS inherently makes use of security by obscurity.
Financial reasons to not publicize the code are technical reasons. Finance is technical.
This is an equivocation fallacy. The OP’s use of “technical reasons” implied technological feasibility. You’ve introduced a strangely broad version of the OP’s use of that term in order to muddy the waters.
I think you might have read it backwards, I equated closed source with security by obscurity. And obviously you can have both, if you pay extra.
Sure, finance is not technology, but I think it’s worth it pointing out that it’s not arbitrary or just greed or whatever, it has technicalities too.
That was quite vague and still hard to interpret the trade you mention. But I’ll say generally security benefits from:
- a good number of careful eyes on the code
- bug bounty programs
- audits
- red teams
Closed source has the false sense of security pitfall, which stems from the mentality that code secrecy is a protection of some kind. That pitfall is avoidable simply by not using it as a crutch for lacking security. Open source automatically avoids that pitfall. Bug bounties (2) help get motivated eyes (1) on the code (eyes motivated by generous legit rewards, as opposed to the reward of a zero day in the wrong hands). From there, I see no advantage to closed-source here.
I’m in total agreement that OSS builds more secure software. What I’m saying is that these companies are not in the business of building safe software.
From there, I see no advantage to closed-source here.
I think the easiest mental map is this: doing things well has a cost; doing things poorly can be cheaper; if it’s way cheaper and there’s some method available to de-risk it even if a little bit, no matter how little effective it is, it might be financially advantageous to pick the inferior option. This is not just for security, but pretty much everything.
Banks are opposed to anything that is “free”.
Unless it’s free to them exclusively.
Not quite sure what you mean. In the US, banks are constantly giving away free money and free stuff to open an account. Some people make a hobby out of opening accounts just to grab the free stuff and close the account as soon as the rules allow. Works great on college kids who can be bought cheaply… just offer a free t-shirt. Or if you’re in a red state you might get a free shotgun for opening an account (not joking… see Michael Moore’s film).
