
I envy the OP. Unfortunately, since September 2019 living without a SIM card became (practically) illegal in the EU.

> most online payments above €30 to go through an extra level of verification such as entering a code received via a text message. [2]

Most banks have unwisely chosen SMS as Strong Customer Authentication, providing little choice to customers.

https://ec.europa.eu/info/law/payment-services-psd-2-directi...

[2] https://www.paypal.com/uk/webapps/mpp/psd2



All but one Dutch bank (newcomer Bunq) offer authentication methods that do not rely on owning a smartphone. Most often this takes the form of a complimentary card reader that uses your debit card as a hardware private key to generate OTP codes.

Most banks do try very hard to push you to use their Android or iOS app though. I agree that it is becoming increasingly hard to exist without either an Android or iOS smartphone.

The Dutch government is mandating the use of a stronger level of authentication to access your personal medical data. Currently, the only system that meets this standard is the government Android or iOS app. An alternative is being considered that allows people to use an NFC reader on any modern computing platform with a suitable driver's licence or ID card, but this won't be available to every citizen until 2029 due to the renewal cycle of these government-issued cards. But even then I can't escape a certain sense of complacency with the government branch developing these techniques; they really seem to want everyone to either get an Android or iOS smartphone, or authorize a relative or friend to manage your digital affairs on your behalf. This latter option is of course geared towards the elderly and the digitally encumbered.

It was possible to participate digitally as a citizen in the age of the personal computer even if you didn't get Windows or Mac OS X, but in the smartphone era this freedom does not seem to exist for much longer.


ABN Amro (and I think many others as well) sends you an e-identifier device and allows you to make online iDEAL payments with those devices.


Well yes, all but one Dutch bank offer valid and secure alternatives, including ABN Amro. ABN also keeps nudging you about using their app instead at every turn (I'm a customer).

Although our own government really takes the cake in terms of 'gently nudging' people to use their app for authentication:

https://twitter.com/jdhoek/status/1214969536333651968 (in Dutch, but with screenshots illustrating the 'nudging')


There's an option on the first screenshot ("ik heb geen smartphone"). I don't know what would happen when you click that link (I already have my DigiD on iOS set up many years ago), but it seems like the government have thought about that.


Of course there is an option not to use a smartphone (for now, and it will not be available if you want to access your medical records after 2020).

The problem lies in the presentation. The styling of the “no smartphone” link is meant to convey that you are doing something undesirable, unsafe, obsolete, weird. That's behavioural nudging. This is fine when the upgrade path is clear and available to all (e.g., “Don't use Internet Explorer, get automatically updating Chrome, Edge, or Firefox”), but it is not fine if the only upgrade path is buying a smartphone and going into an agreement with (foreign) Apple or Google (for the required use of their respective app-stores).

The government should simply not be mandating citizens to own a smartphone just because they can't be arsed to embrace authentication solutions that work on any modern computer (e.g., WebAuthn, or accelerated roll-out of NFC-chip ID-passes and a way to use these with an NFC-reader on any modern OS).


Banks in the US and EU are required to have the identity on file for all bank accounts (ostensibly to combat terrorism), so sharing your phone number with them shouldn’t change the level of privacy. If it is cost people are worried about they can get a prepaid card and never use it except to receive sms. That’s effectively free.

Combined with the push to get rid of anonymous accounts and phone numbers there has also been a push to get rid of cash. I expect to see a time in my lifetime where a country will fully do away with all anonymous forms of payment, effectively making it impossible to be anonymous.


> sharing your phone number with them shouldn’t change the level of privacy

It's not sharing that is lowering the privacy level, it's having to disclose all the information to the mobile operator, in addition to the hassle of needing an additional contract with a third, unrelated party.


I'm not sure how common it is, but in the UK I've known people who have been forced to use their 'free' SIM or risk having the number revoked and the SIM disabled.


What do you mean? How were they forced to use a number they didn't want? Why would they care if a number they don't want gets disabled?


> Why would they care if a number they don't want gets disabled?

If you gave it as a security contact number to a financial institution you’d care if it was disabled.


Especially since the number will generally be recycled and given to someone else ...


Eventually. Old numbers are held out of use for, I think, five years before being reissued, specifically to address security and privacy issues like this.


When I had a prepaid phone you had to buy minutes once a year at minimum otherwise you lost your existing minutes and your number was disabled.


Let's be clear about this. Sorry I didn't make myself clearer in my post that I'd never entertain the idea of doing internet banking from a smartphone or any online PC or other facility (except an auto-teller using my card).

In fact, the last internet banking transaction I would have made would have been at least 10 years ago!


Since the inevitable conclusion is impossibility of being anonymous, I think we should push to ensure full transparency for all. Otherwise, it ends badly for those not in power.


This was John Brunner's solution in Shockwave Rider. So does it work for preventing scammers and telemarketers? I guess it does since you would know who is calling you.


The problem with this is the asymmetry of power relationships - if everything is transparent it is very easy for a powerful group to use that against an individual but much harder the other way around


That’s happening anyway with non-transparency. At least with transparency, it can be known, and perhaps acted on.


Exactly. QED.


> I expect to see a time in my lifetime where a country will fully do away with all anonymous forms of payment, effectively making it impossible to be anonymous.

That would mean either the elimination of poverty or a country that so hates its poor, it's willing to remove them from the economy altogether. I highly doubt that will happen, even in the US, where the poor are despised and hated by almost everyone. But then again, you never know.


Many poor people already use digital forms of money. The others will probably have to resort to barter. Money is really hard to kill, though; if cash is unavailable, people will create informal alternatives.


Yeah, fuck them. Just let them resort to barter.


People who assume predictions to be wishes are really tiresome.


Don't blame the EU just yet.

1. The EU didn't force the banks to use SMS.

2. The EU is aware of the privacy/security issue of SMS and is planning to actually ban using SMS OTP as a form of strong auth.

https://www.zdnet.com/article/german-banks-are-moving-away-f...


I wasn't blaming the EU (I am not in the habit of bashing the EU) and I am not saying this is a completely bad law. I am just observing the reality on the ground.


As I understand your point it has absolutely nothing to do with it being illegal to not have a SIM card. Your point is simply that it is impractical not to have a SIM card because that makes it difficult to do bank transactions. Big difference, and using 'illegal' in this context is highly misleading.


I think the implication is that if you wanted to function without a SIM card, your only way to do that would involve eschewing all above-board fiscal infrastructure and working with the grey/black market instead.

It's like being an outlaw, or a member of an untouchable caste: sure, you could just hide in a hole forever and wouldn't be breaking any laws, but in order to do anything you'd have to do it in a way that breaks a law.


But that’s just not true.


My point was really that the banks will be forced (by the EU) to drop SMS as SCA anyway. Legislation for that to happen is already in place.


Most banks use their own card reader which you can use to authorize/sign a payment, I never had to use SMS for this.


And some banks (ING, bunq, but also others) don’t require anything else than just the mobile app, using either a PIN code or biometric validation through your mobile OS. That’s way more practical, because you don’t need to have a reader in your pocket in order to do payments.


Except that you are now required to get into an agreement with Apple or Google for use of their app-stores (banks don't offer alternatives to that route).

Bunq is also a troubling development, because it is the first Dutch bank to require the use of their app, offering no alternative authentication methods (like the larger banks do). If they are allowed to do that, then what is stopping the other banks besides good customer service? ING is already notorious for having waited as long as possible before offering an alternative to their app to users of their former outdated numbered one-time code system.


Be careful what you wish for. Probably if banks are forbidden from using SMS they'll force you to use a mobile app on your Google mobile implant. (And the app will refuse to run if you have root on the phone, facilitated by strong DRM mechanisms)


Unless you summarize the law we don't know what you mean by "practically illegal."

When you say "practically illegal" I can only assume you mean "not illegal."


They're referring to the Revised Directive on Payment Services ("PSD2") passed by the European Union which imposes a requirement to use "Strong Customer Authentication" for certain financial transactions (online or contactless) to reduce fraud, among other things.

When you make a payment over a certain size, you're required to verify that it's you making the payment. It's essentially 2FA for payments: you enter the code sent by SMS, or you tap the approval button in your banking app, or you enter your PIN again for contactless transactions.

It seems a lot of payment institutions have allegedly implemented SMS verification for these transactions. I bank with Monzo (https://monzo.com) which offers an approval notification in their app.

Unless you switch to a "challenger" bank like Monzo, you're going to be getting SMS to verify transactions (otherwise the transaction won't go through) and while I consider it hyperbole to mark this as "practically illegal", it does make things rather difficult for those with no phone or SIM card.



That is probably wrong in this generality because it is used by ING, at least.


I have edited my answer.

Most institutions I know have chosen SMS for Strong Customer Authentication, which means that sooner or later, in practical life, you will need your personal SIM card (banking, doctor visit, e-prescription, e-government etc.). Unless you choose to live off the grid for real.


But also, I think you have that situation understood the other way around.

SMS was chosen because everyone has it already. So it's not a matter of being forced to have it, it's a matter of "all other alternatives are less widespread."

I think there are actually more people globally with access to mobile phones than people who have access to basic sanitation, i.e. flushing toilets.

I'm sure that many or most of those organizations have alternative, non-electronic means of interaction - such as phone, paper (writing checks), or in-person. That is the alternative to using a SIM card.


Yes, but the situation before September was that I could use my account without a SIM card. Now access to my account requires having a SIM card and a phone.

Now imagine taking all my six SIM cards on vacation to Thailand just because you may need to urgently use one of my multiple bank or brokerage accounts ;-)


So you're complaining of having to use a SIM while you have 6 SIMs?


I am not yet ready to become a hermit. But when I do, I would rather live without a phone than without a phone and a bank account. :-)


SMS is not PSD2 compliant, which means it can't be used as an SCA method.

https://www.zdnet.com/article/german-banks-are-moving-away-f...


This article summarizes a document that's titled "opinion". As long as there is no definite legal outlawing of SMS, many banks will continue to use it.


Well, the document provided is an opinion on the implementation and further clarifies the specifications. It clearly states that SMS is not PSD2 compliant. Banks found in breach will be forced to comply. I think it is more a banking license issue than a "legality" issue.

>> To fulfil its statutory objective of contributing to supervisory convergence in the EU/European Economic Area (EEA), and to do so in the specific context of the RTS, the EBA is issuing a further opinion with a view to responding to the large number of queries that the EBA and national competent authorities (CAs) have received from market participants on SCA and, in particular, on what procedure or combination of authentication elements may or may not constitute SCA


Where are you? Here in Germany, most banks do not require SMS (many have phased out SMS entirely).


In Poland, most banks I use (Citibank, Santander, Millennium and others) require confirming logging into the account via SMS at least once every two weeks. Some require confirmation via mobile app. (That wasn't obligatory before.)

It's rather that banks have phased out other methods like tokens as too expensive and troublesome.

https://www.money.pl/banki/santander-pko-bp-mbank-czy-pekao-...

https://www.spidersweb.pl/2019/09/jak-zalogowac-sie-do-banku...


Even according to these articles, most support an app-based solution that doesn't require a phone number?


This isn't so. Yes, you can use a banking app, but this might be even worse for privacy. It depends a lot on implementation details of the app. For example, the Santander app won't even start without permission to manage your phone on Android.


One thing I did is to use Twilio to get a mobile phone number (5.-/mo) and forward the SMS to email or whatever. It works pretty well and was easy to set up.

One big advantage is that number-porting attacks are much harder to pull off with them, as they have better security than most phone companies.

One downside is that the SMS must come from the same country. It's a weird limitation of their platform.


Most banks in Austria mandate their own proprietary push-TAN apps and don't support SMS as a second factor. Depending on your POV this could be better or worse.


I live in Germany, and while I need a smartphone to get the code for my online banking access, it doesn’t require a SIM card or a phone number.


That's not much better though.



