FinTS

FinTS (Financial Transaction Services), formerly known as HBCI (Home Banking Computer Interface), is a bank-independent protocol for online banking, developed and used by German banks.

HBCI was originally designed by the two German banking groups Sparkasse and Volksbanken und Raiffeisenbanken together with higher-level German associations such as the Association of German Banks (in German: Bundesverband deutscher Banken e.V.). The result of this effort was an open protocol specification, which is publicly available. The standardisation effort was necessary to replace the huge number of deprecated home-made software clients and servers (some of them still using BTX emulation). While IFX (Interactive Financial Exchange), OFX (Open Financial Exchange) and SET (Secure Electronic Transaction) are tailored to the North American market, HBCI is designed to meet the requirements of the European market.

The FinTS specification is publicly available on a website run by the ZKA (Zentraler Kreditausschuss, the Central Credit Committee).

Features

A transaction authentication number (TAN) is used by some online banking services as a form of single-use one-time password (OTP) to authorize financial transactions. TANs are a second layer of security above and beyond traditional single-password authentication.

Data Encryption Standard

The Data Encryption Standard is a symmetric-key algorithm for the encryption of electronic data. Although its short key length of 56 bits, criticized from the beginning, makes it too insecure for most current applications, it was highly influential in the advancement of modern cryptography.

XML

Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. The W3C's XML 1.0 Specification and several other related specifications—all of them free open standards—define XML.

HBCI has been superseded by its successor FinTS; as of 2011, 2,000 financial institutions in Germany supported FinTS.

Versions

HBCI 2.2 PIN/TAN

HBCI 2.2 PIN/TAN (or HBCI+) is an extension to HBCI that added a security method based on PINs and TANs, which had already been in use with BTX and web banking.

FinTS 3.0

For version 3.0, which formally introduced the PIN/TAN method, the specification was renamed to FinTS, whereas the original DSA- and RSA-based security method retained the name HBCI.

FinTS 4.0

In version 4.0, the basic message syntax was switched over to XML. The number of round trips required was also reduced, allowing asynchronous communication (e.g. via SMTP) for simple transaction dialogues.

Related Research Articles

The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission. As an Internet standard, SMTP was first defined in 1982 by RFC 821, and updated in 2008 by RFC 5321 to Extended SMTP additions, which is the protocol variety in widespread use today. Mail servers and other message transfer agents use SMTP to send and receive mail messages. Proprietary systems such as Microsoft Exchange and IBM Notes and webmail systems such as Outlook.com, Gmail and Yahoo! Mail may use non-standard protocols internally, but all use SMTP when sending to or receiving email from outside their own systems. SMTP servers commonly use the Transmission Control Protocol on port number 25.

SOAP is a messaging protocol specification for exchanging structured information in the implementation of web services in computer networks. Its purpose is to provide extensibility, neutrality and independence. It uses XML Information Set for its message format, and relies on application layer protocols, most often Hypertext Transfer Protocol (HTTP) or Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.

Smart card

A smart card, chip card, or integrated circuit card (ICC) is a physical electronic authorization device, used to control access to a resource. It is typically a plastic credit card sized card with an embedded integrated circuit. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, mobile phones (SIM), public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Several nations have deployed smart cards throughout their populations.

The Organization for the Advancement of Structured Information Standards (OASIS) is a global nonprofit consortium that works on the development, convergence, and adoption of open standards for security, Internet of Things, energy, content technologies, emergency management, and other areas.

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

Electronic cash was until 2007 the debit card system of the German Banking Industry Committee, the association which represents the top German financial interest groups. Usually paired with a transaction account or current account, cards with an Electronic Cash logo were only handed out by licensed credit institutions. An electronic card payment was generally made by the card owner entering their PIN at a so-called EFT-POS terminal (Electronic Funds Transfer terminal). The name “EC” originally comes from the unified European cheque system Eurocheque. Comparable debit card systems are Maestro and Visa Electron. Banks and credit institutions who issued these cards often paired EC debit cards with Maestro functionality. These combined cards, recognizable by an additional Maestro logo, were referred to as “EC/Maestro cards”.

Open Financial Exchange (OFX) is a data-stream format for exchanging financial information that evolved from Microsoft's Open Financial Connectivity (OFC) and Intuit's Open Exchange file formats.

Web Services Security is an extension to SOAP to apply security to Web services. It is a member of the Web service specifications and was published by OASIS.

Online banking, also known as internet banking, is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institution's website. The online banking system will typically connect to or be part of the core banking system operated by a bank and is in contrast to branch banking which was the traditional way customers accessed banking services.

Wireless Transport Layer Security (WTLS) is a security protocol, part of the Wireless Application Protocol (WAP) stack. It sits between the WTP and WDP layers in the WAP communications stack.

Hardware security module

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.

In computing, Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. Previously tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License, NSS upgraded to GPL-compatible MPL 2.0 with release 3.14.

WISPr or Wireless Internet Service Provider roaming is a draft protocol submitted to the Wi-Fi Alliance that allows users to roam between wireless internet service providers in a fashion similar to that which allows cellphone users to roam between carriers. A RADIUS server is used to authenticate the subscriber's credentials.

SMS banking

SMS banking is a form of mobile banking. It is a facility used by some banks or other financial institutions to send messages to customers' mobile phones using SMS messaging, or a service provided by them which enables customers to perform some financial transactions using SMS.

Chip Authentication Program

The Chip Authentication Program (CAP) is a MasterCard initiative and technical specification for using EMV banking smartcards for authenticating users and transactions in online and telephone banking. It was also adopted by Visa as Dynamic Passcode Authentication (DPA). The CAP specification defines a handheld device with a smartcard slot, a numeric keypad, and a display capable of displaying at least 12 characters. Banking customers who have been issued a CAP reader by their bank can insert their Chip and PIN (EMV) card into the CAP reader in order to participate in one of several supported authentication protocols. CAP is a form of two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed. Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading so-called phishing emails.

The Electronic Banking Internet Communication Standard (EBICS) is a German transmission protocol developed by the German Banking Industry Committee for sending payment information between banks over the internet. It grew out of the earlier BCS-FTAM protocol that was developed in 1995, with the aim of being able to use internet connections and TCP/IP. It is mandated for use by German banks and has also been adopted by France and Switzerland.

SecMsg

eMudhra SecMsg is a mobile application designed to secure the SMS channel. It allows users to send SMS messages that are encrypted and signed using PKI technology and ensures that they can be decrypted only by the intended recipient.

The German Banking Industry Committee (GBIC), previously known as the Central Credit Committee, is an industry association of the German banking industry. Its decisions are treated as normative for the national banking sector, either directly through interbank agreements or indirectly by preparing a corresponding ministerial or Bundesbank decision.

ISO 9564 is an international standard for personal identification number (PIN) management and security in financial services.

Autocrypt is a standardized guideline for e-mail clients, enabling end-to-end encryption in a user-friendly way. Version 1.0 of the Autocrypt specification was released in December 2017. It builds on and is compatible with OpenPGP, and primarily automates the exchange of cryptographic keys between users.
