
Fun with bank security

First - Certicode. According to some new EU law (their excuse, but it's interesting that the fastidious anally retentive bank (my other account) does not do this), one needs to have a second numerical code to "prove" that they are really them. This second code will need to be entered every 90 days, and it apparently requires the use of the app with which to do it.
I'm not sure how that goes for people who don't have a phone capable of running apps. There are a few girls at work that hate the idea of smartphones and have devices that can't even take photos.

 

Yesterday I went to check my bank account to see if my pay had come in. As I couldn't use the app because it no longer worked on my phone, I went to the website, signed in, and then was unceremoniously booted out.

The computer says NO.

I then logged in again, this time selecting to use desktop mode to get the full site. This time I was able to get to a screen where I could start the authentication process.

Screenshot edited to fit (less whitespace).

I went ahead with this even though I was at work, because the last time I tried it, they posted my code. It took about a week.

Oddly enough, the (re)activation code was sent by "Verified by Visa" rather than "La Banque Postale", so I'm wondering if this is something that Visa are pushing? My other bank uses Mastercard, which may be why it isn't doing all this?

 

When I got home after walking around town and shopping, I fired up the tablet (where the bank app worked) and tried to activate the "Certicode" service on the tablet. It was 19h34, or a little after half past seven in the evening.

The interesting thing is that the tablet actually let me into my account. So I quickly transferred some money to my other account (saving up for a newer car) before it changed its mind.
Then, upon activating the Certicode service, I was greeted with:

The code has expired.

Apologies for the naff picture. The app does not permit screenshots to be taken, so I had to take a photo of the screen - a literal "screen shot". ☺

I left it until this morning.

This morning, as I needed a new code, I signed into the desktop website, and was put on hold awaiting a confirmation code sent by SMS to my telephone.

When it arrived, I signed back into my account on the tablet and noted that I had an email in my mailbox stating that my activation code had expired at 10h18 this morning. That's not what the app told me yesterday.

I asked for a new code, and thankfully received one by SMS rather than post, and was able to set up the tablet to be the special trusted device as far as the bank is concerned. So now, roughly every three months, logging into my account using the six digit PIN will fail until I start up the app (on another device) and enter the second five digit PIN on that (trusted) device.

 

I get that the bank is trying to make account access more secure, but it falls down in two ways.

Firstly, it becomes a giant inconvenience if the app no longer works. I uploaded a video demonstrating the problem to YouTube four weeks ago and sent them a link. To date, it has received zero views. It wasn't that they were on holiday, the app has been updated since then. Twice, if I remember correctly. Probably fixing other bugs...
I have also offered to run a debug build that generates a log file so we can determine exactly where in the process it is failing.
As for whether or not this problem is going to be fixed - it appears that they were able to reproduce the problem (in an email dated the 1st of December), so I guess it just means waiting until it actually gets fixed.

Secondly, while it was certainly useful to me to be able to receive codes by SMS, it seems a bit suspect to claim to be increasing security, while using a person's mobile phone as a reliable contact. Because phones never get stolen or cloned, do they?
Perhaps this ought to be combined with something that only the client themselves would know. And no, not something stupid like "your date of birth". Anybody reading this blog will know mine - day, month, and year. It is personal information, but it shouldn't be considered private.
Perhaps listing five or six direct debits (prélèvements in French) and asking which ones (don't specify a number - could be only one, could be all six) are genuine. If the client doesn't get that right, block access until they have called the bank's phone number and spoken to an actual person.
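
A sketch of the direct debit challenge suggested above, as an added example (not code from the bank or from this blog). The payee names, the `Account` class and the function names are all made up for illustration; the rule it implements is the one described: the number of genuine entries is not revealed, and one wrong answer blocks access until a person at the bank unlocks it.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data: decoy payees the client has never paid.
DECOY_POOL = ["Gym membership", "Satellite TV", "Car leasing", "Charity appeal",
              "Music streaming", "Pet insurance", "Parking permit", "Book club"]

@dataclass
class Account:
    genuine_debits: frozenset      # payees with a real direct debit on this account
    locked: bool = False           # set on a wrong answer; cleared only by bank staff

def build_challenge(account, size=6, rng=None):
    """Return `size` shuffled payees; a random number of them (at least one) are genuine."""
    rng = rng or secrets.SystemRandom()
    genuine = sorted(account.genuine_debits)
    n_genuine = rng.randint(1, min(size, len(genuine)))
    decoys = [d for d in DECOY_POOL if d not in account.genuine_debits]
    challenge = rng.sample(genuine, n_genuine) + rng.sample(decoys, size - n_genuine)
    rng.shuffle(challenge)
    return challenge

def verify(account, challenge, selected):
    """Accept only the exact set of genuine payees; any miss locks the account."""
    if account.locked:
        return False
    expected = {p for p in challenge if p in account.genuine_debits}
    if set(selected) == expected:
        return True
    account.locked = True          # no retries: unlocking needs a call to the bank
    return False

def blind_guess_odds(size=6):
    """Chance of guessing the right subset when the count is not revealed."""
    return 1 / (2 ** size - 1)     # every non-empty subset is a candidate answer
```

With six entries a blind guess succeeds about one time in 63, which is why the single-attempt lockout matters more than the list itself.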

 

Twelfth night

As is customary, I took the decorations down. I don't need bad luck, thank you. Not after 2020!

I didn't like the idea of packing up the lights. They were nice to come home to on these cold winter nights. So I unclipped them from the tree and wrapped them around the planters. They were no longer Christmas decorations, and just decorations. It helps that they are fixed orange and not multicolour or twinkly. ☺

Lights.
The lights are on, but is anybody home?

 

Beans, beans, the musical fruit

Yesterday I thought long and hard about going to a shop called Noz. Noz is weird, it's like Aladdin's Cave gone horribly right. A lot of unwanted, end of line, or overstock stuff. Prices used to be fairly cheap, but they went up in recent years, perhaps due to the number of unscrupulous people who would buy things from Noz and flog it off at twice the price in vide greniers.

I picked up a Scotland calendar, plus one of British Wildlife. You don't ask how these came to be in a little town in rural Brittany, the place is just like that. Mom once got what I think is an M&S crochet kit. Uh... yeah.
Anyway, there were two tins of baked beans remaining. I had to have them.

Beans.
Exactly what it says on the tin.

Bottle of coke for scale. Given that a regular single can of beans costs about €0,90 (if on promotion) or around €1,40 otherwise, I wasn't going to turn my nose up at 2.62kg of beans for €2,99. I paid six euros for a little over five kilograms of beans.

Step one - find some tupperware so I can split the beans into portions when opened, and put them in the fridge.
Step two - bean recipes. ☺

 

Soon a new tablet?

I recently received both an email and a letter from ADLpartner to state that my magazine subscription will begin on the 12th of January. However the large size red tablet is currently out of stock due to the unprecedented demand of their offer (really, Covid and people not able to go out and this was a surprise to them?!). They are in the process of being restocked and will be sent as soon as possible...

 

Soon a new security camera?

To date, I have had/used three connected security cameras.

A little tilt-and-turn VGA model, that unfortunately suffered a serious security flaw (of the "never connect this to the internet" level). At least the simple MJPEG video could be watched in a browser.

A fixed position 720p HD model. I still use this today, but note that it doesn't seem to like streaming outside of the LAN except by the app, even though the RTSP port is open so it should stream directly into SMPlayer. Also, the "snapshot" function is utterly useless, as can be seen from the example in the link. I can't watch the stream in a browser, it relies upon an ActiveX plug-in, like this is 1999 or something.

A Chinese tilt and turn model (1080p FHD). There's a lot to like about this, it is damned fast to boot, it is quick to respond, and the picture quality is pretty good for a €30 camera. The massive downside is that by necessity it talks to China. It seems as if a third party server acts as a gateway between the app and the camera. When present on the network, the only ports open are 23456 and 34567, with no obvious means of control (they aren't ONVIF, RTSP, or http). Which means that I can't fire off requests to control the camera from, say, my Pi. There is a method to link the camera with Alexa, but controlling it manually? Hmm...
Additionally, whilst it looks like it ought to be able to save snapshots to a µSD card, it seems as if this might not work until the cloud subscription is set up. There's a free option, but I'm not keen on data from here going god knows where. Especially for something as seemingly simple as writing information to a connected memory card.

 

Wouldn't it be nice if I could just make a simple camera that, you know, does logical stuff like:

  • Watch the stream on the device of my choosing.
  • Have it save snapshots of a reasonable quality to an SD card.
  • Have some sort of detector (PIR?) so it saves snapshots when something is detected, not every single time a cloud passes in front of the sun, or a branch of a tree wobbles.
  • Doesn't depend upon an app, can work with a browser.
Is that so much to ask?

Well, I ordered a kit from Amazon for... what was it... €15 or somesuch. It's one of those ESP32 boards, with a little camera module and a µSD interface. There's also what looks like an IR sensor, and an audio sensor.

ESP32-CAM kit (image from vendor).

It looks like the camera module is an OV2640, with a theoretical maximum resolution of UXGA (1600×1200), though it would be acceptable to store snapshots in that resolution and stream at a lower resolution such as SVGA (800×600) - I must consider that my internet upstream is ~750kilobit, so streaming near FHD needs to be frugal on how much data it actually uses.

I'm not looking forward to warming up the Arduino IDE for this thing again, especially as it looks like it will present a fairly complicated software package. God knows it took long enough to deal with the small source code used in my net radio.
Still, it will be nice to have a camera doing what I'd like it to do without making do with the often half-built commercial firmware; or worse, commercial firmware that is more interested in pushing a cloud service than being a camera.

It's coming from China, so it will be here, um.....

 

 

Your comments:


Zerosquare, 8th January 2021, 10:14
Regarding the camera, you could also do something like this: 
https://pimylifeup.com/raspberry-pi-webcam-server/
Rick, 8th January 2021, 11:46
Thanks for the link, but wow, that looks complicated.
Bernard, 8th January 2021, 16:56
Off topic, but is heyrick.eu registered to an actual EU Citizen, as implied by a para in this article? https://www.theguardian.com/politics/2021/jan/07/leaveeu-leaves-britain-after-brexit
Rick, 8th January 2021, 18:10
It says "individuals based in the EU". I am British (sadly, these days...) but I live in France and the domain is registered to that (French) address. 
 
According to EURid themselves, one is eligible to register a .eu domain name if they are "a natural citizen who is not a Union citizen and who is a resident of a Member State". That's me. 
VinceH, 9th January 2021, 15:45
Indeed, that's why - ironically - Leave.EU have changed their registration address of their domain to somewhere in Ireland.
David Pilling, 9th January 2021, 23:07
'Cause I'm a redneck woman 
I ain't no high class broad 
I'm just a product of my raising 
I say, "hey ya'll" and "yee-haw" 
And I keep my Christmas lights on 
On my front porch all year long 


© 2021 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.

 
