Chipcard based HBCI with KMyMoney in Debian Wheezy/sid

Sparkasse Chemnitz decided that PIN/iTAN based authentication for bank transactions is obsolete. The new methods currently advertised as the "more secure alternatives" are chipTAN and smsTAN. Neither is known for strong security, and vendor-specific implementations seemed to be even worse. The only acceptable solution for me is HBCI/FinTS using chipcards and a decent smart card reader with a pinpad. At least this method has not yet been dropped by them, and I still hope that my application for it will be granted after 13 years (August 23 will be the anniversary).

I've decided to test a ReinerSCT cyberJack and use it together with KMyMoney. The AqBanking integration of KMyMoney already provides good support for PIN/TAN based import of transactions and should be even better for chipcard access through PC/SC. The best part is the open-source userspace driver for Linux, which can be downloaded from the official webpage and is still maintained. The Ubuntu Wiki also provides an installation guide. Unfortunately, the guide is outdated and the binary distribution doesn't seem to work on a recent Debian sid system. It is still possible to get everything to work as expected.

The most important part is to install KMyMoney with the AqBanking HBCI integration from libaqbanking*-plugins and the chipcard support from libchipcard-libgwenhywfar*-plugins. The PC/SC daemon pcscd and the actual ReinerSCT driver must also be prepared. The latter needs to be compiled by us and installed system-wide using dpkg. It is highly recommended to have pbuilder or cowbuilder configured to create the Debian packages; that is easier and cleaner than building with debuild and installing all dependencies by hand on the actual system.

$ apt-get install usbutils kmymoney pcscd dpkg-dev libaqbanking33-plugins libchipcard-libgwenhywfar60-plugins
$ lsusb |grep Reiner
Bus 001 Device 003: ID 0c4b:0300 Reiner SCT Kartensysteme GmbH cyberJack pinpad(a)

The source code of the cyberjack Debian packages is slightly outdated and cannot be built on a current system. The newest version was 3.99.5_SP02 from 2011-06-14. Only small modifications are needed to fix the build failures. pbuilder can create the Debian binary packages once we supply it with the fixed Debian source package.

$ wget https://support.reiner-sct.de/downloads/LINUX/V3.99.5_SP02/pcsc-cyberjack_3.99.5final.SP02.tar.gz
$ tar xfz pcsc-cyberjack_3.99.5final.SP02.tar.gz
$ patch -d pcsc-cyberjack-3.99.5final.SP02 -p1 -i ../20110806-0-pcsc-cyberjack.patch
patching file debian/control
patching file debian/rules
patching file ifd/ifd.cpp
$ dpkg-source -b pcsc-cyberjack-3.99.5final.SP02
dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
dpkg-source: info: using source format `1.0'
dpkg-source: info: building pcsc-cyberjack in pcsc-cyberjack_3.99.5final.SP02.tar.gz
dpkg-source: info: building pcsc-cyberjack in pcsc-cyberjack_3.99.5final.SP02.dsc
$ cowbuilder --build pcsc-cyberjack_3.99.5final.SP02.dsc --buildresult pscs-cyperjack_debs/
....

A few additional packages have to be installed before the .deb files can be used. The killall tool from psmisc must be available, or the postinst script of libifd-cyberjack6 will fail. The hal package is required so that the cyberjack integration can detect supported devices. The setup can be tested by running either the console application cyberjack or the graphical interface fxcyberjack.

$ apt-get install psmisc hal
$ dpkg -i pscs-cyperjack_debs/*.deb
$ apt-get install -f
$ cyberjack
BEGIN: ermittle Distribution (0/5)
END  : ermittle Distribution (1/5) [OK]
BEGIN: ermittle Systeminformationen (1/5)
END  : ermittle Systeminformationen (2/5) [OK]
BEGIN: ermittle Gruppeninformation (2/5)
END  : ermittle Gruppeninformation (3/5) [ERROR]
BEGIN: ermittle laufende Dienste (3/5)
END  : ermittle laufende Dienste (4/5) [OK]
BEGIN: ermittle und teste angeschlossene Leser (4/5)
END  : ermittle und teste angeschlossene Leser (5/5) [OK]

Es wurden 3 Dateien im aktuellen Verzeichnis angelegt:
- cyberjack-report.log: Enthaelt die Ergebnisse der Tests
- cyberjack-hints.log : Enthaelt moeglicherweise Hinweise
                        zu gefundenen Problemen und deren
                        Behebung.
- cyberjack.xml       : Enthaelt die Testergebnisse in fuer
                        den Support aufbereiteter Form.
Bitte senden Sie bei Problemen die Datei "cyberjack.xml"
an den Linux-Support von Reiner SCT.
$ fxcyberjack

The cyberjack tool correctly recognized that there is no group called cyberjack; normal users have to be members of that group to use the card reader. A udev rule also has to be added so that the access rights of the device node are set correctly.

$ groupadd cyberjack
$ adduser sven cyberjack
$ echo 'ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0c4b", GROUP="cyberjack", MODE="660"' > \
  /etc/udev/rules.d/z80_cyberjack.rules
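A quick way to confirm that the group and udev setup above actually took effect is to check the rule file and the permissions of the reader's device node. The script below is an added example, not part of the original post or of the ReinerSCT driver; the function names are my own, the rule path and the vendor id 0c4b are taken from the post, and it assumes a Linux system with GNU (or busybox) stat, lsusb and getent. The mode check refuses any node with "other" permission bits, because a pinpad reader that every local process can open is exactly what the dedicated group is meant to prevent.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# cyberjack udev rule and the resulting USB device-node permissions.
# Function names below are this example's own choice.

# Validate one udev rule line: it must match the ReinerSCT vendor id,
# hand the node to the cyberjack group, and use mode 660 (no world access).
check_rule_line() {
    rule="$1"
    case "$rule" in
        *'ATTRS{idVendor}=="0c4b"'*) ;;
        *) echo "rule does not match vendor id 0c4b" >&2; return 1 ;;
    esac
    case "$rule" in
        *'GROUP="cyberjack"'*) ;;
        *) echo "rule does not assign group cyberjack" >&2; return 1 ;;
    esac
    case "$rule" in
        *'MODE="660"'*|*'MODE="0660"'*) ;;
        *) echo "rule mode is not 660" >&2; return 1 ;;
    esac
    return 0
}

# Turn an lsusb line such as
#   Bus 001 Device 003: ID 0c4b:0300 Reiner SCT Kartensysteme GmbH ...
# into the device node path /dev/bus/usb/001/003.
usb_node_path() {
    # shellcheck disable=SC2086  (word splitting is intended here)
    set -- $1
    [ "$1" = "Bus" ] && [ "$3" = "Device" ] || return 1
    printf '/dev/bus/usb/%s/%s\n' "$2" "${4%:}"
}

# Check that a path has no "other" permission bits (last octal digit 0).
check_node_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *) echo "$1 has mode $mode: world-accessible" >&2; return 1 ;;
    esac
}

# Check that a path is owned by the expected group (as set by the rule).
check_node_group() {
    grp=$(stat -c '%G' "$1") || return 1
    [ "$grp" = "$2" ]
}

# Run all checks against the live system; rule path as used in the post.
check_cyberjack_setup() {
    rulefile=/etc/udev/rules.d/z80_cyberjack.rules
    [ -r "$rulefile" ] || { echo "missing $rulefile" >&2; return 1; }
    check_rule_line "$(cat "$rulefile")" || return 1
    getent group cyberjack >/dev/null || { echo "no cyberjack group" >&2; return 1; }
    # One line per attached ReinerSCT device; the loop's status is the result.
    lsusb | grep '0c4b:' | while IFS= read -r line; do
        node=$(usb_node_path "$line") || continue
        check_node_mode "$node" || exit 1
        check_node_group "$node" cyberjack || exit 1
    done
}
```

Run `check_cyberjack_setup` after re-plugging the reader (udev applies the rule on the "add" event, so an already attached device keeps its old permissions until it is reconnected or `udevadm trigger` is used); a non-zero exit names the first check that failed.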

The AqBanking integration can now be configured in KMyMoney through "Tools" - "Configure AqBanking". It is important to create the "aqhbci" account before trying to use anything related to "User account" (there seems to be a small bug which causes an assertion to fail otherwise).