Burkina Faso General

Ebanking in Afrika

Wir können’s noch gar nicht glauben: seit kurzem haben wir Online-Zugriff auf das Laafi-Projektkonto in Burkina Faso. Willkommen in der Zukunft. Ebanking wird zudem in ganz Ouagadougou auf Plakaten beworben – in einer Stadt, in der die meisten Einwohner weder Strom- noch Wasseranschluss haben, von Internet ganz zu schweigen.

Recht praktisch finde ich die Möglichkeit, online Barauszahlungen zu veranlassen – Empfänger können sich die definierte Summe dann direkt vor Ort abholen – siehe Screenshot. Schließlich haben die meisten Leute kein Konto, auf das man überweisen könnte.

Ebanking BACB

Der Haken an der ganzen Sache ist allerdings, dass keine TANs verwendet werden – Kundennummer und Passwort reichen. Bin mir nicht sicher, ob wir dieses Risiko eingehen wollen..

3 replies on “Ebanking in Afrika”

I’m not sure about TANs. Austrian banks seem quite into them but UK banks aren’t.

TANs certainly sound secure, but are they?

TANs mean you have to have a list of all your codes in your drawer, and cross off the ones you’ve already used. So if someone physically gains access to the place where you keep them, they can conduct transactions.

My Austrian account has a password and a TAN. The password is about 15 characters long, random numbers and letters. No way to remember that. So I have to have that in a drawer as well. One is not supposed to keep the password and the TANs in the same drawer, but I wonder how many people really don’t.

In the UK, my bank has a password (dictionary word and number) and a 4-digit code. On login, it asks you to type in your password and a specific 2 digits out of your 4-digit code. That way if someone sees the web request go past, and try and fake a login, they’ll get asked for other digits from your code and won’t know them.

And I think the chances of listening in to a HTTPS (or even HTTP) conversation are quite low anyway. I don’t know of anywhere where this has happened and money has been stolen as a result. For example, Amazon allow you to pay via credit card using insecure HTTP, and say they will cover you fully in the case of any fraud. So they must be pretty certain that even HTTP is secure.

That means for my Austrian account, I have two documents in different drawers. If someone looks through all my drawers they’ll have access to my account. I don’t have a choice about this. In the UK I know both the password and the code and have destroyed all the documents.

So the UK system in this case is much more secure. Although it’s a combination of factors, not just not using TANs.

A much bigger threat than physical robbery or HTTP-listening is spyware and trojans. I’d reckon that more than 10% of people’s PCs are infected with at least some kind of adware. It’s quite easy for such programs to find out your bank credentials (and after some sessions also your UK-PIN-code) and mail them somewhere. (Also, TANs probably are necessary to keep stupid people from walking into the phishing trap.)

More sophisticated trojans even spy your TANs at input, block them at your side and have them used at a remote location in real time..

I think it’s easier to solve your password memory problem than to be really safe with those issues. (Using linux helps ;-)


ich erinnere mich an Zeiten in Ouagadougou, wo dicke CFA-Bündel aus den Automaten kamen (in meinem Fall zum Teil auch wieder drin verschwunden sind… und erst nach zweitägigem Recherchieren in der Bank wieder aufgetauscht sind:-)) – da ist so eine Entwicklung natürlich ein Quantensprung.

Comments are closed.