[Postbank] Cannot log in #44

Open
pmoscode opened this issue Mar 12, 2024 · 8 comments

@pmoscode

Hi Folks,

I am trying to get my account balances, and I configured my "clientConfig" as discussed in #41.
But I always get this:

MessageAcknowledgement for message 1 (0): Code: 9800, Position: none, Text: 'Dialoginitialisierung abgebrochen.' SegmentAcknowledgement for message 0 (), segment 2: Code: 9040, Position: none, Text: 'Anmeldung fehlgeschlagen.'

I guess that this ('Dialoginitialisierung abgebrochen.') points to 2FA?
Btw. how long should the account number be? I tried with 9 / 10 numbers, but no luck.

@mitch000001
Owner

Hi @pmoscode, can you try to run your request with debug logging enabled and share it with us? To do so you need to set the EnableDebugLogging field of the client Config to true. Please do keep in mind that those logs also contain sensitive data, so you should scrub the output of data you don't want to share, like your PIN/password or your account information.

@pmoscode
Author

I have debugging enabled, but posted the error message only.
In the log: are the account data and PIN plaintext only? Or are they, e.g., base64 encoded too?
So, which non-obvious text should I scrub?

@mitch000001
Owner

Hi @pmoscode, sorry for coming back so late. I have investigated your error. As I am no Postbank customer I implemented an anonymous client function which fetches the bank parameter data. Those data define how the bank institute wants to be talked to. As I do not know which Postbank you use I just chose one as an example (BLZ 10010010, Postbank Berlin) and sent the request to it. It successfully returned. What I got was the following:

meta:
  createdAt: "2024-04-07T09:34:15+02:00"
parameterData:
  version: 52
  countrycode: 280
  id: "10010010"
  bankName: Postbank
  maxTransactionsPerMessage: 0
  maxMessageSize: 9999
  minTimeout: 0
  maxTimeout: 0
  pinTanBusinessTransactions:
    DKPAE: true
    HKBBS: false
    HKBMB: false
    HKBME: true
    HKBML: true
    HKBSA: true
    HKBSE: true
    HKBSL: true
    HKCCM: true
    HKCCS: true
    HKCDB: false
    HKCDE: true
    HKCDL: true
    HKCDN: true
    HKCMB: false
    HKCME: true
    HKCML: true
    HKCSA: true
    HKCSB: false
    HKCSE: true
    HKCSL: true
    HKCUB: false
    HKCUM: true
    HKDBS: false
    HKDMB: false
    HKDME: true
    HKDML: true
    HKDSA: true
    HKDSE: true
    HKDSL: true
    HKIPS: false
    HKIPZ: true
    HKKAZ: false
    HKPAE: true
    HKPRO: false
    HKSAL: false
    HKSPA: false
    HKTAB: false
    HKTAN: false
    HKWPD: false
  supportedSegments:
  - id: HIPINS
    version: 1
    parameters:
      MaxJobs: 1
      MinSignatures: 1
      PinTanSpecificParams:
        PinMinLength: 5
        PinMaxLength: 50
        TanMaxLength: 6
        UserIDText: ""
        CustomerIDText: ""
        JobSpecificPinTanInformation:
        - segmentID: HKPAE
          needsTan: true
        - segmentID: HKCME
          needsTan: true
        - segmentID: HKBME
          needsTan: true
        - segmentID: HKDML
          needsTan: true
        - segmentID: HKBSL
          needsTan: true
        - segmentID: HKDME
          needsTan: true
        - segmentID: HKDSA
          needsTan: true
        - segmentID: HKBSA
          needsTan: true
        - segmentID: DKPAE
          needsTan: true
        - segmentID: HKSPA
          needsTan: false
        - segmentID: HKCSA
          needsTan: true
        - segmentID: HKBSE
          needsTan: true
        - segmentID: HKIPS
          needsTan: false
        - segmentID: HKPRO
          needsTan: false
        - segmentID: HKCUB
          needsTan: false
        - segmentID: HKCML
          needsTan: true
        - segmentID: HKCCS
          needsTan: true
        - segmentID: HKDMB
          needsTan: false
        - segmentID: HKCUM
          needsTan: true
        - segmentID: HKWPD
          needsTan: false
        - segmentID: HKCCM
          needsTan: true
        - segmentID: HKIPZ
          needsTan: true
        - segmentID: HKSAL
          needsTan: false
        - segmentID: HKCDL
          needsTan: true
        - segmentID: HKKAZ
          needsTan: false
        - segmentID: HKCSB
          needsTan: false
        - segmentID: HKBMB
          needsTan: false
        - segmentID: HKCDE
          needsTan: true
        - segmentID: HKDBS
          needsTan: false
        - segmentID: HKCDB
          needsTan: false
        - segmentID: HKCDN
          needsTan: true
        - segmentID: HKBML
          needsTan: true
        - segmentID: HKCMB
          needsTan: false
        - segmentID: HKDSL
          needsTan: true
        - segmentID: HKCSL
          needsTan: true
        - segmentID: HKTAN
          needsTan: false
        - segmentID: HKDSE
          needsTan: true
        - segmentID: HKCSE
          needsTan: true
        - segmentID: HKTAB
          needsTan: false
        - segmentID: HKBBS
          needsTan: false
  - id: DIPINS
    version: 1
    parameters:
      businesstransactionparamssegment:
        segment: {}
        maxjobs: 1
        minsignatures: 1
        params:
        - segmentID: HKCME
          needsTan: true
        - segmentID: HKBME
          needsTan: true
        - segmentID: HKDML
          needsTan: true
        - segmentID: HKBSL
          needsTan: true
        - segmentID: HKDME
          needsTan: true
        - segmentID: HKDSA
          needsTan: true
        - segmentID: HKBSA
          needsTan: true
        - segmentID: DKPAE
          needsTan: true
        - segmentID: HKSPA
          needsTan: false
        - segmentID: HKCSA
          needsTan: true
        - segmentID: HKBSE
          needsTan: true
        - segmentID: HKIPS
          needsTan: false
        - segmentID: HKPRO
          needsTan: false
        - segmentID: HKCUB
          needsTan: false
        - segmentID: HKCML
          needsTan: true
        - segmentID: HKCCS
          needsTan: true
        - segmentID: HKDMB
          needsTan: false
        - segmentID: HKCUM
          needsTan: true
        - segmentID: HKWPD
          needsTan: false
        - segmentID: HKCCM
          needsTan: true
        - segmentID: HKIPZ
          needsTan: true
        - segmentID: HKSAL
          needsTan: false
        - segmentID: HKCDL
          needsTan: true
        - segmentID: HKKAZ
          needsTan: false
        - segmentID: HKCSB
          needsTan: false
        - segmentID: HKBMB
          needsTan: false
        - segmentID: HKCDE
          needsTan: true
        - segmentID: HKDBS
          needsTan: false
        - segmentID: HKCDB
          needsTan: false
        - segmentID: HKCDN
          needsTan: true
        - segmentID: HKBML
          needsTan: true
        - segmentID: HKCMB
          needsTan: false
        - segmentID: HKDSL
          needsTan: true
        - segmentID: HKCSL
          needsTan: true
        - segmentID: HKTAN
          needsTan: false
        - segmentID: HKDSE
          needsTan: true
        - segmentID: HKCSE
          needsTan: true
        - segmentID: HKTAB
          needsTan: false
        - segmentID: HKBBS
          needsTan: false
  - id: HIPAES
    version: 1
  - id: DIPAES
    version: 1
  - id: HITANS
    version: 6
    parameters:
      MaxJobs: 1
      MinSignatures: 1
      SecurityClass: "0"
      Tan2StepSubmissionParameter:
        OneStepProcessAllowed: false
        MoreThanOneObligatoryTanJobAllowed: false
        JobHashMethod: "0"
        ProcessParameters:
        - SecurityFunction: "920"
          TanProcess: "2"
          TechnicalIDTanProcess: BestSign
          ZKATanProcess: BestSign
          ZKATanProcessVersion: ""
          TwoStepProcessName: BestSign
          TwoStepProcessMaxInputValue: 6
          TwoStepProcessAllowedFormat: "2"
          TwoStepProcessReturnValueText: BestSign
          TwoStepProcessReturnValueTextMaxLength: 999
          MultiTANAllowed: false
          TanTimeAndDialogReference: "1"
          JobCancellationAllowed: false
          SMSAccountRequired: "0"
          IssuerAccountRequired: "2"
          ChallengeClassRequired: false
          ChallengeStructured: true
          InitializationMode: "00"
          TanMediumDescriptionRequired: "2"
          HHD_UCResponseRequired: false
          SupportedActiveTanMedia: 9
  - id: HITABS
    version: 2
  - id: HITABS
    version: 4
  - id: HIPROS
    version: 3
  - id: HISPAS
    version: 1
  - id: HIKAZS
    version: 5
  - id: HIKAZS
    version: 6
  - id: HISALS
    version: 5
  - id: HISALS
    version: 6
  - id: HIWPDS
    version: 6
  - id: HICUBS
    version: 1
  - id: HICUMS
    version: 1
  - id: HICCSS
    version: 1
  - id: HICSES
    version: 1
  - id: HICSBS
    version: 1
  - id: HICSAS
    version: 1
  - id: HICSLS
    version: 1
  - id: HICDES
    version: 1
  - id: HICDBS
    version: 1
  - id: HICDNS
    version: 1
  - id: HICDLS
    version: 1
  - id: HICCMS
    version: 1
  - id: HICMES
    version: 1
  - id: HICMBS
    version: 1
  - id: HICMLS
    version: 1
  - id: HIDSES
    version: 1
  - id: HIDBSS
    version: 1
  - id: HIDSAS
    version: 1
  - id: HIDSLS
    version: 1
  - id: HIBSES
    version: 1
  - id: HIBBSS
    version: 1
  - id: HIBSAS
    version: 1
  - id: HIBSLS
    version: 1
  - id: HIDMES
    version: 1
  - id: HIDMBS
    version: 1
  - id: HIDMLS
    version: 1
  - id: HIBMES
    version: 1
  - id: HIBMBS
    version: 1
  - id: HIBMLS
    version: 1
  - id: HIIPZS
    version: 1
  - id: HIIPSS
    version: 1

As stated in the HIPINS bpd segment the institute expects a tan process of 2, whereas we always create TAN process 4 and fetch the supported TAN process params afterwards. So I suspect that this could interfere with the authentication.
Apart from that, the error on its own, which I also got with a non-anonymous client, doesn't tell much about where exactly the error is. So the only way of finding out is somewhat brute force :/
If you also want to get the BPD, there is a branch called issue-44 and a release called v0.5.1-issue-44.

@pmoscode
Author

Hi @mitch000001,
thanks for the test, and sorry for my late response.
Can you provide some sample code to test this?

@mitch000001
Owner

Hey @pmoscode, sorry for coming back to you so late.
I have put some thought into the problem. When I wrote last time I somewhat "simplified" the problem by writing we only need to send a segment containing a process 2 TAN preparation. However, in real life things are more complicated:
Not only do we need to send a process V2, but we also need to honor the settings necessary to comply. That is: if there is a value of TanMediumDescriptionRequired: "2" we need to read it from the bank parameter data and provide it in the request.

Currently we do not fetch the BPD upfront, nor do we use most of the aspects mentioned in there. So, in order to be able to create a request we need some kind of builder which reads the BPD and creates a corresponding segment from it. There is already a way to fetch the BPD, and storing them is also prepared, so we have to teach the dialog to look for the data and use them accordingly.

@pmoscode
Author

Hi @mitch000001,
sorry for asking, but what does it mean? I'm not an HBCI expert...

@cgroschupp

If there is a value of TanMediumDescriptionRequired: "2" we need to read it from the bank parameter data and provide it in the request.

@mitch000001 How can I specify the TanMedium in the request?

@mitch000001
Owner

mitch000001 commented Sep 22, 2024

@cgroschupp You can't set it currently. See

go-hbci/dialog/dialog.go

Lines 467 to 472 in 61c8b35

    // TODO: proper handling of each case, see FINTS3.0 docu -> Ask user which to use
    for fn, name := range supportedSecurityFns {
        newSecurityFn = fn
        newSecurityFnName = name
        break
    }

The code currently just chooses the first one from the supported ones. We would need to propagate the user-specified version from the client (where it needs to be set via Config) down into the dialog.
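
An added example, not code from go-hbci: one way to replace the "take the first entry" loop discussed above with an explicit choice that fails closed and also enforces the TanMediumDescriptionRequired: "2" setting from the BPD. If supportedSecurityFns is a Go map (an assumption, the snippet does not show its type), ranging over it and breaking yields an arbitrary entry, because Go does not define map iteration order. TanProcess, UserChoice and SelectTanProcess are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// TanProcess mirrors three HITANS ProcessParameters fields from the BPD dump.
// Hypothetical type for this example, not a go-hbci type.
type TanProcess struct {
	SecurityFunction, Name, TanMediumDescriptionRequired string
}

// UserChoice is a hypothetical stand-in for values set via the client Config.
// An empty SecurityFunction means the user expressed no preference.
type UserChoice struct{ SecurityFunction, TanMedium string }

// SelectTanProcess never depends on map iteration order and fails closed.
func SelectTanProcess(supported map[string]TanProcess, c UserChoice) (TanProcess, error) {
	keys := make([]string, 0, len(supported))
	for k := range supported {
		keys = append(keys, k)
	}
	sort.Strings(keys) // stable order for error messages
	offered := strings.Join(keys, ", ")
	var p TanProcess
	switch {
	case len(keys) == 0:
		return p, fmt.Errorf("bank offers no TAN process")
	case c.SecurityFunction == "" && len(keys) > 1:
		return p, fmt.Errorf("several TAN processes offered, user must choose: %s", offered)
	case c.SecurityFunction == "":
		p = supported[keys[0]] // exactly one offered, nothing to choose
	default:
		var ok bool
		if p, ok = supported[c.SecurityFunction]; !ok {
			return p, fmt.Errorf("security function %q not offered (bank offers %s)", c.SecurityFunction, offered)
		}
	}
	// Per the thread, "2" means the medium must be provided in the request.
	if p.TanMediumDescriptionRequired == "2" && c.TanMedium == "" {
		return p, fmt.Errorf("TAN process %s (%s) needs a TAN medium name", p.SecurityFunction, p.Name)
	}
	return p, nil
}

func main() { // sample BPD entry constructed from the dump above
	bpd := map[string]TanProcess{"920": {"920", "BestSign", "2"}}
	fmt.Println(SelectTanProcess(bpd, UserChoice{TanMedium: "my-device"}))
}
```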
