Sparkasse Bochum always requires a TAN #174

Closed
e7p opened this issue Oct 17, 2024 · 9 comments

@e7p

e7p commented Oct 17, 2024

For some time now, Sparkasse Bochum always requests a TAN, even though with other FinTS applications (such as hibiscus) this happens only every three months. I expect python-fints to show similar behavior, especially when it is only used to passively fetch transactions. My humble guess is that the very first message decides whether a TAN is required subsequently or not, especially the session ID. See the first output of the test script in the attached log file python_fints.log (I replaced sensitive data with "REDACTED"). This includes everything before the TAN request.

As a comparison, here is the first message of Hibiscus connecting to the same account, which already differs a lot, so I feel very lost having no knowledge about this complicated FinTS standard:

HNHBK:1:3+000000000486+300+0+1'HNVSK:998:3+PIN:2+998+1+1::2e5c638ad4444af3845bfe898bbd2d+1:20241017:152241+2:2:13:@8@:5:1+280:43050001:REDACTED:V:0:0+0'HNVSD:999:1+@296@HNSHK:2:4+PIN:2+911+2141179847+1+1+1::2e5c638ad4444af3845bfe898bbd2d+1+1:20241017:152238+1:999:1+6:10:16+280:43050001:REDACTED:S:0:0'HKIDN:3:2+280:43050001+REDACTED+2e5c638ad4444af3845bfe898bbd2d+1'HKVVB:4:3+14+0+1+A44C2953982351617D475443E+2.8'HKTAN:5:6+4+HKIDN++++N'HNSHA:6:2+2141179847++REDACTED''HNHBS:7:1+1'

And the first response of the server, cut before the UPD update, clearly stating "Starke Kundenauthentifizierung nicht notwendig.". This message does not arrive with python-fints:

HNHBK:1:3+000000002400+300+364504026171=678165671273BI4I=+1+364504026171=678165671273BI4I=:1'HNVSK:998:3+PIN:2+998+1+2::2e5c638ad4444af3845bfe898bbd2d+1:20241017:152241+2:2:13:@8@:5:1+280:43050001:REDACTED:V:0:0+0'HNVSD:999:1+@2146@HNSHK:2:4+PIN:2+911+2141179847+1+1+2::2e5c638ad4444af3845bfe898bbd2d+1+1:20241017:152241+1:999:1+6:10:16+280:43050001:REDACTED:S:0:0'HIRMG:3:2+3060::Bitte beachten Sie die enthaltenen Warnungen/Hinweise.'HIRMS:4:2:4+3050::UPD nicht mehr aktuell, aktuelle Version enthalten.+3920::Zugelassene Zwei-Schritt-Verfahren für den Benutzer.:910:911:912:913+0020::Der Auftrag wurde ausgeführt.'HIRMS:5:2:5+3076::Starke Kundenauthentifizierung nicht notwendig.'
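
To check a debug log for the 3076 status quoted above, the FinTS response can be split into segments and its HIRMG/HIRMS return codes listed. This is an added example, not part of the original post and not python-fints code; the function names and the sample message are constructed for illustration.

```python
import re

def split_fints(data, sep):
    """Split bytes on an unescaped separator ('?' escapes, @len@ binary is opaque)."""
    parts, start, i = [], 0, 0
    while i < len(data):
        binary = re.match(rb"@(\d+)@", data[i:i + 12])
        if data[i:i + 1] == b"?":
            i += 2                                    # escaped char is never a separator
        elif binary:
            i += binary.end() + int(binary.group(1))  # jump over the binary payload
        elif data[i:i + 1] == sep:
            parts.append(data[start:i])
            i += 1
            start = i
        else:
            i += 1
    if start < len(data):
        parts.append(data[start:])
    return parts

def response_codes(message):
    """Map every HIRMG/HIRMS return code in a message to its parameter list."""
    codes = {}
    for segment in split_fints(message, b"'"):
        elements = split_fints(segment, b"+") or [b""]
        name = elements[0].split(b":")[0]
        if name == b"HNVSD" and len(elements) > 1:    # envelope around the real segments
            codes.update(response_codes(re.sub(rb"^@\d+@", b"", elements[1])))
        elif name in (b"HIRMG", b"HIRMS"):
            for group in elements[1:]:
                fields = [f.decode("iso-8859-1") for f in split_fints(group, b":")]
                codes[fields[0]] = fields[3:]         # code, reference, text, params...
    return codes

def sca_waived(message):
    """True if the bank answered with 3076 (strong authentication not necessary)."""
    return "3076" in response_codes(message)

# Constructed sample modelled on the response quoted above, not a real capture.
INNER = ("HIRMG:3:2+3060::Bitte beachten Sie die enthaltenen Warnungen/Hinweise.'"
         "HIRMS:4:2:4+3920::Zugelassene Zwei-Schritt-Verfahren für den Benutzer."
         ":910:911:912:913+0020::Der Auftrag wurde ausgeführt.'"
         "HIRMS:5:2:5+3076::Starke Kundenauthentifizierung nicht notwendig.'"
         ).encode("iso-8859-1")
SAMPLE = b"HNHBK:1:3+000000000000+300+0+1'HNVSD:999:1+@%d@%s'HNHBS:7:1+1'" % (len(INNER), INNER)
```

Running `sca_waived()` on the first response of each client shows whether the bank accepted the dialog without a TAN, and the parameters of 3920 list the two-step methods the bank allows for the user.
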
@raphaelm
Owner

Likely same as #165, I can only help debugging once my Sparkasse rolled it out too

@raphaelm
Owner

Please try again with python-fints 4.2.0 and storing the system ID and passing it to the next run:
https://python-fints.readthedocs.io/en/latest/tans.html#system-ids

If the issue persists, feel free to reopen.

@e7p
Author

e7p commented Oct 27, 2024

Thanks! The system ID argument feature works as intended.

@lutuh

lutuh commented Oct 28, 2024

@e7p Would you kindly elaborate on your usage of the system ID in more detail?

I obtained my system ID like this:

client = FinTS3PinTanClient(...) # without specifying system_id
minimal_interactive_cli_bootstrap(client)
print(client.system_id)

The system ID is a string with 30 characters.
While doing so, my 2FA application presented an authorization request with the title "Gerät als vertrauenswürdig speichern", which I confirmed.

After confirmation, I assumed that my python application would show up in the Sparkasse settings interface ("Geräteverwaltung"). This was not the case.

I now passed the 30-char system_id to FinTS3PinTanClient and tried to access the balance of the first account:

client = FinTS3PinTanClient(..., system_id='6e8b6...')
accounts = client.get_sepa_accounts()

This fails with the following output:

ERROR:fints.client:Dialog response: 9050 - Die Nachricht enthält Fehler.
ERROR:fints.client:Dialog response: 9075 - Banking-Programm nicht PSD2-fähig, bitte aktualisieren.
...
fints.exceptions.FinTSNoResponseError: The bank's response did not contain a response to your request, please inspect debug log.

Did I forget something? Thank you very much for having a look at my code.

@e7p
Author

e7p commented Oct 28, 2024

@lutuh I use it with https://github.com/pretix/pretix-banktool

There I also simply added a print(client.system_id) in the end, leading to a 30-digit hex-string as well. This one I could use afterwards in the constructor. Looking at your code altogether it is quite the same.

I assume it could have something to do with your bank? They all handle stuff a bit differently, so probably @raphaelm can help if you could name the bank.

@lutuh

lutuh commented Oct 30, 2024

@e7p Thank you for your input.

My bank is Sparkasse Leipzig, see #173

@FabKn

FabKn commented Nov 3, 2024

@lutuh I had the same issue with Sparkasse Ahrweiler. Try this - in my case it works:

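from fints.client import FinTS3PinTanClient
from fints.utils import minimal_interactive_cli_bootstrap

# First run: no system ID yet, so the bank asks for a TAN confirmation.
client = FinTS3PinTanClient(*client_args, product_id=product_id, system_id=None)
with client:
    if client.init_tan_response:
        challenge = client.init_tan_response
        tan = input("Please press enter after confirming the transaction in your app:")
        client.send_tan(challenge, tan)
        system_id = client.system_id  # keep the system ID the bank assigned

# Later runs: pass the stored system ID back in.
client = FinTS3PinTanClient(*client_args, product_id=product_id, system_id=system_id)
client.selected_tan_medium = ''
minimal_interactive_cli_bootstrap(client)
accounts = client.get_sepa_accounts()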
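
Because the thread shows the bank skipping the TAN once a known system ID is presented, the stored value deserves the same file protection as other credentials. The following is an added example, not code from the thread or from python-fints; `save_system_id`, `load_system_id` and the state-file path are hypothetical names.

```python
import os
import stat
import tempfile

def save_system_id(path, system_id):
    """Atomically write the system ID to a file only the owner can access."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)   # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(system_id)
        os.replace(tmp, path)                   # readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise

def load_system_id(path):
    """Return the stored system ID, or None on the first run."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    if mode & (stat.S_IRWXG | stat.S_IRWXO):    # refuse files open to group or other
        raise PermissionError(f"{path} is accessible to group/other")
    with open(path) as fh:
        return fh.read().strip() or None

# Intended use with the client from the thread (hypothetical path):
#   system_id = load_system_id("/home/user/.config/fints_system_id")
#   client = FinTS3PinTanClient(*client_args, product_id=product_id, system_id=system_id)
#   ... run the dialog, then:
#   save_system_id("/home/user/.config/fints_system_id", client.system_id)
```
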

@raphaelm
Owner

raphaelm commented Nov 3, 2024

I also found a small bug in the release that I fixed today with a new release, not sure if it's related

@lutuh

lutuh commented Nov 8, 2024

@FabKn @raphaelm Thank you very much for your help and input.

Using 4.2.3 with the approach that @FabKn mentioned, I got the access working again.

It is really strange that even once the system_id is assigned, one cannot just call client.get_sepa_accounts() but has to do minimal_interactive_cli_bootstrap(client) first (which is not interactive because the system_id is already set).

@raphaelm I guess this approach is specific to Sparkassen. But since they are quite popular, would you mind a PR for the documentation where I extend the https://python-fints.readthedocs.io/en/latest/tans.html#system-ids section with the code from @FabKn ?
