zlacker

[parent] [thread] 12 comments
1. antod+(OP)[view] [source] 2023-07-25 04:12:09
I dunno about banking sites, currently they seem to be some of the worst out there in terms of caring about modern security techniques. eg SMS 2FA at best, terrible password handling etc. They don't move very fast at all.

It feels weird that I'm now grateful for how crap they are.

replies(5): >>Gigach+F >>jasonj+Q >>MzHN+o4 >>pjmlp+9e >>dolive+xV
2. Gigach+F[view] [source] 2023-07-25 04:18:01
>>antod+(OP)
Banking apps seem to be the main users of root detection on android. One prominent bank in Australia doesn’t have a web UI at all and only allows access via app. And I suspect it’s partially for security reasons.

The average person is very likely to have malware on their computer, but not on their phone.

replies(2): >>nfried+s2 >>realus+k7
3. jasonj+Q[view] [source] 2023-07-25 04:19:34
>>antod+(OP)
.... which is why if this web integrity thing gets out, you know the next move they make will be to embrace it.
4. nfried+s2[view] [source] [discussion] 2023-07-25 04:33:42
>>Gigach+F
Funny story: I had to root my phone to get the Fidelity app to work.

I installed LineageOS, which passes the Google SafetyNet check out-of-the-box. So most things just work, including my local Credit Union's app.

But lineageOS fails the CTS profile check on my phone. Fidelity checks this after you log in and shows a "For security reasons your account has been blocked..." message.

So I had to root the phone to install a CTS profile fixer, and then more hacks to hide the fact it was rooted.

After that Fidelity worked, but requested root permission every time I launched it until I figured out how to permanently disable that.

Netflix was similar, but not quite as annoying.
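As an added example (not code from the thread or from any bank): the server-side policy a backend could apply to a SafetyNet-style attestation payload, showing the difference between an app that accepts basic integrity alone and one that also demands the CTS profile match described above. The package name, certificate digest and nonce are placeholder/constructed values.

```python
# Added example, not code from the thread: the server-side policy a bank's
# backend might apply to a SafetyNet-style attestation payload. Field names are
# the documented SafetyNet Attestation claims; all values are constructed, and
# the package name and certificate digest are placeholders. In production the
# JWS signature and certificate chain must be verified before trusting this.

MAX_AGE_MS = 5 * 60 * 1000                      # reject attestations older than 5 min
EXPECTED_PACKAGE = "com.example.bank"           # placeholder app id
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER-SIGNING-CERT-SHA256"}  # placeholder digest


def evaluate(payload: dict, expected_nonce: str, now_ms: int, strict: bool):
    """Return (allow, reason).
    strict=True behaves like an app that also demands ctsProfileMatch
    (the check the Fidelity app enforces after login); strict=False, like the
    credit union app, accepts basicIntegrity alone."""
    if payload.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed or foreign attestation)"
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > MAX_AGE_MS:
        return False, "attestation stale or clock skew"
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        return False, "attestation issued for another package"
    if not EXPECTED_CERT_DIGESTS & set(payload.get("apkCertificateDigestSha256", [])):
        return False, "signing certificate not recognised"
    if not payload.get("basicIntegrity", False):
        return False, "basic integrity failed"
    if strict and not payload.get("ctsProfileMatch", False):
        return False, "CTS profile mismatch (custom ROM or unlocked bootloader)"
    return True, "ok"


# Constructed payload for a device like the one described above: basic
# integrity passes, the CTS profile match does not.
NONCE = "session-nonce-123"
CUSTOM_ROM = {
    "nonce": NONCE,
    "timestampMs": 1690000000000,
    "apkPackageName": EXPECTED_PACKAGE,
    "apkCertificateDigestSha256": ["PLACEHOLDER-SIGNING-CERT-SHA256"],
    "basicIntegrity": True,
    "ctsProfileMatch": False,
}

if __name__ == "__main__":
    now = 1690000000000 + 30_000                # 30 s after the attestation
    print(evaluate(CUSTOM_ROM, NONCE, now, strict=False))  # (True, 'ok')
    print(evaluate(CUSTOM_ROM, NONCE, now, strict=True))   # blocked on CTS
```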

5. MzHN+o4[view] [source] 2023-07-25 04:55:26
>>antod+(OP)
Since this is currently being built on Play Integrity API, and banking _apps_ are some of the most prominent users of it, I'm sure banking sites will follow if possible.

For example, it is currently the reality in the EU that in order to use any of the native banking apps, a user has no choice but to expose themselves to privacy violations by either Google or Apple, i.e. US companies.

While at least one alternative exists, https://grapheneos.org/articles/attestation-compatibility-gu..., these alternatives are not being used in practice.

I see no way of preventing this from happening on the web as well, if the Web Environment Integrity API ships.

replies(2): >>hilios+38 >>omnimu+5l
6. realus+k7[view] [source] [discussion] 2023-07-25 05:18:49
>>Gigach+F
> The average person is very likely to have malware on their computer, but not on their phone.

Is that sarcasm? Their computer is likely more secure than the jungle of manufacturer modified roms where who knows what's inside.

7. hilios+38[view] [source] [discussion] 2023-07-25 05:23:30
>>MzHN+o4
So far I haven't encountered any issues with banking apps using microG in Germany. Could be our banking apps are even more backward though. Also, given PSD2 there is always the option of someone developing 3rd party banking apps.
replies(1): >>iggldi+gW
8. pjmlp+9e[view] [source] 2023-07-25 06:23:45
>>antod+(OP)
> SMS 2FA at best

Because their customers aren't security nerds that have smartphones with authentication apps.

They want people that barely get smartphones, or still use feature phones, to be able to access their services with some improved security workflows.

replies(1): >>pmontr+8C
9. omnimu+5l[view] [source] [discussion] 2023-07-25 07:25:57
>>MzHN+o4
I have heard a podcast with the lead dev of a local bank app talking about how they wish PWAs would be possible. Because right now they have to secure and audit web, iOS, Android. Instead, having one platform would be easier and probably more secure.

Maybe web is the right platform for these. But of course Google will use this to close things down.

10. pmontr+8C[view] [source] [discussion] 2023-07-25 10:03:45
>>pjmlp+9e
The banks' apps often generate an OTP or intercept a push notification, ask for a fingerprint and send an authorization response back to the server. I go through that with each of my banks every time I log in or make a money transfer.

I got codes via SMS when I installed those apps and I had to prove that I owned the phone number I was associating with the app.

replies(1): >>pjmlp+wC
11. pjmlp+wC[view] [source] [discussion] 2023-07-25 10:07:38
>>pmontr+8C
Good example of what many non-techie people will never understand, or even have phones capable of doing it.
12. dolive+xV[view] [source] 2023-07-25 12:38:16
>>antod+(OP)
I have 4 banking apps and about 8 government apps on my phone. All of them require device attestation. I have no doubt they will use the Web Integrity API as well.
13. iggldi+gW[view] [source] [discussion] 2023-07-25 12:42:20
>>hilios+38
> Also given PSD2 there is always the option of someone developing 3rd party banking apps.

1. From what I've seen, the PSD2 APIs haven't really been created with end users in mind – there are non-trivial accreditation requirements on people/entities wishing to make use of those APIs, the expectation being that only professional middlemen will dally with those APIs.

2. The PSD2 APIs don't necessarily cover the full functionality of a bank's online banking functionality.

3. While you can probably still get quite far with "just" the ability to query the current account data and recent transactions, as well as being able to initiate payments, this doesn't sidestep the bank's authorisation requirements – meaning that unless you can use a hardware TAN generator or something like that, you're still dependent on the bank's app for payment and account access authorisation.
