zlacker

That's exactly what I'm saying. They don't let you take actions using only a web browser. If you don't use a mobile app they issue you with trusted hardware that performs a similar function (although usually less secure and not as convenient).

My bank does still allow login and txns to be authorized with a smart card reader. You have to type in fragments of the account number to authorize a new recipient. After that you can send additional transactions to that account without hardware auth.

Pure NFC tokens don't work because you need trusted IO.

>>mike_h+(OP)
Alright, I think I misunderstood you. I know most banks allow alternatives other than the app.

But just the fact that there are options which have the side effect of making you choose between convenience and digital autonomy is wrong, and I don't think remote attestation should even exist in the toolbox. We should make dedicated hardware solutions work better instead.

>>mike_h+(OP)
Not necessarily. In Poland you can do banking with a web browser + SMS code or one-time code card, no special hardware needed.

>>niutec+d7
An SMS code can only be received by a phone (special hardware, not a browser). An OTC smart card is likewise special hardware, not a browser.

>>ulrikr+32
Dedicated hardware solutions are remote attestation. The smartcard OTC readers are doing exactly that: you sign a challenge with a private key that never leaves the smartcard and is paired to the bank at the factory. This is what remote attestation is doing behind the scenes, the only difference is the smartcard user interaction is much more limited. It's of no use for protecting your financial privacy, for example, only for stopping a hacked display device authorizing transactions.

If you evolve the smartcard based systems with better I/O capabilities, then you end up with a modern smartphone. At which point you may as well let the user supply their own rather than charging them lots of money for a dedicated device that's not much different.

>>mike_h+le
Google voice is not special hardware. You’re confusing attestation with 2fa and that’s why you’re getting downvoted.

>>kortil+Th
Yeah but Google Voice isn't something you're meant to use to receive SMS codes. That's very US specific, and if you go there you've undermined the security the bank was trying to provide.

The reason they used SMS codes for a while is because phones have always tried to block malware from reading your screen or SMS storage whereas PCs don't, and because phones can do remote attestation protocols to the network as part of their login sequence. The SIM card contains keys used to sign challenges, and the network only allows authorized radio firmwares to log on. So by sending a code to a phone you have some cryptographic assurance that it was received by the right user and viewed only by them.

2FA and RA are closely related for that reason. The second factor is dedicated hardware which enforces that only a human can interact with it, and which can prove its identity cryptographically to a remote server. The mobile switching center, in the case of SMS codes.

Obviously, this was a very crude system because malware on the PC could intercept the login after the user authorized, but at least it stopped usage of the account when the user wasn't around. Modern app based systems are much more secure.

>>mike_h+gf
No, I reject the idea that general purpose computing devices should be locked down to satisfy a very narrow security use case. I really don't believe that you end up with a smartphone, and I don't think you give a very good argument for why.

I am fine with locking down devices that have very limited security purposes. I am fine with my passport containing locked down hardware if it makes it harder to forge. But I am also not browsing the web on my passport, and therefore its security requirements cannot prevent me from removing ads.

>>ulrikr+qm
OK, use a browser that lets you remove ads then! Android isn't iOS, you can run browsers that aren't Chrome and nothing about this change would stop you installing a custom browser with whatever features you want. Your banking app doesn't care what browser you use.

>>mike_h+by
You are fundamentally misunderstanding my point about freedom.

Yes, I can do it now, but this is only because Google allows me to do that on their approved Android distribution, not because they are unable to prevent me from doing it. I don't trust them to not take away that freedom from me as soon as they can be sure that they can afford the anti-trust lawsuit since their core business model is to show me ads.

I know that my bank doesn't care about my browser, but by relying on Play Integrity they are indirectly forcing me to operate in Google's control regime in every other aspect on my device.

I don't want them to control my software stack, period. I don't care if they act as the good guys right now, they have been steadily doing downhill in the moral department and I expect them to continue to do so.

I don't understand how you can act like there is no problem at all with technology like this.

>>mike_h+ik
The SMS stuff seems like theatre when SS7[1] has been known to need a nuclear-powered auto bailer for how porous it is.

[1] https://en.wikipedia.org/wiki/Signalling_System_No._7

>>Shroud+3H
... which is why none of the banks I've used support it for many years now. It's a legacy example. Modern banks all rely on apps that bind to the secure element in the phone or they issue a smartcard reader.

>>mike_h+3G2
Not all modern banks, e.g. Santander Bank in Poland still uses one-time SMS codes.

>>mike_h+ik
Don’t know what to tell you dude but you’re really out of touch on this one. Anyone with osx and iPhone also gets text messages on their laptops.