zlacker

My bank blocks my mobile with Lineage OS, and it's not even possible to login to the web site without the mobile app. Absolutely pathetic.

Now I have to keep my 4 year old phone with 2 year outdated Android to access the bank application. Which deemed more safe then my mobile with latest security updates. Haha

>>t_mahm+(OP)
last time I walked into the bank to do something, they tried to peddle their app. I giggled and said no, their developers don't understand security.

my phone is rooted and their app won't work.

>>exe34+82
Unfortunately, I can say with 100% confident, the customer service of my bank will not freaking understand what is a rooted phone, or LineageOS ...

And my bank's web app developer couldn't even fix their log in bug for several months. I realize, now, it's because they want to sunset their web portal.

Which is extremely annoying ... what if I don't have my mobile!!

Lazy, and greedy corporates, just trying to save their costing with shortcuts, never realizing security is never achieved by taking shortcuts.

>>t_mahm+(OP)
It's even better than that. Banks (for example Revolut) consider several years old phones, running ancient OS (last I checked they allowed A10) without security updates for some 7 years, so riddled with zero-click/RCE vulnerabilities, but they do not allow GrapheneOS, which is currently the safest OS in mobiles (on par/beating iOS, depending whom you ask).

Yes, banks* claim phones riddled with maximum severity security issues are secure. Also phones that are rooted but using magisk modules to conceal this fact, and use spoofed signatures from ancient hardware, but the most safe platform is not secure enough for them.

Go figure.

*not all, there are notable exceptions explicitly supporting secure platforms through the modern Hardware Attestation model.

>>t_mahm+(OP)
You do have the option to change your bank when they consistently do dumb stuff you don't approve of. Shopping around will probably get you a better savings rate anyway.

>>subscr+j7
These are the same banks that very often have no app-based MFA login, and refuse to do anything other than send me an SMS TOTP.

The irony is that they'd rather suffer losses from fraud if the fraud is less than the cost of setting up App-based TOTP and a campaign to get customers to use the app. Yet they suddenly get all in a huff about PCI compliance as CYA so they don't have to pay an app developer to figure out how to check "is phone rooted? Yes. Which OS?"

>>yummyp+na
Unfortunately, not an option right now. Setting up foreign currency payout is difficult in my country, a lot of paperworks needed, we don't even have PayPal. Also, the previous autocratic government, that was forcefully expelled after a bloody movement, left most of the banks in ruin. So not a lot of options left.

>>t_mahm+i3
They don’t care much about security as long as it doesn’t cost them much.

>>exe34+82
> I giggled and said no, their developers don't understand security.

Their developers usually understand security well enough.

The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).

EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.

>>t_mahm+ug
There is also the issue that other factors can keep you tied to a bank. Like having a mortgage there and getting a discount on home owner insurance for it, as well as getting a discount on the mortgage interest for banking with them.

Changing banks is easy when it's just about cash in a savings account. Not so easy in other cases.

>>plqbfb+4l
> So instead of mitigating it they chase risk elimination (!= reduction) at any cost,

I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.

>>exe34+82
It's their security and not your security, don't mix up

>>out_of+Cv
and yet their website works fine on my desktop Linux using a browser...

>>out_of+Cv
'their security' in what way? Is an app more likely to be exploited than a web browser?

>>t_mahm+(OP)
If you're going so far as to install Lineage, couldn't you take the small step further and download alternate browsers to change the user agent? (Unless the default Lineage browser can do this already.)

I run a Google'd OS for now but I haven't used my bank's terrible app in years and years. I use their terrible website via desktop mode instead.

>>Andrex+gQ1
Well, to add insult to the injury, this bank does not allow website login without the mobile app. Which is absolutely infuriating. I did mention that on my comment :-)