zlacker

7 comments
1. exe34+(OP) 2025-08-27 08:14:21
Last time I walked into the bank to do something, they tried to peddle their app. I giggled and said no, their developers don't understand security.

My phone is rooted and their app won't work.

replies(3): >>t_mahm+a1 >>plqbfb+Wi >>out_of+ut
2. t_mahm+a1 2025-08-27 08:28:47
>>exe34+(OP)
Unfortunately, I can say with 100% confidence that the customer service of my bank will not freaking understand what a rooted phone, or LineageOS, is ...

And my bank's web app developers couldn't even fix their login bug for several months. I realize now it's because they want to sunset their web portal.

Which is extremely annoying ... what if I don't have my mobile!!

Lazy and greedy corporates, just trying to save on costs with shortcuts, never realizing security is never achieved by taking shortcuts.

replies(1): >>markus+Pi
3. markus+Pi 2025-08-27 11:06:24
>>t_mahm+a1
They don’t care much about security as long as it doesn’t cost them much.
4. plqbfb+Wi 2025-08-27 11:07:02
>>exe34+(OP)
> I giggled and said no, their developers don't understand security.

Their developers usually understand security well enough.

The problem, especially for banks, is that they're zero-risk driven; their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6-year-old mobile, unmaintained for 4, is considered more secure than the weekly build of a community-based custom ROM running with a locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).

EDIT: to be clear, it's normally not the developers thinking up these policies; I have worked in a bank.

replies(1): >>Hizonn+tn
5. Hizonn+tn 2025-08-27 11:39:36
>>plqbfb+Wi
> So instead of mitigating it they chase risk elimination (!= reduction) at any cost,

I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.

6. out_of+ut 2025-08-27 12:16:59
>>exe34+(OP)
It's their security and not your security, don't mix them up.
replies(2): >>exe34+rI >>dpolon+YC1
7. exe34+rI 2025-08-27 13:42:54
>>out_of+ut
And yet their website works fine on my desktop Linux using a browser...
8. dpolon+YC1 2025-08-27 18:16:46
>>out_of+ut
'their security' in what way? Is an app more likely to be exploited than a web browser?