
donkeyd | 2 years ago

> I also almost never use apps like dedicated banking apps or social media apps; instead, using Safari.

Nearly every bank I know of recommends using apps over their website, since in general they're safer than using their websites. But I'm in The Netherlands and I don't know whether banking apps in different countries have the same security standards.


astrange|2 years ago

That is probably true because phones are less susceptible to keyloggers or evil browser extensions, but "security standards" have approximately nothing to do with it beyond "using HTTPS".

The security model for US banks is that it's illegal to do crimes to people's bank accounts. It doesn't involve "super secure apps"; bank account numbers and credit card numbers are super insecure, and there is little reason you should care about this insofar as you're not liable for leaking them.

cameronh90|2 years ago

The difference is that with an app, the server can ensure it's running on a safe non-compromised/jailbroken device using remote attestation (Play Integrity, App Attest).

With a web browser, there's no way of doing that by design as the user has full control over their user agent, so you need to trust the end user is following good security practices and hasn't allowed their user agent to become compromised.

However, in the EU, banks are legally liable for financial loss caused by unauthorised transfers, so they are increasingly not willing to trust that the user hasn't just loaded their browser up with malicious extensions and malware.

pc86|2 years ago

This might be true for credit cards but for the vast majority of people, even completely irrespective of income, getting your checking account number leaked to a nefarious party can absolutely cause you a hell of a lot of trouble.

Credit cards will give you the benefit of the doubt with a credit while they investigate. Banks (and credit unions) are going to be VERY hesitant to give you a 5-figure advance into a new checking account while they investigate how your account got drained when it initially looks like you did it. Even the most pro-customer policies practicable won't help when now all your automatic payments start failing. It's certainly a recipe for ruining your week and you'll likely spend the next month or two dealing with the fallout, and that's assuming you don't face crippling financial penalties because of it, which the majority of Americans would.

ChrisMarshallNY|2 years ago

> as you're not liable for leaking them.

But it's fun when you get your checking account drained, and it takes weeks to get it back.

I've seen that happen to a couple of folks.

That's also why I don't like to link my account to sites like PayPal and Venmo.

ChrisMarshallNY|2 years ago

I solve that, by not doing banking with my phone.

Social media and store loyalty apps are basically just PID harvesters.

In fact, I have a couple of solitaire games that are constantly nagging me to join leaderboards and take community challenges.

All my financial transactions are done with my Mac, which sits behind a fairly robust home network.

I know, for certain, that banking apps are the #1 first target, for hackers.

alpaca128|2 years ago

Where I live, having the app for 2FA is mandatory for online banking unless you can convince them to give you a hardware TAN generator. So transferring money is actually much less convenient in the browser because everything I do has to be confirmed with my PIN in the app, so I might as well just do it in the app directly and only log in on one device instead of two.

Of course this is actually "phone factor authentication" and not two-factor authentication, but I kinda need a bank account.

downut|2 years ago

> I solve that, by not doing banking with my phone.

Even though some scum corps like Chase make it a PITA to manage my account from a desktop through Firefox, that's the only way I'm going to interact with them.

"Download the app!"

Hard no!

In fact these are the only apps I think that appear regularly on my phone, but only when I'm traveling: AirBnB, Uber/Lyft, and whatever airline I'm currently flying on next. I think if I'm crossing borders I've installed whatever gov spyware makes TSA/Global Entry easier. They're already groping me hard, why not.

LA Fitness gets to stay because it's dumb and silent. I don't see anything else not security related. On mobile I talk to the outside world with K-9, Firefox, Signal, WhatsApp, SMS. I'm happy.