top | item 46556612

(no title)

Aspos | 1 month ago

Well, I've built a bunch of mobile banking apps and we did detect if the phone was rooted, was in dev mode, etc. and it is not because we were "stupid, consumer-hostile, and anti-competitive".

If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

There is no way to store customer's secrets in a PC browser securely, so all the "dangerous" transactions were outright prohibited in the web app or made available only via temporary QR login.

All this is just is a negative side effect of customer protection laws.

discuss

elric|1 month ago

These practices are strengthening the Google/Apple hegemony and are ultimately damaging user freedoms and consumer protections. I'm sure that's not your employer's intention, but it is a negative thing that they're contributing to. And because of how essential banking is, banks have a big thumb on this particular scale, and I wish they'd use it for good rathet than for enriching and entrenching evil.

Zak|1 month ago

I understand (but vehemently oppose) the argument for root detection. What risks to banks see from having developer settings enabled?

realusername|1 month ago

Great, so the no-name iPhone clone in China passes your test but EOS doesn't.

There's no way to assess the security of a rom from an app and it's about time that banks learn this reality.

Software on mobile is even more fragmented and less standardized than on desktop

izacus|1 month ago

> If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

Now that's just not true now, is it? Sure the lawyers told you that (the ones that get paid to tell you that), but nowhere in EU was a bank actually fined for not root checking a device.

They were plenty fined by being utterly incompetent with security practices and doing them poorly - like trying to inject wierd .SOs to do the root detection you're defending.

mike_hearn|1 month ago

Literally three days ago: https://www.complianceweek.com/regulatory-policy/eu-agrees-r...

"Payment service providers (PSPs) operating in the EU will have to cover customers’ losses from fraud if their fraud protection regimes are inadequate or poorly implemented under new EU rules."

Other places like the UK had such rules already.

Aspos|1 month ago

No bank got fined for not root checking, correct. However banks are on the hook for unauthorized transactions. And "unauthorized" means different thing in different countries.

In some jurisdictions if bank can prove that transaction was made with customer's key then customer can not demand their money back. That's the best case, but there are only few of such jurisdictions and even there the burden of proof is on the bank and it costs a lot.

In other jurisdictions bank must reverse a transaction even if it was proven that the transaction was signed with a legitimate key, but the key _may_ have been stolen.

In some jurisdictions (i.e U.S.) banks are required to reverse a transaction at a customer’s request, even if the customer does not dispute having made the transaction.

In any case dealing with all this is too expensive and risky.

abdullahkhalids|1 month ago

Why don't banks just make desktop computer applications?

Aspos|1 month ago

Practically impossible to store secrets in a desktop app too. Besides, customers would not willing to install a desktop app. And those who would, will require support.

mike_hearn|1 month ago

PC platforms don't have remote attestation infrastructure working.

elric|1 month ago

They used to, and some still kind of do, but no longer for consumers.