WingNews logo WingNews
top | item 47046697

(no title)

fodmap | 13 days ago

> It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro...

Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.

I have several linux phones but I can only do banking with their app downloaded from Aurora Store in my Vollaphone.

discuss

order

shevy-java|13 days ago

This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.

Here in central Europe I can still access the bank website fine without smartphone. I need a physical device to yield a TAN though, but I can access and do online transactions fine. So I think something is wrong with the spanish government. People need to protest.

dotancohen|13 days ago

  > This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.
Or how about schools requiring parents to use WhatsApp to receive updates and information? Luckily my ex forwards to me the important stuff, but not everyone is as lucky to have an ex like mine ))

phantom784|13 days ago

Especially in Europe! They shouldn't be forcing you to run an OS from an American company.

antonyh|13 days ago

I switched bank in the UK due to enforced app use, from Starling to Nationwide. They use a card reader to issue codes, so I can still use the web. I see this as a much of a must-have as physical bank branches with real cashier services.

Mindwipe|13 days ago

The DSA European digital wallet spec currently requires Google or Apple attestation, so not for much longer.

And that is mandated by the EU.

microtonal|13 days ago

My bank still supports TAN codes with a device too. Unfortunately, once it breaks or the battery goes dead you cannot get a new one and have to use their app. Fortunately, their app works on GrapheneOS without issues.

nazcan|12 days ago

As long as it includes websites made by commercial entities. Only standardized API endpoints!

tranq_cassowary|12 days ago

Where is the government forcing you here? Does Spain have regulation that obliges the use of apps for banking for certain functionality and disallows websites? Or what are you talking about?

Tharre|13 days ago

> Not in Spain. I can access my bank's website but I can't do anything without their bank app.

I don't know about Spain specifically, but as far as I understand it no bank in the European Economic Area + UK should allow banking via just the website alone anymore, because of the "Revised Payment Services Directive" (PSD2) regulation.

Essentially, banks are required to implement "strong customer authentication", which in essence is just multi-factor authentication with a password + either biometrics or a security device of some sort.

And in practise that means a banking app, because most people do not want a separate token they have to buy and can lose. Though a lot of banks do offer those as well.

askonomm|13 days ago

In Estonia you can easily do banking via the website on all the banks (LHV, Swedbank, SEB). That said, we do have it all integrated with our digital-ID (which every ID card has private keys encoded into with a PIN you know) so it's not like you can access it with a simple password (our online voting works the same way).

gunapologist99|13 days ago

TOTP not accepted?

(When will people learn that biometrics are not another factor: they're entirely public and irrevocable. It's not just security theater, but Apple & Google know that this forces you into their ecosystem, which should be illegal. Of course, Brussels is full of rubes anyway.)

severino|13 days ago

> And in practise that means a banking app, because most people do not want a separate token they have to buy and can lose.

It can be SMS. As said in another comment, the main banks in Spain offer this authentication method while being PSD2 compliant. Some also offer a card with coordinates. So it's not mandatory in any way to use a banking app.

severino|13 days ago

I don't know which banks you are using but in my case I work with five Spanish banks and I can do everything from their websites, no app required. Yes, they try to push you to use their app, some tried to activate mobile 2fa for me when this psd2 thing became mandatory but I always told them their app doesn't work on my phone (which is true) and they offered me alternate methods like sms.

dotancohen|13 days ago

In my country we have a large religious population who eschew the smartphone. This means that no government, banking, or other services require a smartphone.

fodmap|12 days ago

Can you access their websites without the need to confirm 'who you are' with their app? In my case, not anymore.

My bank used to have other options but it has made mandatory the use of their app.

lejalv|13 days ago

> Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.

https://triodos.es has 2FA via SMS, for what is worth.

fodmap|12 days ago

My bank used to have it as well but not anymore. I wonder for how long Triodos will be able to keep that option.

FullMetalBitch|13 days ago

I have been using GrapheneOS for a few months in Spain with and out of three banking apps only one gave me trouble, I had to enable "Exploit Protection Compatibility Mode" on "app information". Personally I refuse to pay with the phone so I am okay not having that option.

If someone wants to try Graphene os maybe that option will work on their banks too.

b112|13 days ago

Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.

I've seen this elsewhere, and it's absolutely ridiculous.

Why?

Because in almost all cases, the apps may only be installed with Google Play, and require the framework to work correctly. And that means?

If you are not in good standing with Google, you cannot bank!!

I cannot stress how inane it is, to have Google or Apple as the gatekeeping to identify verification. How not having an active, in good standing account with one of these two, means you cannot bank.

And it's happening more and more.

Meanwhile, banks -- which tend to make billions in profits quarterly, do this to save on infrastructure costs. They do it so they don't have to stand up their own push servers, or have an app which doesn't require firebase.

Well cry me a river, boo-hoo Mr Banker, I'm not even remotely interested in you saving on infra-structure costs at the loss of autonomy. And on top of this, many banks are reducing hours, closing branches, claiming that they don't need them.

Leaving absolutely no other choice.

This sort of thing should be illegal. Being in Spain, but requiring a US megacorp to tell your own bank, that you're you.

jlokier|13 days ago

> They do it so they don't have to stand up their own push servers

I don't agree with this dependency on being in good standing with Google either.

But there is a technical reason that isn't wanting to avoid using their push servers. It is about battery usage and radio bandwidth.

Keeping open an idle connection over WebSocket, long-poll HTTP or TCP/IP needs regular pings (typically 30 seconds are used), one ping per connection. Otherwise your app can't be sure to receive messages from the server in real time, as the connection can disappear into CGNAT or similar hole where it doesn't receive messages sent by the server. To an app not using pings to check, such a blackholed connection is indisinguishable from an idle connection with no pending messages.

Waking the radio every 30 seconds, times 2 (back and forth), times the number of registered applications, would be quite battery draining. It drains battery both for background CPU usage and radio processing. Those pings in aggregate can even amount to a significant amount of data usage for users on smaller plans.

So there is a battery and radio advantage in using a shared push service, which only need a single idle connection to be kept live with 30 second pings.

There's another level to this, not available to regular developers using TCP/IP, HTTP or WebSockets.

The mobile network itself has to maintain handset connection liveness to the nearest tower, at a lower level than IP pings, and this is obviously optimised for battery and radio performance, and always running.

With arrangements in place with the mobile networks (which Google and Apple have), the mobile OS can leverage that for more reliable, lower power push notifications, by either guaranteeing the network will send something technically similar to a low-level SMS when there's an outstanding message, or by guaranteeing their special push IP connection will stay live by itself (no CGNAT blackhole) or be notified if something happens to it.

This allows the mobile OS to offer a shared push service that's fairly reliable at real-time notifications, with zero continuous CPU and radio power overhead for the idle connection.

afpx|13 days ago

I thought this was what Larry meant when he said surveillance will keep citizens on their best behavior. If one’s reputation score is low, sorry no money. Also, if anyone in one’s network has bad behavior, no money and no friends. Maybe the kids will learn to accept it, but being of the last analog generation, to me it seems like a painful future.

vladms|13 days ago

As far as I remember, last time I needed to use Google play on a shared phone I could just create a random Google address (I mean, completely invented name, etc.) and it allowed me to do anything, just as my normal Android.

I am too lazy to test, but did this change? Can't you just make a "fake" account and continue with your life? The phone company knows where you are, the bank knows what you purchase. Compared to that Google will know far less (ofc, if you don't activate everything)

I find it much more insane that it was possible for so long to do banking WITHOUT strong authentication (however implemented) by just providing those 3 numbers on the back of the card (strong security!)

bytejanitor|13 days ago

In Germany for some banks you can buy a TAN generator and then you do not need a smartphone app anymore. Is this an option in your area as well?

derbOac|13 days ago

It seems like the right time to advocate for open standards in things like banking.

FullMetalBitch|13 days ago

Why? Technofeudalism is not going to impose itself

bergheim|13 days ago

Especially with how things are currently, I whole heartedly agree - you cannot operate as a human being in Europe without having a good standing with either Alphabet or Apple.

Absolute madness.

abdullahkhalids|13 days ago

Similar in Canada.

- RBC 2FA is that if I try to login through my browser, the phone app will ask if I authorize the login. I think I can disable this and use sms/call, but that's even more insecure, so I don't.

- TD lets me login fine and do everything in the browser. But any online transaction that is moderately large or presumably fishy, will force me to authorize the transaction via the app.

These are among the largest banks in Canada.

rglynn|12 days ago

Other than the inconvenience, is there any privacy risk in just having a separate device purely for those apps and nothing else?

Or is it more of a principle to resist this being forced on us?