Remix.run Logo
Zak a day ago

I'm pretty sure I'm against this. I could be convinced otherwise by documentation of significant fraud involving compromised devices (especially Android phones) that would have been stopped by a device attestation scheme.

I should note Google has such an attestation scheme, and there are reliable defeats for it in most situations given root access. Apps have been able to insist on hardware-backed attestation which has not been defeated for some time, but that isn't available for old devices. Almost none do so.

If this had a meaningful impact on fraud, more apps would insist on the hardware-backed option, but that's quite rare. Even Google doesn't; I used Google Pay contactless with LineageOS and root this week. I'm currently convinced it's primarily a corporate power grab; non-Google-approved Android won't be a consumer success if it doesn't run your banking app, and the copyright lobby loves anything that helps DRM.

ulrikrasmussen a day ago | parent [-]

Also, online banking has been a thing for so long on PCs which never had that kind of remote attestation. I also do not believe the security argument, but I believe that the banks believe it.

Zak a day ago | parent | next [-]

I suspect the banks want to do checkbox-based compliance with regulators and insurers without any deep understanding of the underlying issues.

gmueckl a day ago | parent | prev [-]

Online banking doesn't need remote attestation. Some additional locked down hardware with its own minimal display is enough. My banks force me to use devices like those made by Kobil or ReinerSCT.