plqbfbv 2 days ago
> I giggled and said no, their developers don't understand security.

Their developers usually understand security well enough. The problem, especially for banks, is that they're zero-risk driven; their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6-year-old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with a locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).

EDIT: to be clear, it's normally not the developers thinking up these policies; I have worked in a bank.
Hizonner 2 days ago | parent
> So instead of mitigating it they chase risk elimination (!= reduction) at any cost,

I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.