shmel 6 hours ago
Are you implying that Google is unable to distinguish whether a screenshot is triggered via a combination of hardware buttons vs via a software call from another app that isn't even in the foreground, in their own ecosystem? That's quite a sad state of affairs, isn't it?

Zak 4 hours ago
I've been unimpressed with Google's commitment to making the fundamentals of Android great. They seem to prefer doing the minimum required there and putting all their efforts into something more sexy, like generating fake photos that look like they were taken with a 2400mm lens. I don't want my phone to generate fake photos; I do want it to always let me manually take screenshots, but require turning on a permission that's a little awkward to find to allow an app to do so.

franga2000 8 hours ago
I see this argument everywhere and I've never heard of a case where a bank was liable because a customer was phished. I've even asked for examples and nobody ever provided them. It's one thing to argue in court that they should be liable because they didn't provide you with the necessary security tools (like MFA), but they all provide at least SMS 2FA these days and their apps run on iOS and Android, both of which have plenty of security features.

cwillu 7 hours ago
If a bank is required to reverse fraudulent charges (and they are), that means they're liable for those charges.

izacus 7 hours ago
In reality what happened is that some security auditor put it into a checklist for the mobile app "Security ISO certificate++" and now everyone implements it for compliance. Fighting against that is insane paperwork and professional exposure for software engineers that do it (since if people get phished, the C-suite will point a finger at the tech lead who went against the "professional security audit"). Most of the other posts here are just post-rationalization and victim blaming.

FuriouslyAdrift 4 hours ago
There was a Microsoft Terminal Server "monitoring" application that worked by recording the screen through a series of JPG screenshots. It worked surprisingly well and bypassed all kinds of controls.

AnthonyMouse 7 hours ago
> they're protecting themselves

[citation needed]

The theory here is that it provides a marginal security improvement if there is malware on the phone, but if there is malware on the phone then there are a hundred other things it can do to the same effect and you're likely screwed anyway. And by doing this, you also block the user from taking screenshots, which is bad, because screenshots are harder for computers to parse, and that's a marginal security advantage. If the user is going to send e.g. their account number to someone else (for a legitimate reason), it's better that they do it as a screenshot than that you force them to type it as text, because text is machine searchable. Which is worse when that messaging system gets compromised and then the attacker can do a text search for a pattern matching a bank routing number and be more likely to discover that message than if it was only there in a JPG.

Meanwhile the primary consequence of preventing screenshots is to inconvenience customers, which is an actual cost to the bank, because there is only a threshold amount of BS customers will put up with before switching banks, and banks are constantly pushing up against that line already with all of their other BS. But then the lower-quality banks do it anyway because there is a box they can check which sounds like it's locking something down, so they check it without thinking. Which is a great canary for customers who want to know if their bank is dumb -- if they require this then they probably do all kinds of other dumb stuff and it's a strong indication you should switch banks before you get screwed by them doing some other foolish nonsense.

high_na_euv 5 hours ago
> because screenshots are harder for computers to parse, and that's a marginal security advantage. If the user is going to send e.g. their account number to someone else (for a legitimate reason), it's better that they do it as a screenshot than that you force them to type it as text, because text is machine searchable. Which is worse when that messaging system gets compromised and then the attacker can do a text search for a pattern matching a bank routing number and be more likely to discover that message than if it was only there in a JPG.

Tbf it is 2025, not 2010, it isn't that hard.