Arbortheus a day ago

Do those same banks have websites that you can access from a computer with root access? Most likely, yes.

tux3 a day ago | parent | next [-]

There's a trend of online banks forcing the use of an app. I can't login to one of my banks' website since last year without using a QR code from their app.

Of course they slathered the app with tracking, 'security', and analytics SDKs, so rooted devices are rejected. I had no way to log into this bank account after they made that change, which is simply wonderful.

Anyways, they're not yet at the point where they've learned to do the checks server-side. For now it's a one-line patch to skip the root screen. But the Play Integrity API is designed correctly; if they learn to use it, there will be no workaround without someone finding a hardware vulnerability somewhere.

ljm a day ago | parent | next [-]

Depends on what country you're in. In the UK, the banks are often held liable for various scams that involve the transfer of money, so they up the security over and over again. A bank will rightly argue why it's responsible for an old granny sending her life savings to her new lover in Namibia, so it seeks to block that transaction in the first place.

Some of that liability is fair but most of it is the government telling the banks to account for the loss when someone is scammed. They are obviously going to mitigate that as much as they can.

jdiff a day ago | parent | next [-]

Rooted devices don't enable that transaction. That's all social engineering.

mike_hearn a day ago | parent | next [-]

It's all social engineering now but that's because phones are secure and remote attestation infrastructure is in place.

Go back fifteen years and malware is absolutely submitting bank transactions after the user does a 2FA.

https://krebsonsecurity.com/2010/03/crooks-crank-up-volume-o...

jack_pp a day ago | parent | prev [-]

and grandmas don't root their devices.

pixl97 a day ago | parent [-]

As a devil's advocate: grandma would have no idea if she was buying or got her device rooted by someone else.

themafia a day ago | parent | prev [-]

> so they up the security

They're upping the surveillance, not the security, quite demonstrably.

This is meant to protect /them/ from liability and not /you/ from loss.

cons0le a day ago | parent | prev | next [-]

Yep, hardware attestation is becoming more common, even with websites.

This is why LineageOS is actually dead in the water, even though they're "in talks with hardware vendors". It doesn't matter when people can't use the apps and services they need.

seanmcdirmid a day ago | parent | next [-]

This reminds me of when living in South Korea used to require Internet Explorer/ActiveX to get anything done online:

https://en.wikipedia.org/wiki/Web_compatibility_issues_in_So...

hyghjiyhu a day ago | parent | prev [-]

A solution could be having a tiny non-rooted Android system as a "coprocessor".

ExpertAdvisor01 a day ago | parent [-]

This won't work. The tiny non-rooted system wouldn't get certified by Google and therefore not pass hardware attestation, which most banking apps use.

hyghjiyhu a day ago | parent | next [-]

Well you could take a certified system off-the-shelf and integrate it into a bigger thing.

NoGravitas a day ago | parent | prev [-]

I think they mean having a second non-rooted phone that is certified but cheap.

adrr a day ago | parent | prev | next [-]

Bunch of fintechs only let you sign up from an app. Easier to secure and prevent bots. Pin certs, detect virtualization, etc.

lenerdenator a day ago | parent [-]

And, of course, easier to get the valuable data about the person setting up an account.

adrr a day ago | parent [-]

Like what data? Curious because I built and launched a challenger bank.

Ritewut a day ago | parent | next [-]

What app developers find most valuable is what other apps you use and what competitors apps you have so they can target you more effectively. If you have Peloton or Tonal, they want to know if you have the Strava app on your phone for example.

adrr a day ago | parent [-]

Only on older versions of Android. Apps are very locked down on what you can get. I would have loved to be able to fingerprint a device when I was at the challenger bank, and the application list is very good for fingerprinting. We would fingerprint on the web to detect bots.

JCattheATM a day ago | parent | next [-]

> application list is very good for fingerprinting..

So is the personal, private content of my texts, why not go for that while you're at it?

itsgabriel a day ago | parent | prev [-]

Did you know about this workaround? Afaik it's still active https://peabee.substack.com/p/everyone-knows-what-apps-you-u...

lenerdenator a day ago | parent | prev [-]

Theoretically any sort of data that apps in a given OS can access through an API.

jacobthesnakob a day ago | parent | prev | next [-]

Normiefication. Normies do everything on their phones; it’s the companies meeting the masses where they are. I’ve seen people fight for their lives to do a spreadsheet on their phones when there’s a laptop they own gathering dust less than 50 feet away.

nitwit005 a day ago | parent | next [-]

Possibly, but companies seem strangely set on getting people to install apps, even when the feedback is negative.

Offering a monetary reward for installing apps seems fairly common. Chevron had someone at my gas station offering something like $5 of free gas, plus $1 a gallon off of the next three purchases. If it was something the customers wanted, they wouldn't need to pay people to do it.

fuzzzerd a day ago | parent | prev [-]

This term needs to catch on, this is the first I've seen it, but it explains why so many product decisions are made and those who know better/different are just too small a minority to get any say.

We're dragged into this kicking and screaming and yet normies think we're the crazy ones.

al_borland a day ago | parent | prev | next [-]

This trend makes me want to find a small town credit union.

I chose my current bank because it was one of the few that had proper token based access for 3rd party integration. An overwhelming majority of banks were relying on a 3rd party holding your actual username/password and saying "trust me bro". I wasn't comfortable with that.

Ritewut a day ago | parent [-]

I use a small town credit union and it's great.

bugbuddy a day ago | parent | prev [-]

This is very condescending toward Vietnamese tech people. According to Twitter/X, Vietnam's GDP just surpassed Thailand's and it's on its way to joining the Great East Asian prosperity zone by becoming the last country to become fully industrialized and very rich. Many tech jobs in the US will move to Vietnam in the coming few years. You will be surprised where your future tech conferences will be located.

lenerdenator a day ago | parent [-]

You're on the money with the rest of this, but...

> Many tech jobs in the US will move to Vietnam in the coming few years.

It would seem to me that India has that on lock.

dingaling a day ago | parent | prev | next [-]

Eventually though I suspect that web access to banks will be rescinded too, much like HMRC in the UK no longer permits companies to submit their taxes through the websites.

In the future, everything will need an 'app'.

SketchySeaBeast a day ago | parent | next [-]

Don't like that. I'm of the "if you're going to do something important, do it on your PC" generation. I do not want a future where I lose my phone and I can no longer access my bank.

immibis a day ago | parent [-]

Claim you don't have a phone, and they'll find a solution.

kube-system a day ago | parent | next [-]

What is that supposed to accomplish? The service providers that require a phone will require one whether you have one or not.

ryandrake a day ago | parent | next [-]

We need to act now, while there are still service providers that don't require a phone. If my bank said they wouldn't do business with me unless I used a phone and an app, I would immediately take my business and all my accounts to a different bank. Banks have no moat. You can pretty easily move accounts to a different one or to a credit union who won't abuse you.

kube-system a day ago | parent [-]

You and the four other people who might do this are just delaying the inevitable.

ranger_danger a day ago | parent | next [-]

Only if people roll over and take it. The squeaky wheel gets the grease.

a day ago | parent | next [-]
[deleted]
kube-system a day ago | parent | prev [-]

99.9999% of people are “rolling over and taking it” because they don’t have an aversion to installing their bank’s app on their phone.

Most people would find this viewpoint to be strange.

ranger_danger 7 hours ago | parent [-]

IMO Most people simply lack the context and knowledge to understand the viewpoint.

keybored a day ago | parent | prev [-]

Or they’re arguing with like four FUD contrarians on a website.

No no no shut up, don’t speak up. No one thinks like you.

themafia a day ago | parent | prev [-]

It builds a case. You're not going to win with one clever move. We need to show that these policies systematically deprive honest customers.

pessimizer a day ago | parent | prev | next [-]

They won't find a solution to your problem, when one is obvious: buy a phone.

They'll find a solution to their problem, which is you: apologize for losing you as a customer, and express a hope that you'll consider them again after you've bought a phone.

immibis a day ago | parent [-]

There can be laws like the right to have a bank account, that might say your bank can't require you to have anything they don't provide you with for free. In some places.

NoMoreNicksLeft a day ago | parent | prev [-]

Unless you are a multimillionaire, they will tell you to go do business elsewhere, you're not worth their trouble.

tengwar2 a day ago | parent | prev | next [-]

With HMRC, the reasoning is that this forces the company to have an accounting package. They don't care which, they just define the API. Not unreasonable. There are more issues with MTD IT (making tax digital, income tax) due to some detailed requirement decisions such as the need to report different income streams separately.

silisili a day ago | parent | prev | next [-]

That seems to be the way the wind is blowing. Most new 'challengers' I've tried in the US either have no web access at all, or limited access that lets you view balance but not do things like transfers.

Barbing a day ago | parent | next [-]

Recalling Venmo winding down web beginning in… let’s see… 2018!

https://www.digitaltrends.com/phones/venmo-shutters-web-plat...

drnick1 a day ago | parent [-]

Why do people need these crappy fintech apps at all? Can you not give your friends cash or send a wire?

silisili a day ago | parent | next [-]

In the US, in my experience, young people don't want to deal with cash at all. Older people do, but it's not always convenient to meet up.

Most banks charge a fee for sending a wire. Sending an ACH is free, but most restrict that to your own account. Revolut is the only one I've seen that lets you just spam ACH to anyone. In both cases, it isn't instant.

Zelle largely fixes those issues, but has its own issues, like a lot of banks not supporting it and/or arbitrarily low send limits.

pluralmonad a day ago | parent | prev [-]

I don't understand either. My contact surface with my bank is so small. I log in once a month to download transactions. What is everyone doing that they need constant immediate access on their phones? I'd probably debank before buying a special iPhone to access a bank account.

Macha a day ago | parent [-]

Let me give you a preview of a world coming to you, and present day reality in Ireland:

1. Your employer pays your salary by bank transfer, which requires you to have a conventional bank account.

2. You then want to spend that money, how do you do that?

Debit card? You need the phone app to retrieve the PIN when the bank first sends you the card.

Cash withdrawals in the branch? For amounts less than €10,000, the staff will direct you to the ATMs in the branch. These require an activated debit card to withdraw money, and activating that card requires the phone app.

Manual money transfers in the branch? Once again, for amounts less than €10,000, the staff won't do it - they'll instead direct you to the PCs in the branch. These are just loading the same website you can access on yours, which will ask you to confirm with a 2FA push notification to log in.

Try another bank? The legacy banks all got the same auditor who advised them that app-based 2FA is the easiest way to implement PSD2 and reduce the likelihood they get held liable when customers get scammed, so they all implemented that as the only option. The neobanks, of course, are accessed solely by apps.

marssaxman a day ago | parent | prev [-]

I long ago decided never again to use anything but a credit union, and this makes me glad that credit unions tend not to ride the forefront of tech trends.

pessimizer a day ago | parent [-]

Me too, but credit unions are being rolled up by private equity.

acedTrex a day ago | parent | prev | next [-]

It's moreso everything will need a signed hardware key of some sort. The app is just the easiest expression of that.

simlevesque a day ago | parent | prev | next [-]

First it'll be apps, then it'll be one app.

ecshafer a day ago | parent [-]

China is ahead of the curve here, the one app is wechat.

mothballed a day ago | parent | prev | next [-]

Would make a lot of sense for banks just to shut off online/mobile access and switch to in person only. That seems to be the way things are moving with KYC/AML and ensuring there is a material presence of the person in the banking jurisdiction in which they operate. Knowing the password / keys and providing a video 'proof of life' is no longer sufficient to presume you're dealing with the person you think you are and not just sold 'darks'.

I've heard 3rd hand of some banks already doing this in, e.g., Armenia, where a foreigner can come in and open an account easily but they block any online access to lock the control of funds in country, to make it harder for the FATF psychopaths to find fodder to clamp down on them.

dangus a day ago | parent | prev [-]

This seems like a massive jump to conclusions.

homebrewer a day ago | parent | next [-]

It's already reality in my country, where you cannot access online banking for any banks except via their mobile applications, which (of course) refuse to work on anything rooted or running non-stock firmware.

dangus a day ago | parent [-]

So, I guess it’s a country-dependent jump to conclusions?

I have had a lot of banks and credit cards, mobile payment apps like Venmo/PayPal in the US and they almost all work on mobile web and desktops.

But I recognize that wealthy western countries didn’t really skip the personal computer like many mobile-first regions have done.

TheGamerUncle a day ago | parent | prev | next [-]

It is a massive observation of how things look already, no more, no less.

dangus a day ago | parent [-]

Let me clarify my statement: one government agency’s election to use an app for a single purpose isn’t an indicator of much.

It’s not like the UK sent out a mandate to private banks or any other private industry on this issue. It’s also only one small country of hundreds.

I’d have to question this idea that this is how things “already look.” I can think of very few businesses that I interact with that force me to use an app.

warkdarrior a day ago | parent [-]

This type of election to use an app by a government agency sets the tone, and more importantly tends to redefine "best practices." Would you want to be the one private entity known to not be using best practices? Would your risk officers or lawyers be OK with that decision?

dangus 7 hours ago | parent [-]

Since when does government set trends in private industry?

I’d like to know what private businesses are copying the kind of workflows and customer experience you get at the USPS or DMV.

margalabargala a day ago | parent | prev [-]

You should make a mat for that.

whs a day ago | parent | prev | next [-]

Thai banks are required by regulation to have facial recognition when transferring over 50k THB in one transaction or cumulatively in a day. I believe most banks have shut down their internet banking as it's not worth it for the low number of users to implement web-based secure facial recognition that doesn't allow you to feed spoofed video input. One of the banks that I use will send a push notification to their mobile app for you to confirm the transaction.

I believe that previously internet banking, even before mobile banking, would limit the number of transfer recipients you can add per day/month. With the rise of QR payment I could see this limit being regularly hit if you scrape the web-based banking.

Since the Bank of Thailand claims that they technically don't block many things (mobile banking technical requirements seem to also require blocking root, but they never banned internet banking), I wish there were a new bank that tried to disrupt the existing players. But the latest "branchless" banking licenses were only acquired by existing banking groups, so API-first personal banking remains impossible.

agumonkey a day ago | parent | prev | next [-]

Maybe a tiny difference though is that a phone is moved around all day long, with a lot of people around to mess with it or pick it. Your laptop is a bit larger and your desktop... well, is behind your door. But yeah, ultimately a bank should not rely on a phone OS to have security.

abdullahkhalids a day ago | parent | prev | next [-]

TD Canada is forcing me to use their app. Every time I make an online transaction which to them is too large or fishy in some way, they make me log in to the app on my phone to approve the transaction. That's the only way.

JCattheATM a day ago | parent [-]

Close the account to change banks and let them know why.

Elfener a day ago | parent | prev | next [-]

In Hungary, where the central bank created the same rule about not allowing banking apps on "unofficial" devices, they do, but you need either the app or SMS for 2FA. Apparently they consider SMS secure...

drnick1 a day ago | parent | next [-]

The idea is that while SMS may not be "secure" in general, it is secure enough when used as the second authentication factor.

d3nit a day ago | parent | prev [-]

Tbh it's way less annoying than I thought when they introduced it.

kube-system a day ago | parent | prev | next [-]

There has been a trend away from this over the past decade. Some banks require mobile apps for some or even all interactions.

The banks that allow you to do everything on their website trend towards legacy and US-centric.

harvie a day ago | parent | prev | next [-]

Yes. And the websites require you to verify transactions with an (unrooted?) phone.

On the other hand the phone does not require you to verify with your PC, so there's no second factor unless there is some inaccessible secure island within the phone itself.

Funny enough, you can probably use that website directly on the phone that you use as 2F, which probably circumvents the 2F idea (at least as long as you use SMS 2F instead of an app that checks for root).

karel-3d a day ago | parent | prev | next [-]

They usually have a mobile companion app where you need to confirm login.

varenc a day ago | parent | prev | next [-]

I assume the bank apps have functionality that their websites lack. Like being able to tap to pay for things, etc. Where a rooted phone might make fraud easier. If not, then this really makes no sense.

hirako2000 a day ago | parent | next [-]

Malware is more easily spread onto a rooted phone, that's for sure.

From there you can keylog, hijack input listeners, basically do anything you want.

SkiFire13 a day ago | parent [-]

That's what malware can do on a rooted phone, _once it gets root access_, but that doesn't mean a rooted phone is easier for malware to attack.

There's not even that many people using rooted phones, and many are tech savvy people that are generally a bit more careful, so even if a rooted phone gets infected by some malware, chances are the malware won't even be written in such a way as to try to obtain root permissions through the standard procedure and exploit it.

eastbound a day ago | parent | prev [-]

The only way an app can contact a company is through REST APIs.

immibis a day ago | parent [-]

True. All internet packets are REST API packets - there's no other type of packet. And all cell radio traffic is internet packets (which are REST API packets).

a day ago | parent [-]
[deleted]
a456463 a day ago | parent | prev | next [-]

JPMCB Chase only allows an APP for 2FA auth

Macha a day ago | parent | prev | next [-]

I mean, if it's like Ireland, then no.

While they (mostly) have websites, a computer with root access is not sufficient by itself to access them. You also need to perform 2FA via push notification to a proprietary app on an Apple or Google approved device.

edent a day ago | parent | prev | next [-]

Yes, but a web browser doesn't run HTML + JS as root.

wdrw a day ago | parent | next [-]

Dependence on a secure client is generally a bad idea. Security should be server-side.

edent a day ago | parent [-]

This isn't about the bank's security - it is about the users'.

Users are losing billions worldwide due to fraudulent apps. If a user has root and runs a malicious app, it can intercept what a legitimate banking app does. A scam app with root can draw over the screen and tell users to transfer money, or it can run a series of actions when the banking app is running, or do any of a hundred things to steal money.

hackyhacky a day ago | parent | next [-]

> A scam app with root

Sure. But the people who are actually rooting their phones are advanced users and aren't going to install a malicious custom OS. Are naive users getting tricked into rooting their own phones? I'm dubious what the security benefit is of this decision.

mike_hearn a day ago | parent [-]

These types of discussions on HN get confused because people aren't always clear what they mean by the word "rooting".

There are two ways to root a phone:

1. Unlock the bootloader, install a well designed and highly secure aftermarket OS, relock the bootloader. The device is still just as secure against malware as it was before. Remote attestation shows the vendor that you're running Graphene or Lineage or whatever.

2. Exploit a local vulnerability to drop a sudo binary somewhere. RA shows you're running an exploitable version of Pixel Android, etc.

(2) is absolutely exploitable by fraudsters. They convince the user to run an app or visit a website that exploits their browser or whatever, and the vulns are used to escalate to root and keep it. Now when the user logs into their banking app the HTTP requests are rewritten to command the bank to send money to the adversary. This is why devices that allow escalation to root are excluded via remote attestation.

(1) isn't, but it requires more coordination than the industry has proven capable of so far. Binary images of a custom OS could in theory be whitelisted by banks if it was known to be as secure as other operating systems. But there's no forum in which that information can be exchanged. Like, RandOS turns up and the maintainer "xyzkid", identity: anime avatar, claims his OS is super secure. How does random overworked bank developer John Smith know if this is true or not? RandOS doesn't come with any audits, it doesn't have a well paid security team. The brand is a big question mark. And if John makes the wrong call, maybe the bank is now on the hook for millions in losses because someone installed RandOS to get the shiny icon theme or whatever, and then got hacked.

So it's a hard problem. It's not actually a technical problem. Remote attestation is very general. The hard part isn't the tech. It's a social problem. How do you create and rapidly communicate trust in a new binary OS image if you don't have the security resources of an Apple or a Google or a Samsung? Google runs a whole accreditation programme for Android where you can turn up as a phone OEM and get your custom OS builds considered to be secure by passing a huge test suite. So the only issue is OS hackers who fall below the threshold where they can do that.

There's an alternative of course: go full libertarian. Means, just use a "bank" that doesn't care if its users get hacked. This is what the Bitcoin community enabled. It's there if you want it.
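
What the server-side check tux3 mentions upthread and the remote-attestation exclusion mike_hearn describes look like in practice, as an added example that is not from the thread and not Google's code: it assumes the Play Integrity token has already been decrypted and signature-checked into a dict carrying the API's documented field names (requestDetails, appIntegrity, deviceIntegrity), and the package name, certificate digest, nonce and sample verdicts are constructed placeholders.

```python
"""Server-side evaluation of an already-decrypted Play Integrity verdict.

Added example, not from the thread and not Google's code. Assumes the token
was decrypted and signature-checked into a dict with the API's documented
field names; package, certificate digest and samples are constructed."""
import hmac
from dataclasses import dataclass

EXPECTED_PACKAGE = "com.example.bank"  # placeholder relying app
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_BASE64URL_SHA256_OF_SIGNING_CERT"}
MAX_VERDICT_AGE_MS = 5 * 60 * 1000  # reject verdicts older than five minutes


@dataclass
class Decision:
    accepted: bool
    reason: str


def evaluate_verdict(verdict: dict, expected_nonce: str, now_ms: int,
                     require_strong: bool = False) -> Decision:
    """Decide server-side whether a login may proceed. Patching the app's
    local "rooted device" screen changes nothing here: the server refuses
    any verdict that lacks the labels it demands."""
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    # 1. Nonce binding: the verdict must answer the challenge issued for this
    #    session, otherwise one captured elsewhere could be replayed.
    if not hmac.compare_digest(str(req.get("nonce", "")), expected_nonce):
        return Decision(False, "nonce mismatch: replayed or foreign verdict")
    # 2. Freshness: timestampMillis is a decimal string in the verdict.
    try:
        issued_ms = int(str(req.get("timestampMillis", "")))
    except ValueError:
        return Decision(False, "missing or malformed timestampMillis")
    if not 0 <= now_ms - issued_ms <= MAX_VERDICT_AGE_MS:
        return Decision(False, "verdict too old or timestamp in the future")
    # 3. The verdict must be about our package, not some other app's.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return Decision(False, "verdict issued for a different package")
    # 4. App integrity: Play must recognise the exact binary and signing
    #    certificate, which rejects repackaged or patched builds.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return Decision(False, "app not recognised by Play")
    if not set(app.get("certificateSha256Digest", [])) & EXPECTED_CERT_DIGESTS:
        return Decision(False, "unexpected signing certificate")
    # 5. Device labels: MEETS_DEVICE_INTEGRITY means a Play-certified device
    #    with a locked bootloader; MEETS_STRONG_INTEGRITY adds hardware-backed
    #    attestation. Unlocked or exploit-rooted devices typically fail these.
    labels = set(dev.get("deviceRecognitionVerdict", []))
    needed = "MEETS_STRONG_INTEGRITY" if require_strong else "MEETS_DEVICE_INTEGRITY"
    if needed not in labels:
        return Decision(False, f"device lacks {needed}: {sorted(labels) or 'none'}")
    return Decision(True, "ok")


# Constructed sample data: a fixed "now" and a per-session server nonce.
NOW_MS = 1_700_000_000_000
NONCE = "c2Vzc2lvbi1jaGFsbGVuZ2UtMTIz"
CERTIFIED = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
             "MEETS_STRONG_INTEGRITY"]


def sample_verdict(labels, nonce=NONCE, issued_ms=NOW_MS - 2_000,
                   app_verdict="PLAY_RECOGNIZED"):
    """Build a constructed verdict dict in the Play Integrity layout."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": nonce, "timestampMillis": str(issued_ms)},
        "appIntegrity": {"appRecognitionVerdict": app_verdict,
                         "packageName": EXPECTED_PACKAGE, "versionCode": "42",
                         "certificateSha256Digest": sorted(EXPECTED_CERT_DIGESTS)},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
    }


if __name__ == "__main__":
    for case in (CERTIFIED, ["MEETS_BASIC_INTEGRITY"], []):
        print(case, evaluate_verdict(sample_verdict(case), NONCE, NOW_MS))
```

The nonce and timestamp checks are what make the verdict useless to replay; the label check is where a bank decides whether a locked, certified aftermarket OS is acceptable, since it never sees the OS name, only the labels Play assigns.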

Magnusmaster a day ago | parent | next [-]

I doubt banks or the government would ever whitelist something like Lineage that's not made by some megacorporation. Also IIRC most phones don't allow you to relock the bootloader after flashing a custom ROM.

hackyhacky a day ago | parent | prev | next [-]

Thanks for clarifying. I was unaware that (2) was a widespread issue.

jacobthesnakob a day ago | parent | prev [-]

>These types of discussions on HN get confused because people aren't always clear what they mean by the word "rooting".

Well it's more the Dunning-Krugerites who see the word "rooting" written by someone in a cyber context, lack that context entirely, and proceed to enter the discussion anyway based on their experience rooting their Android phone 3 years ago after clicking through a few UI buttons.

dvngnt_ a day ago | parent | prev [-]

> A scam app with root can draw over the screen and tell users to transfer money

On Android, I believe this can be done rootless via accessibility permissions that can display on top of apps.

NoGravitas a day ago | parent [-]

Yes, but you very much have to grant that permission in Settings. An app can't get it non-interactively.

SkiFire13 a day ago | parent | prev [-]

A rooted Android device doesn't run apps as root either, nor does it generally allow them to get root access without the user accepting a system prompt.

bakugo a day ago | parent | prev | next [-]

In some countries, it's already impossible to make online payments without the bank's phone app. Only a matter of time until all banking is restricted to phones.

ranger_danger a day ago | parent | prev [-]

Many people also use their bank's app for mobile NFC payments though (more of a thing in EU than US), which you can't easily do with a device that doesn't fit in your pocket.