| ▲ | ecshafer a day ago |
| When I used to work on the Vanguard authentication team, we blocked Vietnam from access because of too much fraud (not my choice). But it was funny because we had Vietnam-based clients, so there were a couple of HNW clients in the logs that you could see who would log in from Vietnam/Russia/wherever, get blocked, open their VPN, then log in from England. This was a while back, but even then there was a push for things like YubiKey and hardware tokens, so it's not surprising the wind is blowing in this direction of just hardware-authenticated people. Financial companies are just constantly fighting fraud in a million ways. |
|
| ▲ | Zak a day ago |
| I'd be really interested to know whether a significant amount of fraud and fraud attempts involve devices with root or non-stock operating systems. This has always struck me as a matter of checkbox compliance rather than a commonly-exploited attack vector, though I'll grant that's partially because few people actually use such devices. |
| |
| ▲ | array_key_first a day ago |
| Intuitively I'd say no, there's no way it's a significant amount of fraud. Number one because, as you said, it's rare, but number two because you just don't need a rooted phone to scam someone. You can very easily scam people on perfectly legitimate phones and with perfectly legitimate apps. |
| ▲ | pix128 a day ago |
| Keyloggers would be considered a form of fraud, right? Customers can be protected by not allowing rooted phones which may contain malware and steal credentials, but then again Windows is a nightmare for security and nobody is banning banking from Windows. |
| ▲ | array_key_first a day ago |
| Right, but you don't need a rooted phone to keylog someone. You can just ask their password over the phone, and people do, and it works. Or, you can install a plethora of perfectly legitimate remote access apps available on the play store. |
|
| ▲ | browningstreet a day ago |
| I worked in fraud compliance architecture at a bank. They didn't checkbox anything. They had a lot of gathered data and justification for the limits they enabled. I'm sure not every bank does it that way, but they weren't trying to limit legit customer access, and they pained at enforcing limitations like this. |
| ▲ | Zak a day ago |
| Can you share what limits they did and did not impose? |
| ▲ | IshKebab a day ago |
| Yeah I call bullshit. The number of people with rooted phones is going to be way less than 1%, and the number of those that are unsophisticated enough to fall for scams/malware is going to be minuscule. This is pretty clearly a case of "oh there's an option here that says 'allow on rooted phones', do we want to allow that?" "No that sounds scary and risky! Of course not. We must not allow it." The option is there, and nobody is going to try to sell not ticking it. |
| |
| ▲ | blueg3 8 hours ago |
| In my experience, people don't really care about rooted devices and non-stock Android -- if those devices are actually phones in the hands of human users. The big fraud vector is running emulators in datacenters or skipping running the app entirely and talking directly to endpoints. Requiring that an entity making a request is from a real phone and is from (approximately) your app adds friction and is effective at reducing fraud. |
| ▲ | itake a day ago |
| I work at Grab (SEA rideshare and licensed bank, but not licensed in VN). A significant amount of fraud comes from scammers convincing victims to install malicious apps. They fake being a customer service provider. Banks don't want their customers to lose their money and they don't have the tools to protect them from themselves. For all the privacy reasons, app stores don't even give banks enough tools to identify and block this fraud. |
| ▲ | Zak 14 hours ago |
| Tricking someone into installing a malicious app usually doesn't involve them having a third-party or modified operating system on their phone. I'm asking about that because I believe it's a hypothetical risk rather than a problem in practice and I'm curious about any evidence to the contrary. |
| |
| ▲ | mike_hearn a day ago |
| Devices that are easily rooted absolutely originate fraud. It's not like this is some wild claim. Look at how much financial fraud is driven by botnets running on old Windows PCs. |
| ▲ | morshu9001 a day ago |
| Also even if they aren't hijacked devices, any kind of phone farm is harder to run with locked down devices. |
|
| ▲ | morshu9001 a day ago |
| When I was running a home server as a kid, I IP-blocked the entire continent of Asia because I was constantly getting pings, portscans, HTTP path guesses, SSH auth attempts, etc. randomly from there. Of course I secured my stuff to the best of my knowledge, but I still didn't want that harassment cause 1. who knows 2. could be DDoS'd. When finding help on how to do this, people were saying it's useless cause they can proxy/VPN anyway, but obviously that has some cost to them because they weren't doing that. So seeing how I had no legitimate traffic from there, it was an easy choice and cut out like 99% of abuse. |
| |
| ▲ | chrneu a day ago |
| lol you should see how bad it is nowadays. Like 90% of my traffic is from SE Asia or Germany trying to scrape my site. I blocked like a dozen countries because of it. Singapore itself is an insane amount of traffic for me. |
| ▲ | akdor1154 a day ago |
| Singapore could be due to being a common VPN exit node for within SE Asia? Close by and avoids the most common regional blacklists (and gov firewalls of course). |
| ▲ | sunaookami 18 hours ago |
| I think it's due to Tencent Cloud providing cheap servers in Singapore. I had the same issue and blocked all of their offending IP ranges from these ASNs and it was all Tencent or Huawei Cloud. |
| ▲ | morshu9001 a day ago |
| I saw lots of Singapore traffic back in the early 2010s too, and often see it listed on random free VPN and proxy sites |
|
| ▲ | kccqzy a day ago |
| Oh yeah I remember adding my Yubikey to Vanguard as early as 2019! It felt amazingly modern compared to any other bank. I assume this is your or your team’s work. Thank you! I’ve also had other banks do the same. They provided me with a debit card that supports international transactions but they did not allow logging in from most Asian countries. So I would log in from Asia, be blocked, turn on my VPN and log in from the U.S. to check the balance on my card. |
| |
| ▲ | venusenvy47 a day ago |
| I always thought Vanguard was behind the curve on these types of things. They don't even have support for TOTP from an authenticator, do they? Separately, I couldn't even log onto their system this week from my desktop browser because of some bug. (Accessing from the US). It didn't recognize my username or password, let me change my password, then said it didn't recognize the new password. |
|