Zak a day ago

I'd be really interested to know whether a significant amount of fraud and fraud attempts involve devices with root or non-stock operating systems.

This has always struck me as a matter of checkbox compliance rather than a commonly-exploited attack vector, though I'll grant that's partially because few people actually use such devices.

array_key_first a day ago | parent | next [-]

Intuitively I'd say no, there's no way it's a significant amount of fraud. Number one because, as you said, it's rare, but number two because you just don't need a rooted phone to scam someone. You can very easily scam people on perfectly legitimate phones and with perfectly legitimate apps.

pix128 a day ago | parent [-]

Keyloggers would be considered a form of fraud, right? Customers can be protected by not allowing rooted phones which may contain malware and steal credentials, but then again Windows is a nightmare for security and nobody is banning banking from Windows.

array_key_first a day ago | parent [-]

Right, but you don't need a rooted phone to keylog someone. You can just ask their password over the phone, and people do, and it works. Or, you can install a plethora of perfectly legitimate remote access apps available on the play store.

browningstreet a day ago | parent | prev | next [-]

I worked in fraud compliance architecture at a bank. They didn't checkbox anything. They had a lot of gathered data and justification for the limits they enabled. I'm sure not every bank does it that way, but they weren't trying to limit legit customer access, and they pained at enforcing limitations like this.

Zak a day ago | parent | next [-]

Can you share what limits they did and did not impose?

IshKebab a day ago | parent | prev [-]

Yeah I call bullshit. The number of people with rooted phones is going to be way less than 1%, and the number of those that are unsophisticated enough to fall for scams/malware is going to be minuscule.

This is pretty clearly a case of "oh there's an option here that says 'allow on rooted phones', do we want to allow that?" "No that sounds scary and risky! Of course not. We must not allow it."

The option is there, and nobody is going to try to sell not ticking it.

blueg3 8 hours ago | parent | prev | next [-]

In my experience, people don't really care about rooted devices and non-stock Android -- if those devices are actually phones in the hands of human users.

The big fraud vector is running emulators in datacenters or skipping running the app entirely and talking directly to endpoints. Requiring that an entity making a request is from a real phone and is from (approximately) your app adds friction and is effective at reducing fraud.

itake a day ago | parent | prev | next [-]

I work at Grab (SEA rideshare and licensed bank, but not licensed in VN).

A significant amount of fraud comes from scammers convincing victims to install malicious apps. They fake being a customer service provider.

Banks don't want their customers to lose their money, and they don't have the tools to protect them from themselves. For all the privacy reasons, app stores don't even give banks enough tools to identify and block this fraud.

Zak 14 hours ago | parent [-]

Tricking someone into installing a malicious app usually doesn't involve them having a third-party or modified operating system on their phone. I'm asking about that because I believe it's a hypothetical risk rather than a problem in practice and I'm curious about any evidence to the contrary.

mike_hearn a day ago | parent | prev [-]

Devices that are easily rooted absolutely originate fraud. It's not like this is some wild claim. Look at how much financial fraud is driven by botnets running on old Windows PCs.

morshu9001 a day ago | parent [-]

Also even if they aren't hijacked devices, any kind of phone farm is harder to run with locked down devices.