In principle I'm certainly on board with the idea, but the problem is - at least in the Anglosphere, probably further - that the financial system is part of the military and policing systems. They are a powerful and persistent lobby that want a phone to be able to provide enough who-what-when-where to be able to put someone in jail or in extreme cases drop a missile on them.

That is one of the reasons the crypto market is behaving like some radical innovation instead of just a group of bozos speedrunning financial history. For the first time since the invention of capital we have an asset class where it doesn't take the cooperation of a group of armed thugs to guarantee the integrity of the system.

I don't see how a separate dedicated piece of hardware is less secure. It has zero contact whatsoever with your other comm devices. It can be switched off when not needed, to prevent any chance of tracking you. Think of it as of an advanced yubikey.

It's not money-preserving though. You need an extra device, and an extra phone number. The separate phone number is another privacy-preserving feature though.

There's a second layer to the conflict here, in that (e.g.) the banks will want to move the entire flow into whatever secure device, enclave, or "agent" they supply - meanwhile, the whole point of me having a general-purpose computer is to be able to do general-purpose computing that I want within this flow.

My favorite, basic example is this: I'd like to create my own basic widget showing me my account balance on my phone's home screen. Doesn't have to be real-time, but accurate to +/- few minutes to what the bank app would say when I opened it. It has to be completely non-interactive - no me clicking to confirm, no reauthorizing every query or every couple hours. Just a simple piece of text, showing one number.

As far as I know it, there's no way of making it happen without breaking sandboxing or otherwise hacking the app and/or API endpoints in a way that's likely to break, and likely to get you in trouble with the bank.

It should not be that way. This is a basic piece of information I'm entitled to - one that I can get, but the banks decided I need to do it interactively, which severely limits the utility.

This is my litmus test. Until that can be done easily, I see the other side (banks, in cooperation with platform vendors) overreaching and controlling more than they should.

The point of the exercise isn't to just see the number occasionally; I can (begrudgingly) do that from the app. The difference here is that having the number means I can use it downstream. Instead of a widget on the phone screen, I could have it shown on a LED panel in my home office or kitchen[0], or Home Assistant dashboard. Or I could have a cron job automatically feeding it to my budgeting spreadsheet every 6 hours. Or I could have an LLM[1] remind me I've spent too much this week, or automatically order a pizza on Saturday evening but only if I'm not below a certain threshold. Or...

Endless realistic, highly individual applications, of a single basic number. The whole point of general-purpose computing empowering individuals. If only I could get that single number out.

--

[0] - Why would I want that is besides the point.

[1] - E.g. via Home Assistant.

Yet you're paying to get a passport etc...

And exactly who's going to pay for that?

Even elected governments already have the ability to take whatever they want from you, and force you to act against your own interests; this seems like a comparatively minor infringement.

But with kernel level attestation, the banks can start requiring this on computers as well...

(From the kernel-level anti-cheat discussion the other day)

My (Canadian) bank extorted me into installing their app, literally blocking me from doing transfers of my own money without it - I had to install it and take a picture of myself and my ID. After this I was able to switch to sms authentication and delete it, but they’re obviously trying to force people onto the app, and eventually they will do so more aggressively.

Of course in Canada we have a banking oligopoly that is effectively there just to rob people, but ironically any of the “challenger” startup banks are 100% app based afaik

Does not work anymore for many banks in Germany. I have 2 accounts that require me to have different second factor apps installed. For one bank I would have to open a separate account with a debit card to use hw tan generator. For the other AI would have to switch bank account after the regulators banned SMS and indexed paper TANs.

How are people on HN of all places still this short-sighted to not understand that this will stop being an option? It's incredible to see like 10 individuals commenting this all over threads like these. Think before you comment.

Assuming the browser has feature parity. I was visiting my parents over Xmas and my dad couldn’t make a payment because the number of saved payees was capped to 100. There was literally no option to delete a payee in the website, the only way we found was to install the app, authenticate, and do it in there. It’s happening already.

Until they decide that they only support 2FA by app push notification.

My bank turned their website off. Mobile app only now.

If your bank has a website.

If buying is not owning, pirating is not stealing.

Piracy isn’t merely a virtue, but a moral imperative, an obligation to uphold civic freedom.

It is immoral not to pirate. It is everyone’s duty to do their part in normalizing and encouraging piracy.

Where in Europe? Some countries are making some efforts to get away from cloud providers like those but all I know of are increasing dependency on Apple and Android.

That's not exactly correct, at least in the U.S. Banks don't take away the right to modify, banks discriminate against modification.

Businesses, in general, have the right to refuse service to anyone for any reason except when their refusals either explicitly, or implicitly by pattern of behavior, derive from one or more characteristics that are protected from discrimination under law. The characteristic of having rooted, and/or having modified, a device is not currently protected from discrimination, and so businesses — who are self-serving to the extreme and minmaxing risk vs. profit just like any good video game player would — are within their legal rights to discriminate against users who modify their mobile phones.

You can see a similar pattern taking effect in the car modification industry; California requires tens of thousands of dollars to assess whether a car modification is "legal" to sell there, due to the intersections of gas vehicle smog laws and the tendency of vehicle owners who modify their vehicle to be likely to, just as businesses do above, selfishly minmax lower-emissions vs. higher-performance behaviors in the car's components and programming. As there exists no categorical protection against undue discrimination for "those who modify their property", one such as myself who modifies their vehicle without intent to reduce or defeat low-emissions behaviors has no recourse to claim that the state's $20,000 test fee is discriminatory against personal use by individuals. I support the societal-level necessity of enforcement in this area, but that doesn't excuse charging $20,000 to a for-profit business and then $20,000 to a personal-use resident.

So, the true solution, in a U.S. constitutional context anyways, is to amend the protected categories under the Bill of Rights to include "individuals who modify their own possessions" as a category that is protected from undue discrimination. It's a simple enough change from a written perspective. Perhaps California or the E.U. will enact it first?

Note, however, that undue does not mean always. Digital ID checks should be restricted to devices booted into sealed-attested mode for the same reason that notarization apps should — faked/stolen digital IDs carry severe and broad-spectrum risks to an entire society of individuals — but banks simply trying to decrease their fraud reimbursement expenses have insufficient cause to discriminate against account holders accessing their accounts. I would absolutely accepted "not permitted to initiate outbound transfers in excess of $10,000" as a compromise.

It becomes more unclear when you consider e.g. Apple Pay, and Apple Music. Both currently deny service to those whose macOS is not sealed and attested. One could make a very convincing case that digital wallets are a case where the benefits of sealed attestations are a necessary case of discrimination against those who modify their devices; financial fraud is a nightmare for both users and banks, after all! But there is no convincing case that being able to listen to music albums with a modified device is somehow a threat both to users and to the music industry, and so Apple would find their demand for sealed+attested to be illegal discrimination by Apple Music.

I suspect the outcome here is that we see devices that offer a sealed-attested 'wallet' mode, activated by a hardware switch function of some fashion, that temporarily seizes control of the device in order to create a protected environment — with some sort of indicator that can't be falsified by any other software on the device, i.e. the camera green / mic orange LED — so that users can interact with attestation-critical services like ID checks, NFC payment, and MFA requests without having to reboot their device from modified mode. Those who want to install their own attested environment can do so, with the understanding that a great deal of legwork remains to not only earn the world's trust that third-party environments can be secured, but also that both government and corporate environments detest having to decide who to trust themselves and will do their very best to either reject all parties other than a single corporation (E.U. age checks, I'm looking at you!) or will create arcane bullshit obstacles that make it difficult to DIY a secure wallet. Some of that difficulty is completely appropriate for exactly the reasons that secure attestations are appropriate in specific, narrow cases only (same reason I appreciate paper currency having physical anti-counterfeiting technology, but not the stupid constellation): counterfeiting predates humanity, sealed-attestation environments are an excellent defense against entire categories of attacks, and a reasonable level of bureaucratic slowdown is an excellent defense against opportunistic hit-and-run fraud.

You do have that right. You just can't use banking apps in Vietnam on such devices.

This is really no different to the antivaxxer arguments in the peak pandemic era. Some people didn't want vaccines. Fine. Well, not fine. None of it is based on any kind of rational argument but nobody was strapped down and forced to have one. But not having one meant there were certain jobs you couldn't have. Just like for decades unvaccinated children couldn't go to public school.

You make a choice and if you don't like the consequences of that choice, that's a you problem.

Have you ever listened to any scammers operate? People are, for lack of a better word, stupid. They're far too trusting. Anything from Nigerian prince scams to buying Walmart gift cards and giving some random person the number to whatever.

You might say "ah but this is social engineering" and that's true but so is "Hi, this is Brian from tech Support. We need you to change these settings and to install this app on your phone".

Let me put it another way: how do you feel about backdoors into crypto? Just the existence of a backdoor creates an attack vector regardless of whether the designated users misuse use it or not. Just the ability to "opt in" to root access for almost everyone creates way more problems than it solves.

And this is the key point: what benefit does it give users? Because nobody can really answer that other than some hand-waving about "freedom".

Because when you don't do this, people get scammed out of money.

If there is a series of buttons you can press to circumvent the anti-scam measures, then the scammers simply walk you through pressing those buttons. If you cover them in giant warning labels the scammers simply add explanations into their patter. The buttons must physically not exist, for gullible people to not get scammed out of money.

The next response will be 'well maybe we shouldn't accommodate them'. They vote, and there's more of them than you.

The irony is that Apple started out by discovering the the hackability of the hardware and software they found in their time. Instead of leaving something like that behind for those who come after them, to pay back what was given to them, they build walled gardens where you’re just not allowed to “bump into the walls too much”.

> You can have sandboxing and system integrity while still giving the user overrides.

How? What kind of overrides? You mean that Safetynet could still report attestations?

I have no idea how it works, but doesn't it require a chain of trust, starting from a known boot image, then every process that can write to arbitrary memory needs to be a known image? (And even that might not be enough if there are ways to dynamically exploit them.)

> You can have sandboxing and system integrity while still giving the user overrides.

I think this is wishful thinking, and the most experienced organizations in the world in this field agree with me. You can’t square this circle.

We can pretend that these two things can coexist, but they cannot. Where there are overrides, there are youtube tutorials on how to disable the overrides to install malicious botnet vpn surveillance proxy apps to get free robux. (to borrow a turn of phrase from @ptacek iirc)

If you give users an escape hatch, they will get malware in ring 0 and Apple Pay will stop being a thing because people’s cards will start getting remotely skimmed at scale. (Or Amazon will give you 1.5% off all purchases to install a rootkit that uploads your complete realtime cc nfc purchase boop history and email receipts and location track so they can figure out which businesses to clone/dump on next.)

If you say “…but not the SEP” then you’re just admitting that you need a part of the phone the user does not and cannot control. Most users care about the privacy of their nudes and sexts so they’d rather it be the whole damn phone.

Did we forget that even the not-full-scale escape hatch that was enterprise app certs was abused by Meta (then Facebook) to install surveillance VPN backdoors on customer phones at scale? Apple didn’t even know bc they were sideloading them via enterprise certs and when they found out they revoked them across the board, but by then thousands of people had had 100% of their phone’s network traffic surveilled by an ad company without consent.

Okay, it is a full on spyware virus though, not super sure why people would love Bonzi on their system.

This is kind of a shitty compromise, the second you leave a tiny crack open in the security, maybe through root access, maybe some better sideloading, somehow people WILL be tricked into installing malware, and it baffles me...

I've seen it happen multiple times with my older (and younger, though less often) relatives and acquaintances, I'm really not sure how like a solid 5 dialogs that scream at them with sayings like "do not do this", "this is dangerous", "if someone is telling you to do this they're a scammer", and that somehow raises zero alarms, however if you tell them to consider the possibility that they're downloading a virus, or that the nice IT man on the phone is probably not that trustworthy, they will simply not believe you.

That's why I kind of get the paranoia, though most of it is just that and I really believe that software freedom is a whole lot more important.

> normal people can't be trusted with system-level access but some people can.

Why can "normal people" be trusted with a car then? Or firearms? Or kitchen knives?

In other areas of life, people self-select at their own risk. You can diagnose medical issues yourself, buy power tools you don't know how to use safely, and invest in assets that you don't understand.

All other things being equal, we should try to protect people. But we shouldn't force everyone to make the choices that are best for the people with the least comprehension of what they're doing.

If the only damage is personal (they lose their own money), why can't we make them responsible for their choices?

Normal people shouldn't have computers. The internet must be made back into something you sit down to use.

Non-ideal situation for those power users - have 2 phones. Annoying but also a perfect separation of free/personal and controlled/official spaces.

The main danger is a virus that infects everybody's phones and then takes control of the telephony modem, e.g. like a DDOS attack.

That's why you can't have root access to the modem even though you technically own it.

Viruses injecting code into the process of the app that you use to do online banking. obvsly. Or the app you use to do second-factor authentication.

You can protect against that by requiring the app to have a valid signature. You cannot guarantee that the signature is valid unless you can guarantee that the kernel has not been modified. You cannot guarantee that the kernel has not been modified if the phone has been rooted.

For what it's worth, my banking app for my Canadian bank (and the app which does second-factor authentication for web transactions when doing web-based online banking) will not run on a rooted phone. For good reason, I think.

My bank used to use SMS for second-factor authentication, but no longer does so. For good reason. When I do online banking from my desktop, I still have to use the second-factor authentication login on my phone. Or sim-less tablet, interestingly. Whatever the mechanism, is, it is not SMS based.