And surprisingly I can pay securely using my PC, fully rooted, on FOSS software. Hardware tokens have been a thing for decades. There are more second (or third) factor authentication and signing solutions than I can enumerate.

Do peope get defrauded using online banking? Sure. But usually not in a way that would be stopped by secure attestation.

▲

mike_hearn a day ago | parent | next [-]

The hardware token is itself a form of remote attestation. The reason you need extra hardware is because the PC can't do it.

▲

Magnusmaster a day ago | parent | prev [-]

Most banks don't know hardware tokens are a thing. They want everyone to use their app.

	▲	elric a day ago \| parent [-]
		Is this yet more evidence of how utterly broken US banks are? Assuming you are referring to US banks. For the past 20 or so years, every bank I've been with in Belgium has provided me with one of three types of hardware token: 1. An OTP token that's just a screen that displays a new 6 digit token every couple of seconds (haven't seen one of these in a few years now). This was used to supplement username/password on login and to verify every bank transfer. 2. A token with a screen and a display, which generates OTPs based on input. E.g. for a payment the bank would tell me to enter the amount + the last N digits of the bank account, the token then generates an OTP, which I can use to confirm the payment. That's what 2 of my 3 banks currently use. They have separate modes for logging in, for signing bank transfers, for signing 3D Secure online payments, etc. 3. A card reader where where I just slot in my card. I can then log in or sign payments using the card's chip & pin. This is what my third bank uses. There are a couple of variants on this, such as models which connect with USB and models which can read QR codes from your screen so you don't have to tap in anything except for your PIN.