Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
zaphirplane 6 hours ago

The redirect to a bank is worrying, isn’t it trivial to fake redirecting to a fake bank ?

tdrz 5 hours ago | parent | next [-]

You'll need to fake much more than just that. Usually the bank website will ask you to confirm the transaction by opening the banking app on your mobile phone.

deaux 4 hours ago | parent [-]

Trading a dependency on MasterCard and Visa for one on Google and Apple is at best a sidegrade. More likely you end up worse off.

locknitpicker 4 hours ago | parent [-]

> Trading a dependency on MasterCard and Visa for one on Google and Apple is at best a sidegrade.

That's really not how it works. You as the user are prompted to pick the bank you want to use, and then your bank prompts you to approve the transaction.

The only scenario I can think of that might involve google or apple is if you want to use Android or iPhone for mobile payments with NFC.

deaux 2 hours ago | parent [-]

Which part of "confirm the transaction by opening the banking app on your mobile phone." does not depend on a banking app installed on a Google/Apple-controlled environment?

lxgr 5 hours ago | parent | prev | next [-]

Not really, since in modern 3DS implementations, the redirect pretty much only shows a modal saying "check your phone for a notification and confirm this payment there".

Worst case, you'll be entering a one-time code received out of band, e.g. via SMS, and that message will mention what you are consenting to by entering it anywhere, so even MITM attacks are very hard.

The days of entering a static password in 3DS are long gone.

antonkochubey 5 hours ago | parent | prev [-]

not really, the redirect itself is happening at EMV DS level, not by the merchant himself. Merchant has no idea what bank your card belongs to, so he does not know which bank to redirect you to.