
Comment by avhception

3 months ago

Banks seem to actually "want" Play Integrity. At least they act like it. I bet they would like for normal online banking on user-controlled devices to completely go away.

Of course they do, and of course they would. Banks are in a crazy legal position where they are financially liable for user stupidity. If my bank account gets breached, it doesn't matter that I didn't take any reasonable security measures, the bank will still have to refund me. If the bank could say "you didn't follow our recommended security practices to use a PW manager and MFA or passkeys, so it's a FAFO situation for you," then they wouldn't be pushing for this stuff. But they can't do that because the government doesn't allow them to.

There is even government regulator pressure now for financial services to be liable for cases where the user legitimately authorizes a transaction to a party that turns out to be a scammer. Of course the banks want to watch your every move and control your devices. They would be stupid not to given the incentives.

  • In what country do you live? In America, users are liable for the bank’s stupidity. If they don’t verify credentials and give away all of my money, I do NOT get it refunded, they are NOT responsible, and I am the victim of “identity theft.”

    • I live in America. I have got back every single cent I have lost due to fraudulent charges on my account. Furthermore, I was refunded instantly by the bank pending investigation.


  • On the flip side, banks have the worst fucking security outside of demanding you use an app. Let me use 2FA that isn't bespoke.

    • Most of that “app” security is requiring you to use Symantec’s app, which doesn’t actually require Symantec - there are plenty of guides online showing how to register any authenticator app instead.

Only because it's there. I don't think they would demand it if it wasn't offered, but once it's there imagine being in a bank and saying to management "I recommend we don't enable this security feature that works on 99.99999% of phones".

  • As someone who used to work for a bank building applications I would say no. This is definitely a feature companies and organizations like banks would request if it wasn't available.

    There are a lot of scams targeting vulnerable people and these days attacking the phone is a very "easy" way of doing this.

    Now perhaps there is a more forgiving way of implementing it though. So your phone can switch between trusted and "open" mode. But realistically I don't think the demand is big enough for that to actually matter.

    • Play Integrity does almost nothing to prevent malicious actors. In fact, I'd say overall it's probably more harmful because it gives actors like banks false confidence.

      Even with play integrity, you should not trust the client. Devices can still be compromised, there are still phony bank apps, there are still keyloggers, etc.

      With the Web, things like banks are sort of forced to design apps that do not rely on client trust. With something like play integrity, they might not be. That's a big problem.


    • Unfortunately, this kind of thinking leads to insane situations such as the South Korean banking cartel which requires users to install several pieces of "security software"[1] which make your computer more vulnerable to security issues[2] and almost certainly doesn't protect anyone from actual fraud -- classic security theatre.

      There needs to be a point where enough is enough, and locking down devices so that you cannot install programs nor practically use custom operating systems on them anymore is way past that line.

      [1]: https://palant.info/2023/01/02/south-koreas-online-security-...
      [2]: https://ee.kaist.ac.kr/en/research-achieve/in-south-korea-ma...


    • > This is definitely a feature companies and organizations like banks would request if it wasn't available.

      Really? Because they've been fine without this feature on desktop for literally decades.

  • On the other hand, it's not really up to the bank. It's my money, not theirs.

    I really wish I wouldn't need to have my money managed by some corporate drones in suits but it's really hard these days to do without a bank account.

    This is why I was really into crypto at the beginning; it envisioned giving us control back over what's ours. But all the KYC crap and the wishes of the speculators for more oversight basically made crypto the same nasty deal as the public banking sector.

  • It is desired enough that plenty of developers license third party libraries that roll their own device attestation, instead of or in addition to Play Integrity.

What's absurd though is that they have never demanded it for browsers. I think there is a much higher risk of someone being tricked into downloading a compromised browser with a backdoor than someone being tricked into downloading a modified version of their particular banking app. It gives the attacker the same level of control though.

  • Banks have never accepted browsers. They don't need to because they can require the web app be paired with a mobile app or SMS code to log in. Before they used mobile apps they issued smartcard readers (at least they did everywhere I lived). The smartcard readers were also used to digitally sign transactions.

    In other words, there aren't many banks that let you take sensitive actions with just a browser and that's been true since the start of online banking.

    These days they also apply differential risk analysis based on the device used to submit a transaction and do things to push people towards mobile. For instance in Switzerland there's now a whole standard for encoding invoices in QR codes. To pay those you must use the mobile apps.

    Edit: people are getting hung up on the "never accepted browsers" part. It means they only use the browser for unimportant interactions. For important stuff like login or tx auth, they expect the use of separate hardware that's more controlled like a SIM card/mobile radio, smartcard or smartphone app. Yes some banks are more lax than others but in large parts of the world this was always true since the start of online banking.

    • That's ... false. Every bank I have used in Denmark allows me to log in and do all operations without an app. They require authentication and authorization using the national digital identity (MitID) which comes as an app, but also as a TOTP token and a FIDO (or similar) chip. No apps needed.

      I guess the smartcard reader is equivalent. But my point is that locking down the OS of the phone is sufficient to establish client trust but not necessary. You should always be allowed to run the app without strong Play Integrity verification but then just be required to scan your hardware token with NFC in every authentication and authorization flow.


    • I work in fintech, formerly as a contractor for some major banks, and absolutely nothing you say is true, generally.

      This might be the case for a couple of banks - or maybe in one or two specific countries, but broadly, none of what you've said here applies to banks anywhere else in the world.


    • > In other words, there aren't many banks that let you take sensitive actions with just a browser and that's been true since the start of online banking.

      When I started online banking I used a browser and a TAN list for years. No apps required.


    • Is Wells Fargo not a bank? It doesn't even use 2FA and you can log in via a browser and ship money all over the planet!

    • > Banks have never accepted browsers.

      What are you talking about? My bank accepts browsers and is a major one.