Comment by ulrikrasmussen
20 days ago
What's absurd though is that they have never demanded it for browsers. I think there is a much higher risk of someone being tricked into downloading a compromised browser with a backdoor than someone being tricked into downloading a modified version of their particular banking app. It gives the attacker the same level of control though.
Is this not more or less what Manifest is attempting to do? The headline grabber is that it disables ad-blocking but it's essentially trying to establish the browser as a "trusted" (owned) platform, no?
You're thinking of Google's attempt to port Play Integrity/Safetynet to the Web [0]. Nothing to do with Manifest V3, IIUC.
[0]: https://en.wikipedia.org/wiki/Web_Environment_Integrity
Banks have never accepted browsers. They don't need to because they can require the web app be paired with a mobile app or SMS code to log in. Before they used mobile apps they issued smartcard readers (at least they did everywhere I lived). The smartcard readers were also used to digitally sign transactions.
In other words, there aren't many banks that let you take sensitive actions with just a browser and that's been true since the start of online banking.
These days they also apply differential risk analysis based on the device used to submit a transaction and do things to push people towards mobile. For instance in Switzerland there's now a whole standard for encoding invoices in QR codes. To pay those you must use the mobile apps.
Edit: people are getting hung up on the "never accepted browsers" part. It means they only use the browser for unimportant interactions. For important stuff like login or tx auth, they expect the use of separate hardware that's more controlled like a SIM card/mobile radio, smartcard or smartphone app. Yes some banks are more lax than others but in large parts of the world this was always true since the start of online banking.
Thats ... false. Every bank I have used in Denmark allows me to log in and do all operations without an app. They require authentication and authorization using the national digital identity (MitID) which comes as an app, but also as a TOTP token and a FIDO (or similar) chip. No apps needed.
I guess the smartcard reader is equivalent. But my point is that locking down the OS of the phone is sufficient to establish client trust but not necessary. You should always be allowed to run the app without strong Play Integrity verification but then just be required to scan your hardware token with NFC in every authentication and authorization flow.
That's mostly prevalent in third-world countries like Brazil. I work for a fintech-turned-bank here and the biggest problem we have to deal with is fraudulent actions made by scammers who got access to users' accounts via social engineering. Outsiders don't know how prevalent scamming is in Brazil and how much is spent/lost trying to fight them and how that shapes the security vs convenience landscape. For example:
- I can't transfer a single cent if I haven't had my face and documents scanned after installing the bank app.
- I can't have the same bank account logged in on two of my devices at the same time; all banks require you to use an account on a "verified" device (previous point).
- If I want to use a desktop to access my bank account, I have to either install a desktop client provided by the bank or be limited to just checking my balance. Some banks don't even allow you to log in if you don't have a "verified" device for doing 2FA.
I am very sure my higher-ups are cheering at this news, even though it solves none of the problems.
In the US too. I have never run into a situation where I had to use the app instead of the browser. I don't know what that guy is talking about.
That's exactly what I'm saying. They don't let you take actions using only a web browser. If you don't use a mobile app they issue you with trusted hardware that performs a similar function (although usually less secure and not as convenient).
My bank does still allow login and txns to be authorized with a smart card reader. You have to type in fragments of the account number to authorize a new recipient. After that you can send additional transactions to that account without hardware auth.
Pure NFC tokens don't work because you need trusted IO.
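The distinction drawn above between a reader with its own keypad and a "pure NFC" token (and, further up, the suggestion of scanning a hardware token in every authorization flow) comes down to where the transaction fields the signature covers are entered. The following simulation is an added example, not any bank's protocol and not code from the thread: a hypothetical truncated-HMAC challenge/response over (challenge, recipient fragment, amount), a constructed card key, and a compromised host that swaps the recipient. With the keypad reader the user types the intended recipient on the device, so the bank's check over the substituted recipient fails; with the tap-only token the host feeds it the attacker's fields and the fraudulent transfer verifies.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed shared secret personalised into the card/token at issuance and
# held by the bank. Hypothetical value for the simulation, not a real key.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def canonical_tx(challenge: bytes, recipient_fragment: str, amount_cents: int) -> bytes:
    """Fixed encoding of the fields the response covers (assumed scheme)."""
    return challenge + b"|" + recipient_fragment.encode() + b"|" + str(amount_cents).encode()


def sign(card_key: bytes, challenge: bytes, recipient_fragment: str, amount_cents: int) -> str:
    """Truncated HMAC rendered as an 8-digit code, like what a reader displays."""
    mac = hmac.new(card_key, canonical_tx(challenge, recipient_fragment, amount_cents),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def keypad_reader(card_key: bytes, challenge: bytes, typed_fragment: str, typed_amount: int) -> str:
    # Trusted IO: recipient fragment and amount come from the reader's own keypad.
    # Malware on the host never sees or alters these inputs.
    return sign(card_key, challenge, typed_fragment, typed_amount)


def nfc_token(card_key: bytes, challenge: bytes, host_fields: dict) -> str:
    # No keypad or display: the token signs whatever the host hands it over NFC.
    return sign(card_key, challenge, host_fields["recipient_fragment"], host_fields["amount_cents"])


def bank_verify(card_key: bytes, challenge: bytes, recipient_fragment: str,
                amount_cents: int, response: str) -> bool:
    """Bank recomputes the code over the transaction it actually received."""
    expected = sign(card_key, challenge, recipient_fragment, amount_cents)
    return hmac.compare_digest(expected, response)


def run_payment(compromised_host: bool, use_keypad_reader: bool,
                challenge: Optional[bytes] = None) -> dict:
    """Simulate one transfer. The user intends to pay `intended`; a compromised
    host shows the correct page but substitutes `attacker` in everything it sends
    to the bank and to the token. Returns whether the bank accepted and for whom."""
    intended = {"recipient_fragment": "1234567890", "amount_cents": 15000}
    attacker = {"recipient_fragment": "9999999999", "amount_cents": 15000}
    if challenge is None:
        challenge = secrets.token_bytes(8)  # bank-issued nonce, one per transaction

    submitted = attacker if compromised_host else intended  # what the host tells the bank

    if use_keypad_reader:
        # The user types the recipient they meant on the reader, regardless of host state.
        response = keypad_reader(CARD_KEY, challenge,
                                 intended["recipient_fragment"], intended["amount_cents"])
    else:
        # The host relays fields to the tap-only token; malware controls them.
        response = nfc_token(CARD_KEY, challenge, submitted)

    accepted = bank_verify(CARD_KEY, challenge, submitted["recipient_fragment"],
                           submitted["amount_cents"], response)
    return {"accepted": accepted,
            "recipient": submitted["recipient_fragment"] if accepted else None}


if __name__ == "__main__":
    for host, reader in [(False, True), (True, True), (False, False), (True, False)]:
        label = f"{'compromised' if host else 'clean'} host, {'keypad reader' if reader else 'NFC token'}"
        print(f"{label:38s} -> {run_payment(host, reader)}")
```

The example only makes the point about input path; it does not cover how much of the account number the fragment must contain (too short a fragment lets an attacker pick a colliding account), nor the case where the user is socially engineered into typing the attacker's recipient themselves, which no device-side check prevents.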
I work in fintech, formerly as a contractor for some major banks, and absolutely nothing you say is true, generally.
This might be the case for a couple of banks - or maybe in one or two specific countries, but broadly, none of what you've said here applies to banks anywhere else in the world.
Which banks outside the US allow you to submit payments using only an arbitrary desktop browser, without any other device getting involved? No mobile phones to receive codes, no smartcard readers, no secure elements, nothing except a browser and a password? I have never encountered such a bank.
> In other words, there aren't many banks that let you take sensitive actions with just a browser and that's been true since the start of online banking.
When I started online banking I used a browser and a TAN list for years. No apps required.
"Browser and TAN list" is equivalent to "Browser and app". A browser can't be used in isolation, there is and was always some second factor required for online banking, but a banking app can be used in isolation.
Is Wells Fargo not a bank? It doesn't even use 2FA and you can log in via a browser and ship money all over the planet!
> Banks have never accepted browsers.
What are you talking about? My bank accepts browsers and is a major one.
You are completely wrong