Comment by ulrikrasmussen
3 months ago
Thats ... false. Every bank I have used in Denmark allows me to log in and do all operations without an app. They require authentication and authorization using the national digital identity (MitID) which comes as an app, but also as a TOTP token and a FIDO (or similar) chip. No apps needed.
I guess the smartcard reader is equivalent. But my point is that locking down the OS of the phone is sufficient to establish client trust but not necessary. You should always be allowed to run the app without strong Play Integrity verification but then just be required to scan your hardware token with NFC in every authentication and authorization flow.
That's mostly prevalent in third-world countries like Brazil. I work for a fintech-turned-bank here and the biggest problem we have to deal with is fraudulent actions made by scammers who got access to users' accounts via social engineering. Outsiders don't know how prevalent scamming is in Brazil and how much is spent/lost trying to fight them and how that shapes the security vs convenience landscape. For example:
- I can't transfer a single cent if I didn't had my face and documents scanned after installing the bank app.
- I can't have the same bank account logged in two of my devices at the same time, all banks require you to use an account on a "verified" device (previous point).
- If I want to use a desktop to access my bank account, I have to either install a desktop client provided by the bank or be limited to just checking my balance. Some banks doesn't even allow you to log in if you don't have a "verified" device for doing 2FA.
I am very sure my higher ups are cheering with these news, even though it solves none of the problems.
In the US too. I have never ran into a situation where I had to use the app instead of the browser. I don't know what that guy is talking about.
My US bank removed check deposits from the browser about a decade ago, and I haven't met anyone who can use Zelle without an app.
That is a far cry from the original comment "banks have never accepted browsers".
I have used zelle many times from the browser. It's been a while, so maybe that has changed, though. I never even tried to deposit a check from the browser or an app, so you may be right on that point.
I have 3 different banks (well 2 banks and a credit union.) I can use Zelle in my browser from all 3. I don't even have the app installed for 2 of them.
1 reply →
In my country almost all banks removed their web apps. They existed like 15 years ago, before smartphones became widespread, but nowadays very few banks offer web apps, only mobile apps.
That's exactly what I'm saying. They don't let you take actions using only a web browser. If you don't use a mobile app they issue you with trusted hardware that performs a similar function (although usually less secure and not as convenient).
My bank does still allow login and txns to be authorized with a smart card reader. You have to type in fragments of the account number to authorize a new recipient. After that you can send additional transactions to that account without hardware auth.
Pure NFC tokens don't work because you need trusted IO.
Not necessarily. In Poland you can do banking with a web browser + SMS code or one-time code card, no special hardware needed.
An SMS code can only be received by a phone (special hardware, not a browser). An OTC smart card is likewise special hardware, not a browser.
6 replies →
Alright, I think I misunderstood you. I know most banks allow alternatives other than the app.
But just the fact that there are options which have the side effect of making you choose between convenience and digital autonomy is wrong, and I don't think remote attestation should even exist in the toolbox. We should make dedicated hardware solutions work better instead.
Dedicated hardware solutions are remote attestation. The smartcard OTC readers are doing exactly that: you sign a challenge with a private key that never leaves the smartcard and is paired to the bank at the factory. This is what remote attestation is doing behind the scenes, the only difference is the smartcard user interaction is much more limited. It's of no use for protecting your financial privacy, for example, only for stopping a hacked display device authorizing transactions.
If you evolve the smartcard based systems with better I/O capabilities, then you end up with a modern smartphone. At which point you may as well let the user supply their own rather than charging them lots of money for a dedicated device that's not much different.
3 replies →