← Back to context

Comment by mike_hearn

21 days ago

That's exactly what I'm saying. They don't let you take actions using only a web browser. If you don't use a mobile app they issue you with trusted hardware that performs a similar function (although usually less secure and not as convenient).

My bank does still allow login and txns to be authorized with a smart card reader. You have to type in fragments of the account number to authorize a new recipient. After that you can send additional transactions to that account without hardware auth.

Pure NFC tokens don't work because you need trusted IO.

13 comments

mike_hearn

Reply
niutech  21 days ago

Not necessarily. In Poland you can do banking with a web browser + SMS code or one-time code card, no special hardware needed.

  • mike_hearn  21 days ago

    An SMS code can only be received by a phone (special hardware, not a browser). An OTC smart card is likewise special hardware, not a browser.

ulrikrasmussen  21 days ago

Alright, I think I misunderstood you. I know most banks allow alternatives other than the app.

But just the fact that there are options which have the side effect of making you choose between convenience and digital autonomy is wrong, and I don't think remote attestation should even exist in the toolbox. We should make dedicated hardware solutions work better instead.

  • mike_hearn  21 days ago

    Dedicated hardware solutions are remote attestation. The smartcard OTC readers are doing exactly that: you sign a challenge with a private key that never leaves the smartcard and is paired to the bank at the factory. This is what remote attestation is doing behind the scenes, the only difference is the smartcard user interaction is much more limited. It's of no use for protecting your financial privacy, for example, only for stopping a hacked display device authorizing transactions.

    If you evolve the smartcard based systems with better I/O capabilities, then you end up with a modern smartphone. At which point you may as well let the user supply their own rather than charging them lots of money for a dedicated device that's not much different.

    • ulrikrasmussen  21 days ago

      No, I reject the idea that general purpose computing devices should be locked down to satisfy a very narrow security use case. I really don't believe that you end up with a smartphone, and I don't think you give a very good argument for why.

      I am fine with locking down devices that have very limited security purposes. I am fine with my passport containing locked down hardware if it makes it harder to forge. But I am also not browsing the web on my passport, and therefore its security requirements cannot prevent me from removing ads.

      2 replies →