← Back to context

Comment by const_cast

20 days ago

1. I don't believe you. This is a measurement problem - you eliminated an avenue to measure abuse, because you are now just assuming abuse doesn't happen because you trust the client.

2. It does not eliminate any meaningful types of fraud. Phishing still works, social engineering still works, stealing TOTP codes still works.

Ultimately I don't need to install a fake app on your phone to steal your money. The vast, vast majority of digital bank fraud is not done this way. The vast majority of fraud happens within real bank apps and real bank websites, in which an unauthorized user has gained account access.

I just steal your password or social engineer your funds or account information.

This also doesn't stop check fraud, wire fraud, or credit card fraud. Again - I don't need a fake bank app to steal your CC. I just send an email to a bad website and you put in your CC - phishing.

9 comments

const_cast

Reply
mike_hearn  20 days ago

1. Well, going into denial about it is your prerogative. But then you shouldn't express bafflement about why this stuff is being used.

Nobody is making mistakes as dumb as "we fixed something we can measure so the problem is solved". Fraud and abuse have ground-truth signals in the form of customers getting upset at you because their account got hacked and something bad happened to them.

2. This stuff is also used to block phishing and it works well for that too. I'd explain how, but you wouldn't believe me.

You mention check fraud so maybe you're banking with some US bank that has terrible security. Anywhere outside the USA, using a minimally competent bank means:

• A password isn't enough to get into someone's bank account. Banks don't even use passwords at all. Users must auth by answering a smartcard challenge, or using a keypair stored in a secure element in a smartphone that's been paired with the account via a mailed setup code (usually either PIN or biometric protected).

• There is no such thing as check fraud.

• There is no such thing as credit card phishing either. All CC transactions are authorized in real time using push messaging to the paired mobile apps. To steal money from a credit card you have to confuse the user into authorizing the transaction on their phone, which is possible if they don't pay attention to the name of the merchant displayed on screen, but it's not phishing or credential theft.

  • const_cast  20 days ago

    > Nobody is making mistakes as dumb as "we fixed something we can measure so the problem is solved".

    There is an entire name for this: dark pattern.

    People make this mistake all the time. Its a very common measurement problem, because measuring is actually very hard.

    Are we measuring the right thing? Does it mean what we think it means? Companies spend hundreds of billions trying to answer those questions.

    2. Not it cannot block phishing because if I get your password, I can get in.

    To your points:

    - yes, banks in the US use one time codes too. Very smart of you, unfortunately not very creative. Trivial to circumvent in most cases. Email is the worst, SMS better, TOTP best.

    TOTP doesn't matter if the user just takes their code and inputs it into whatever field.

    - yes there is such a thing as check fraud, you not knowing what it is doesn't matter.

    - if I had to authorize each CC transaction on my phone, I'd put a bullet in my head. That's shit.

    • mike_hearn  19 days ago

      Yeah this thread boils down to US vs rest-of-world confusion. Or maybe a US vs Europe confusion.

      TOTP, which you say is best, is considered weak sauce outside the US. I don't know any banks that have used it for a very long time. It's not secure enough. Cheques were phased out decades ago. There are entire generations in Europe who have never even seen a cheque, let alone written one. I think the last time I had a chequebook issued it was in 2004.

      IIRC the differences arise because in the US consumer legislation makes merchants liable for refunding fraudulent transactions, so banks and consumers have no incentive to improve security and merchants can't do it except via convoluted and hardly working risk analysis. It's just so easy to do chargebacks there that nobody bothers fixing the infrastructure. This pushes everyone into the arms of Amazon and the like because they have the most data for ML.

      Outside the US and especially in Europe, merchants aren't liable for fraudulent transactions if they verified the credentials correctly. It's much harder to do chargebacks as a consequence. Even if a merchant delivered subpar stuff or there was some other commercial dispute, chargebacks are very hard (I tried once and the bank just refused). So liability shifts to banks, unless they can show that the transaction was authorized by the account holder and they had correct information. That means banks and merchants are incentivized to improve security, and they do.

      5 replies →

  • jofla_net  20 days ago

    Well it is still a phone after all, what with UMA and baseband processing. You don't need to spend much time at Blackhat/Defcon to realize any true attempts at sealing it up are akin to plugging leaks in a sieve with epoxy. Its far too porus.

    Meanwhile if attestation does reduce fraud, the ownability (by the user) of the device is now forfeit due to chasing a dragon's tail.