
Comment by const_cast

21 days ago

> Nobody is making mistakes as dumb as "we fixed something we can measure so the problem is solved".

There is an entire name for this: dark pattern.

People make this mistake all the time. It's a very common measurement problem, because measuring is actually very hard.

Are we measuring the right thing? Does it mean what we think it means? Companies spend hundreds of billions trying to answer those questions.

2. No, it cannot block phishing, because if I get your password, I can get in.

To your points:

- yes, banks in the US use one-time codes too. Very smart of you, unfortunately not very creative. Trivial to circumvent in most cases. Email is the worst, SMS better, TOTP best.

TOTP doesn't matter if the user just takes their code and inputs it into whatever field.

- yes, there is such a thing as check fraud; you not knowing what it is doesn't matter.

- if I had to authorize each CC transaction on my phone, I'd put a bullet in my head. That's shit.
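The relay problem raised above ("TOTP doesn't matter if the user just takes their code and inputs it into whatever field"), as an added example that is not code from any commenter in this thread: a working RFC 6238 TOTP implementation, a toy bank login that checks it, a real-time phishing relay that succeeds against it, and a toy origin-bound signed challenge (the property that hardware authenticators rely on) that the same relay fails against. The class names, the demo secret, the password and the two origins are all made up for the demo; HMAC stands in for a device signature.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)

# Constructed demo secret in the base32 form a QR-code enrolment hands out. Not a real account.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(base64.b32decode(secret_b32), at // step, digits)


class TotpBank:
    """Toy relying party (hypothetical). Knows the password and the shared TOTP secret."""

    def __init__(self, password: str, secret_b32: str):
        self.password = password
        self.secret = base64.b32decode(secret_b32)
        self.used_steps: set[int] = set()  # each step's code is accepted once (replay protection)

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        step = now // TIME_STEP  # exact step only; real servers usually also allow +/-1 for clock skew
        if step in self.used_steps:
            return False
        if not hmac.compare_digest(hotp(self.secret, step), code):
            return False
        self.used_steps.add(step)
        return True


def relay_phish_totp(bank: TotpBank, victim_password: str, victim_secret_b32: str, now: int) -> bool:
    """Real-time phishing relay: the fake page collects the password and the fresh code the victim
    types, and the attacker submits both to the real bank inside the same 30-second step.
    Nothing in the TOTP scheme tells the bank which site the user thought they were typing into."""
    code_typed_into_fake_page = totp(victim_secret_b32, now)
    return bank.login(victim_password, code_typed_into_fake_page, now)


class OriginBoundAuthenticator:
    """Toy model of an origin-bound signed challenge, the property that defeats the relay.
    HMAC stands in for the device's signature; the key never leaves the device, and the
    origin is supplied by the browser from the page it is actually on, not typed by the user."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def sign(self, origin_seen_by_browser: str, challenge: bytes) -> bytes:
        return hmac.new(self.device_key, origin_seen_by_browser.encode() + b"|" + challenge,
                        hashlib.sha256).digest()


class OriginBoundBank:
    """Toy relying party that verifies the signature over its own origin plus the challenge."""
    ORIGIN = "https://bank.example"  # hypothetical origin

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        expected = hmac.new(self.device_key, self.ORIGIN.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def relay_phish_origin_bound(bank: OriginBoundBank, auth: OriginBoundAuthenticator, challenge: bytes) -> bool:
    """Same relay against the origin-bound scheme: the attacker forwards the bank's real challenge,
    but the victim's browser signs for the phishing origin, so the bank's check fails."""
    signature = auth.sign("https://bank-login.example", challenge)  # hypothetical phishing origin
    return bank.verify(challenge, signature)


def demo(now: int = 1_700_000_000) -> dict:
    """Run both relays at a fixed clock and report which ones the toy banks accept."""
    bank = TotpBank("correct horse battery staple", DEMO_SECRET_B32)
    totp_phished = relay_phish_totp(bank, "correct horse battery staple", DEMO_SECRET_B32, now)
    # a second use of the same code in the same step is refused, which is why the relay must be live
    totp_replayed = bank.login("correct horse battery staple", totp(DEMO_SECRET_B32, now), now)

    key = b"constructed-device-key-for-demo"
    ob_bank = OriginBoundBank(key)
    auth = OriginBoundAuthenticator(key)
    challenge = b"random-challenge-from-bank"  # constructed; a real RP would draw this from a CSPRNG
    legit = ob_bank.verify(challenge, auth.sign(OriginBoundBank.ORIGIN, challenge))
    ob_phished = relay_phish_origin_bound(ob_bank, auth, challenge)
    return {"totp_relay_succeeds": totp_phished, "totp_replay_succeeds": totp_replayed,
            "origin_bound_legit_succeeds": legit, "origin_bound_relay_succeeds": ob_phished}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the code makes is the one the comment makes: the TOTP server never learns where the user typed the code, so a live relay within the step window is indistinguishable from the real user, whereas a challenge signed together with the origin the browser actually connected to cannot be forwarded from a look-alike domain. The `totp` function is checked against the RFC 6238 reference vector (secret `12345678901234567890`, T=59, 8 digits).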

Yeah this thread boils down to US vs rest-of-world confusion. Or maybe a US vs Europe confusion.

TOTP, which you say is best, is considered weak sauce outside the US. I don't know any banks that have used it for a very long time. It's not secure enough. Cheques were phased out decades ago. There are entire generations in Europe who have never even seen a cheque, let alone written one. I think the last time I had a chequebook issued it was in 2004.

IIRC the differences arise because in the US consumer legislation makes merchants liable for refunding fraudulent transactions, so banks and consumers have no incentive to improve security and merchants can't do it except via convoluted and hardly working risk analysis. It's just so easy to do chargebacks there that nobody bothers fixing the infrastructure. This pushes everyone into the arms of Amazon and the like because they have the most data for ML.

Outside the US and especially in Europe, merchants aren't liable for fraudulent transactions if they verified the credentials correctly. It's much harder to do chargebacks as a consequence. Even if a merchant delivered subpar stuff or there was some other commercial dispute, chargebacks are very hard (I tried once and the bank just refused). So liability shifts to banks, unless they can show that the transaction was authorized by the account holder and they had correct information. That means banks and merchants are incentivized to improve security, and they do.

  • This is just blatantly false. Literally every bank in Denmark which is not an e-bank lets you do everything with a browser and the national digital identity, MitID. MitID offers an app, but they also offer alternatives both in the form of TOTP generators and NFC/USB hardware chips.

    • If by TOTP you mean an app like Google Authenticator, those are expected to be phones, aren't they? And the other things, as we already discussed, are hardware systems they can remotely attest - not browsers on their own.

      People seem to be getting really hung up on this point. Accepting a browser means letting you do everything with nothing but whatever program you want that speaks HTTP. No special apps or authenticators or extra tokens. You should be able to write a plain Python script that sends money whenever it wants, on its own.

      European banks do not allow this in my experience, and nothing being posted to this thread indicates otherwise. Apparently there are some banks, especially in the USA, that just don't care about security at all because they can push fraud costs onto merchants, so they do accept browsers for everything, or they make some trivial effort and, if users undermine it using Google Voice or whatever, they don't care - that's fine, I overgeneralized by saying "banks" instead of geographically qualifying it. Mea culpa.

      But in your case, you need the assistance of something that's not a browser.
