Comment by rattyJ2
19 days ago
I could be one of the people running an ungoogled phone, but my bank refuses to have an app that runs on an ungoogled OS for "security"
19 days ago
I could be one of the people running an ungoogled phone, but my bank refuses to have an app that runs on an ungoogled OS for "security"
My bank used to block VPNs “for security reasons.”
Now they very kindly just display a warning.
Gas station app I use asks to turn VPN off every launch (even when it is disabled)
Why does a gas station need an app?
6 replies →
It’s likely incompetence than malice. Chances are they’ve had a lot of customer complaints because some popular free VPN interferes with their app, and adding a blanket warning about VPNs is easier than trying to figure out why it’s not working and fix it.
Write them. My bank's app had safetynet, but they disabled it and now it is usable over GrapheneOS.
Unfortunately no NFC Payments though, since they are only available for Google Wallet (which uses safetynet)
> Unfortunately no NFC Payments though, since they are only available for Google Wallet (which uses safetynet)
A workaround for NFC payments I've heard about for folks running OSes on their Androids that don't support that feature is a smartwatch with NFC.
Precisely. Google pixel, Garmin watches, even Samsung watches.
Or using a bank that supports NFC payments (not using Google Wallet).
GrapheneOS Foundation raised this practice with European Commission because it unfairly penalises secure and safe competition giving instead a lie to the developers and banks that ancient, unsafe, vulnerable platforms are more secure.
4 replies →
My bank blocks my mobile with Lineage OS, and it's not even possible to login to the web site without the mobile app. Absolutely pathetic.
Now I have to keep my 4 year old phone with 2 year outdated Android to access the bank application. Which deemed more safe then my mobile with latest security updates. Haha
It's even better than that. Banks (for example Revolut) consider several years old phones, running ancient OS (last I checked they allowed A10) without security updates for some 7 years, so riddled with zero-click/RCE vulnerabilities, but they do not allow GrapheneOS, which is currently the safest OS in mobiles (on par/beating iOS, depending whom you ask).
Yes, banks* claim phones riddled with maximum severity security issues are secure. Also phones that are rooted but using magisk modules to conceal this fact, and use spoofed signatures from ancient hardware, but the most safe platform is not secure enough for them.
Go figure.
*not all, there are notable exceptions explicitly supporting secure platforms through the modern Hardware Attestation model.
These are the same banks that very often have no app-based MFA login, and refuse to do anything other than send me an SMS TOTP.
The irony is that they'd rather suffer losses from fraud if the fraud is less than the cost of setting up App-based TOTP and a campaign to get customers to use the app. Yet they suddenly get all in a huff about PCI compliance as CYA so they don't have to pay an app developer to figure out how to check "is phone rooted? Yes. Which OS?"
last time I walked into the bank to do something, they tried to peddle their app. I giggled and said no, their developers don't understand security.
my phone is rooted and their app won't work.
Unfortunately, I can say with 100% confident, the customer service of my bank will not freaking understand what is a rooted phone, or LineageOS ...
And my bank's web app developer couldn't even fix their log in bug for several months. I realize, now, it's because they want to sunset their web portal.
Which is extremely annoying ... what if I don't have my mobile!!
Lazy, and greedy corporates, just trying to save their costing with shortcuts, never realizing security is never achieved by taking shortcuts.
1 reply →
> I giggled and said no, their developers don't understand security.
Their developers usually understand security well enough.
The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).
EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.
1 reply →
It's their security and not your security, don't mix up
2 replies →
If you're going so far as to install Lineage, couldn't you take the small step further and download alternate browsers to change the user agent? (Unless the default Lineage browser can do this already.)
I run a Google'd OS for now but I haven't used my bank's terrible app in years and years. I use their terrible website via desktop mode instead.
Well, to add insult to the injury, this bank does not allow website login without the mobile app. Which is absolutely infuriating. I did mention that on my comment :-)
You do have the option to change your bank when they consistently do dumb stuff you don't approve of. Shopping around will probably get you a better savings rate anyway.
Unfortunately, not an option right now. Setting up foreign currency payout is difficult in my country, a lot of paperworks needed, we don't even have PayPal. Also, the previous autocratic government, that was forcefully expelled after a bloody movement, left most of the banks in ruin. So not a lot of options left.
1 reply →
I have never heard of a bank that has a hard requirement of a mobile app. Certainly none of the major banks like Wells Fargo or Chase require one. I do not own a phone and managers at times have to come up with undocumented fallback methods, but there is always a way.
I cannot imagine a legal defense for forcing someone to accept the terms of service of Apple or Google to use their bank account.
> I have never heard of a bank that has a hard requirement of a mobile app.
It shouldn't be a thing, but it is. In the Netherlands the newer digital-only banks are allowed to do this. No smartphone, no service.
The more established banks (systeembanken) do have alternatives, but realistically not using their app for login auth and transaction approval is a huge pain in the ass.
(My bank, ABN AMRO, has an app which thankfully works fine on GrapheneOS.)
That sounds like it's a hard requirement for checking your bank balance/etc over the internet. Can't you just not do that and phone them up or go in person or read the monthly sent paper balances? Or just keep track yourself... A bank without a physical location is something I'd steer well clear of.
I barely use my bank's website and could easily not use it at all and still have all the functionality that a bank provides.
3 replies →
In Sweden we use BankID (there is a similar service with the same name in each Scandinavian country).
It's impossibly convenient to be perfectly fair with you, however I know that my bank has stopped issuing the "BankID Card" (which was a card and pin device that allowed you to generate challenge numbers)- and now forces you to use the BankID app -- which will not run on rooted phones of course.
It's even slightly worse as the App requires NFC; so I can't keep a backup on my iPad (which is what I was doing before).
It is quite possible that you still may be able to obtain it by annoying them - in some cases provisions related to supporting disabled peoples can prevent them from fully getting rid of it.
On the last change my bank made me call to their hotline (even though everything else is possible to be done online) to keep using a separate hardware device - which ended up being just "so, you don't want to do it on a phone?" - "yep" - "ok, should be with you in a week or so".
I nowadays consider my phones pretty much throwaway devices - I don't have full control, I can't fully trust them. Plus they could be stolen, break when I drop it into water outside, ... - so I think it's ridiculously stupid to tie anything important to a phone as main authenticator.
Overall the usefuleness of a phone has been declining steadily - the selling point of a smart phone originally was that I have an app, and because it's a reasonably trusted device it'll store credentials, and I can use the app without logging in every time. By now most of the apps are just repackaged websites, and because of that - and because they don't trust their backends - we now have quickly expiring tokens in use in the apps as well. Most of the apps I don't use every day - and over the last few months every single one wanted me to log in again next time I used it.
Adding to that the nonsense of "there's a new app available, download that first before using" which typically doesn't add anything of value to me, and we're now at a state that not only does the typical smart phone app not offer a benefit over just using a website - it now often is even worse than just using a website.
BankID works great on GrapheneOS fortunately.
4 replies →
If you install the app then you are complicit in normalizing the requirement of signing terms of service and data sharing agreements to US technology companies in order to do banking.
Feel free to say you are a member of the Church of Cryptography and that installing proprietary corporate controlled apps is against your religion.
Never been asked to install an app for banking, but a health care clinic dropped me as a patient for not buying a phone that can install their app. I was the first case where a patient refused to conform. Found a new clinic who was willing to earn my business with phone and email correspondence. The original clinic escalated the case to corporate HQ when I filed a public medical malpractice complaint, and they ultimately responded by adding a webapp.
DEMAND the right to live your life without corpotech in your pocket. I am now 5 years without a smartphone working as an engineer and founder with an active social life who frequently travels and it can absolutely be done.
In Europe there are, e.g. at least some subsidiaries of Societe Generale, which have closed their Web sites on which their online banking services were previously available, and which refuse to provide their mobile apps otherwise than through the Google Store.
I doubt very much that it is possible for this practice to be legal, i.e. to condition the services of an European bank of the existence of a contractual relationship with a third party, which is non-European.
Nevertheless, nobody has enough spare time and money to challenge legally such banks.
Now I do my operations mostly through other banks that still have browser-based online banking, but I have not closed yet my last account at such a Societe Generale subsidiary, because I have regressed to use an antique SMS-based substitute for online banking, which is good enough for that account, which I keep only for a credit card used mostly for shopping in supermarkets or the like.
> I have never heard of a bank that has a hard requirement of a mobile app
My bank's app recently started warning me that I should "Turn off developer mode" for """security""" on every sign-in. This warning doesn't stop me from using the app yet, but I'm sure it'll get there.
> I have never heard of a bank that has a hard requirement of a mobile app
My banks all require their own individual apps for authentication and authorization. I can use the website but to log in and authorize any transactions I need their app. Ironically this runs on my 8 year old Android 10 phone (used as a backup) so security can't be part of it.
Bunq comes to mind, I'm guess N26 and Revolut are similar, app first "fin-tech" banks.