Comment by exe34
20 days ago
last time I walked into the bank to do something, they tried to peddle their app. I giggled and said no, their developers don't understand security.
my phone is rooted and their app won't work.
Unfortunately, I can say with 100% confidence that the customer service of my bank will not freaking understand what a rooted phone or LineageOS is ...
And my bank's web app developers couldn't even fix their login bug for several months. I realize now it's because they want to sunset their web portal.
Which is extremely annoying ... what if I don't have my mobile?!
Lazy and greedy corporates, just trying to save on costs with shortcuts, never realizing security is never achieved by taking shortcuts.
They don’t care much about security as long as it doesn’t cost them much.
> I giggled and said no, their developers don't understand security.
Their developers usually understand security well enough.
The problem, especially for banks, is that they're zero-risk driven; their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6-year-old mobile, unmaintained for 4, is considered more secure than the weekly build of a community-based custom ROM running with a locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).
EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.
> So instead of mitigating it they chase risk elimination (!= reduction) at any cost,
I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.
It's their security and not your security, don't mix them up.
'their security' in what way? Is an app more likely to be exploited than a web browser?
and yet their website works fine on my desktop Linux using a browser...