Comment by plqbfbv
20 days ago
> I giggled and said no, their developers don't understand security.
Their developers usually understand security well enough.
The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).
EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.
> So instead of mitigating it they chase risk elimination (!= reduction) at any cost,
I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.