Comment by matheusmoreira

21 hours ago

Smartphones have cryptographic hardware that can provide proof that a device has not been "tampered with". This is called attestation. The hardware attests to the fact that trust has been preserved since boot.

Your device will not attest to this if you install your own operating system, if you root your phone, if you do anything that they don't like, anything at all.

You install your bank's app and try to use it. The bank's servers ask for the attestation. You will not have one. They decide you cannot be trusted and deny you service.

Even if you can program your own keys into your device, nobody is gonna trust those keys. Why would your bank trust your own keys? They'll trust Google's keys, Apple's keys, the government's keys. You? You don't get to participate.

The corporations and governments want to own your computer. They demand cryptographic proof that your device is owned by them and that they have complete control. If you don't provide it, you're banned and ostracized from everything.
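The bank-side check described in this comment, as an added illustration that is not code from the poster, any bank or any phone vendor: a toy attestation verifier in Go, with ed25519 standing in for the real attestation key chain, a constructed "vendor root" playing the role of Google's or Apple's key, and a constructed owner-programmed key. The "<nonce>|verified" statement format, the function names and the nonce values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)
// Attestation is what the banking app hands the bank's server: a statement of
// the form "<nonce>|verified" or "<nonce>|unverified", signed by the device key.
type Attestation struct {
	Statement, Signature []byte
	Signer               ed25519.PublicKey
}
var (
	ErrUntrustedSigner = errors.New("signer is not a vendor root the bank trusts")
	ErrBadSignature    = errors.New("attestation signature does not verify")
	ErrNonceMismatch   = errors.New("nonce mismatch: stale or replayed attestation")
	ErrUnverifiedBoot  = errors.New("device reports unverified boot")
)
// Verify models the bank-server check. anchors holds vendor root keys keyed by
// string(pub); an owner-provisioned key is rejected before boot state is read.
func Verify(att Attestation, anchors map[string]bool, nonce string) error {
	gotNonce, state, _ := strings.Cut(string(att.Statement), "|")
	switch {
	case !anchors[string(att.Signer)]:
		return ErrUntrustedSigner
	case !ed25519.Verify(att.Signer, att.Statement, att.Signature):
		return ErrBadSignature
	case gotNonce != nonce:
		return ErrNonceMismatch
	case state != "verified":
		return ErrUnverifiedBoot
	}
	return nil
}

// Attest stands in for the attestation hardware signing a statement with priv.
func Attest(priv ed25519.PrivateKey, nonce string, bootVerified bool) Attestation {
	state := map[bool]string{true: "verified", false: "unverified"}[bootVerified]
	body := []byte(nonce + "|" + state)
	return Attestation{body, ed25519.Sign(priv, body), priv.Public().(ed25519.PublicKey)}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // constructed vendor root
	_, ownerPriv, _ := ed25519.GenerateKey(nil)          // key the owner programmed
	anchors := map[string]bool{string(vendorPub): true}  // the only root the bank trusts
	fmt.Println(Verify(Attest(vendorPriv, "c1", true), anchors, "c1")) // <nil>
	fmt.Println(Verify(Attest(ownerPriv, "c1", true), anchors, "c1"))  // untrusted signer
}
```

The second call shows the point of the comment: the owner's key signs a perfectly valid "verified" statement, and the server never even looks at the boot state because the key is not in its anchor set.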

The most absurd part is that you totally can access home banking from your desktop PC with Linux, without any need for hardware attestation.

Suddenly it's mandatory because the device is a phone?

  • These days banking is one of the things for which a phone is required. It is used as the primary banking device for most people, and for the rest it is required for two factor authentication when logging in on a PC or to verify online transactions.

    Maybe some bank would allow you to use some third party two factor authentication device to log in sometimes, but most (if not all) would require you to use their "app".

  • In my country, banks force us to install "security modules" in order to do this. Once upon a time, back when I used Windows, I got bored and tried to pry one of these things open to see why they made the computer so unusably slow. I caught it intercepting every single network connection and doing god knows what with them. That told me all I needed to know.

    It used to be that Linux users like me were exempt but at some point they added Linux support. Now there's a goddamn AUR package for this thing.

    https://aur.archlinux.org/packages/warsaw

    https://aur.archlinux.org/packages/warsaw-bin

    > Banking security tool developed by GAS Tecnologia

    Yeah. Banking security tool. Who the fuck even knows what it does? It sure as hell isn't me. That thing is not going anywhere near my system.

  • I really don't understand why they do this - what is so special about banking apps vs a banking site in a web browser.

    What is the particular threat model of a rooted phone?

  • People in Europe no longer can, thanks to PSD2.

    • Of course we can, even HBCI still works, and you can even access your (German) bank account from within KMyMoney.

      For the website, it's also easy, even with PSD2 you can just get a physical TAN generator.