
Comment by microtonal

4 days ago

> Needing to use a verified boot chain with keys that the bank trusts is essentially the same as using the authenticator device from said bank,

It's not, because even though the authenticator is secure, you are entering the auth codes in a browser in a general-purpose desktop OS with (if you use Windows or desktop Linux) little to no sandboxing outside the browser. You are one malware app (or NodeJS package for tech users who claim they'll never download malware) away from your session getting hijacked.

The sad reality is that phones (and some tablets) are the only relatively secure computing environments that we have. Thanks to Windows with its decades of piled-up legacy and Linux with large sandbox- and secure-boot-hating parts of its community, we cannot have nice things.

(The part about the Linux community, which I'm also part of is a generalization, but the hostility against Flatpak, secure boot, etc. is pretty big.)

That seems wrong. If malware can fake what the authenticator shows me, the authenticator is broken!

It doesn't matter what device relays the code I typed over or otherwise transmits the approval through untrusted networks to the server

> The sad reality is that phones (and some tablets) are the only relatively secure computing environments that we have

My bank('s authenticator hardware) begs to differ

  • That seems wrong. If malware can fake what the authenticator shows me, the authenticator is broken!

    That's not what I am saying. The authenticator is irrelevant to this attack. If your machine is compromised by malware, the malware could take over the browser session, regardless of how you log in.

    Phones are better protected against persistent malware because every application is sandboxed (harder to escalate) and much more of the boot chain/OS is validated (harder to persist).

    • The authenticator preserves account integrity with the compromised host attack you describe. The device I have shows something like "you are authorising a transaction of 1337€ to RU07BANK012345678, y/n?". What an attacker can do is read along while I log in, but not modify data

      The server generates the challenge that's sent to the authenticator. The attacker can modify and replace it by being in your browser and show any text on your computer screen, but the authenticator will either show the truth, or the approval code it generates doesn't match the server's challenge

      > That's not what I am saying. The authenticator is irrelevant to this attack.

      If you need to change the security measures (take out the authenticator) in order to be able to mount an attack, maybe that means the security measure is working? xD

      Trying to understand your point here. If you're merely saying that phones have better process isolation then I can only agree, but I wasn't saying that it doesn't. You can use online banking on your phone OS if you like, or use Android on your laptop. The comment you replied to upthread said that I'd like to have ownership of and freedom within my own hardware, in order to have privacy. When banks require that my phone is DRM'd with some keys from Google, Samsung, or Apple, then suddenly that has a lot of consequences for what I can and cannot do with, or inspect about, the device. Using an external authenticator, which they can attest to their heart's content, is the solution that I'm using and aligns with all parties' goals. Banks don't need to require that everyone's phone is locked down in order to use the banking software, just like it isn't in the browser, while still meeting their security goals
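The challenge binding described in the comment above (the device displays the transaction the server actually intends to execute, and the code it emits only verifies against that exact challenge) can be modelled in a few lines. This is an added example, not code from any commenter or from any bank's authenticator; it assumes a shared per-device HMAC key, a canonical encoding of the amount/currency/IBAN fields, and an HOTP-style 8-digit truncation, all constructed for illustration. The three scenarios at the end cover a clean host, a browser that rewrites the transfer (the device shows the truth, the user declines), and a browser that replays a code the user generated for the intended transfer against a tampered one (the server rejects it).

```python
# Added example: what-you-see-is-what-you-sign transaction approval,
# a simplified model of the bank-authenticator flow discussed in the thread.
import hashlib
import hmac
import secrets

# Assumption: bank and authenticator share a per-device secret provisioned at
# enrolment. Constructed demo value; real devices may use other key schemes.
DEVICE_KEY = b"constructed-demo-key-do-not-use"


def canonical(tx):
    """Canonical byte string of the fields the user must see on the device."""
    return f"{tx['amount_cents']}|{tx['currency']}|{tx['to_iban']}".encode()


def server_issue_challenge(tx):
    """Bank side: bind a fresh nonce to the transaction it is about to execute."""
    return {"nonce": secrets.token_hex(8), "tx": tx}


def authenticator_code(key, nonce, tx_shown):
    """Code covering both the nonce and the details shown on the device display."""
    mac = hmac.new(key, nonce.encode() + b"|" + canonical(tx_shown), hashlib.sha256).digest()
    # HOTP-style dynamic truncation to 8 digits, only so a human can type it.
    offset = mac[-1] & 0x0F
    num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{num % 10**8:08d}"


def authenticator_approve(key, challenge, user_accepts):
    """Device side: show challenge['tx']; user_accepts(tx) models the y/n prompt."""
    tx = challenge["tx"]
    if not user_accepts(tx):
        return None  # user declined; no code is ever produced
    return authenticator_code(key, challenge["nonce"], tx)


def server_verify(key, challenge, code):
    """Bank side: the code must match the challenge the bank itself issued."""
    expected = authenticator_code(key, challenge["nonce"], challenge["tx"])
    return code is not None and hmac.compare_digest(expected, code)


def run_scenarios():
    intended = {"amount_cents": 5000, "currency": "EUR", "to_iban": "NL00DEMO0000000001"}  # constructed
    tampered = {"amount_cents": 133700, "currency": "EUR", "to_iban": "RU07BANK012345678"}  # thread's example
    user = lambda tx: tx == intended  # the user only approves what they meant to send

    # 1. Clean host: server and device see the same transaction.
    ch = server_issue_challenge(intended)
    clean_ok = server_verify(DEVICE_KEY, ch, authenticator_approve(DEVICE_KEY, ch, user))

    # 2. Compromised browser rewrites the request; the device shows the
    #    server's (tampered) view and the user declines.
    ch = server_issue_challenge(tampered)
    declined = authenticator_approve(DEVICE_KEY, ch, user) is None

    # 3. Compromised browser captures a code the user generated for the intended
    #    transfer and submits it for a challenge the server bound to the tampered one.
    ch_real = server_issue_challenge(intended)
    ch_tampered = server_issue_challenge(tampered)
    replayed = authenticator_approve(DEVICE_KEY, ch_real, user)
    replay_accepted = server_verify(DEVICE_KEY, ch_tampered, replayed)

    return {"clean": clean_ok, "declined": declined, "replay_accepted": replay_accepted}


if __name__ == "__main__":
    print(run_scenarios())
```

The point the model makes concrete is that the browser is only a relay: it can change what is displayed on the PC screen and what is sent to the bank, but it cannot make the device display anything other than the server's challenge, and it cannot produce a code for a transaction the user never approved on the device.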