Comment by coldtea
7 hours ago
Banks shouldn't have custom apps that are not mobile websites, accessible via the mobile browser just as well.
7 hours ago
Banks shouldn't have custom apps that are not mobile websites, accessible via the mobile browser just as well.
Apparently there are special auth apps storing things in secure-enclave-ish parts of the OS. Not a great match for websites.
The OS/browser could give this capability to web apps via an API.
That would be a breeding ground for malware.
No, that's just BS.
The web has a secure storage standard and OAuth + MFA is just as secure as anything your bank could cook up in an app. In fact, I'd be shocked if banks did a better job of security in their apps vs what browsers and standard auth flows provide.
Banks just like selling the idea that "if it's encrypted, it's secure". But trust me when I say this, bank security across the board absolutely sucks. The company I work with does financial data ingest and... yeah... There's more than a few institutions where we had to pull teeth to get them to send stuff through an encrypted transport (SFTP, for example, they want to just use FTP).