Comment by notpushkin
3 days ago
This. Plus if I want to access my bank account on a device I trust, the bank shouldn’t say “hey we don’t trust it so buzz off”. It’s my money in that account.
I understand there’s some stupid compliance thing that makes banks do this, but it clearly isn’t a hard requirement, as there’s still plenty of banks that don’t participate in this security theatre.
To be fair to your bank, it has to cover you if your money gets stolen through a hack through their app, no matter what your operating system is.
I’d very much love to have an option to waive that cover though! Just give me a scary warning “hey, we’ve determined your device is unsafe; so if you get hacked through that device, you agree not to hold us liable for that. proceed? [y/N]”
For more specific mitigations, they could issue shorter-living tokens to such devices, in case it gets stolen and it didn’t store the token properly (say, the user did something stupid like “hey I’ll substitute secure enclave with a shim that writes secrets to an SD card”). And they could limit certain critical functions that do require attestation for some reason (e.g. Host Card Emulation, aka “tap your phone to pay”, which they usually delegate to Google Wallet/Pay/Wallet anyway).
Wise seems to do it correctly. It works on rooted phones, even, just gives a scary warning and blocks some app functions. They also have a fully functional webapp, so you mostly don’t need the app anyway. Revolut, on the other hand, has outright blocked me from my account – so I’m not using it anymore.
You may waive that cover, but when (not if) you get hacked and your money gets stolen, someone still has to pay it back or you will die. Neither of those options are okay with the government and only one is okay with your bank.