
Comment by labcomputer

3 days ago

> Attestation purports to prove the code is running on an "approved" device. There are multiple reasons that has no real security value.

BART (San Francisco Bay Area Rapid Transit), as a real world example, recently installed "evasion-proof" fare gates, and observed a 90% drop in vandalism-related maintenance expense. An overwhelming majority of fare evaders are not vandals, but apparently nearly all vandals were fare evaders. Bayes' theorem in action.

I don't have any data to back this up, but my sense is that attestation is an analogous situation.

In other words, banks and governments and other such institutions have noticed (and they probably do have data to back this up) that very few of their customers use "unapproved" devices and a very large majority of fraud comes from "unapproved" devices. They view banning unapproved devices as a high-ROI means to reduce fraud.

So, any argument predicated on "attestation is not security" is doomed to fail, just like saying "most fare-evaders aren't vandals". Yes, most people running GrapheneOS aren't trying to commit bank fraud, but the banks don't care about that if nearly 100% of fraudsters are using unapproved devices.

> In other words, banks and governments and other such institutions have noticed (and they probably do have data to back this up) that very few of their customers use "unapproved" devices and a very large majority of fraud comes from "unapproved" devices.

What would cause you to think that to be the case?

There are two primary ways that bank fraud happens. The first is that the attacker steals the user's credentials, at which point they can sign into the user's account and transfer funds, and can use any device the bank requires because they already have the credentials. The second is that the attacker convinces the user to transfer the money and then once again the user is using an approved device if that is required, and requiring it in no way prevents the attack.

Moreover, even if there was a statistical correlation -- which there is no reason to expect in this case -- that doesn't help you when the attackers could just use their stolen credentials on an approved device anyway, regardless of what they were doing before.

Vandalism can be reduced by excluding fare evaders because that's a class of people rather than a class of devices. Requiring the attackers to use an approved device when the approved device still allows them to commit the fraud accomplishes nothing.

  • > Vandalism can be reduced by excluding fare evaders because that's a class of people rather than a class of devices.

    Just observing: People who don't own an iPhone or modern Android are also, generally, of a class -- and probably one banks would prefer to not do business with for profitability reasons.

    People who don't have spyware/lockinware for principled reasons are currently rare enough to not matter in this analysis -- though sure, they're probably customers the bank wants.

    • > Just observing: People who don't own an iPhone or modern Android are also, generally, of a class -- and probably one banks would prefer to not do business with for profitability reasons.

      I don't know about that. There are plenty of retirees who want nothing to do with this "modern technology" while still having large amounts of retirement savings that the bank very much wants at their institution.

      Small (and for that matter large) business owners also have a tendency to have complicated financial situations and correspondingly want to deal with them using a computer screen rather than a phone, and that's another class of customers banks are certainly not interested in driving away.

      Meanwhile I take it you're implying that the people who don't have a smartphone to do banking on are undesirable poors, but those are the people who do use a phone for banking, because bargain bin Android phones are available for ~$15 and that's the extent of what they can afford for an internet device.

      Whereas the people using the likes of GrapheneOS might well be a small percentage of the customer base but they're still generally the class of customers the banks like, i.e. tech people with upper middle class financial situations.