undefined | Better HN

0 pointsAspos4mo ago0 comments

Well, I've built a bunch of mobile banking apps and we did detect if the phone was rooted, was in dev mode, etc. and it is not because we were "stupid, consumer-hostile, and anti-competitive".

If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

There is no way to store customer's secrets in a PC browser securely, so all the "dangerous" transactions were outright prohibited in the web app or made available only via temporary QR login.

All this is just is a negative side effect of customer protection laws.

0 comments

elric4mo ago

These practices are strengthening the Google/Apple hegemony and are ultimately damaging user freedoms and consumer protections. I'm sure that's not your employer's intention, but it is a negative thing that they're contributing to. And because of how essential banking is, banks have a big thumb on this particular scale, and I wish they'd use it for good rathet than for enriching and entrenching evil.

Zak4mo ago

I understand (but vehemently oppose) the argument for root detection. What risks to banks see from having developer settings enabled?

realusername4mo ago

Great, so the no-name iPhone clone in China passes your test but EOS doesn't.

There's no way to assess the security of a rom from an app and it's about time that banks learn this reality.

Software on mobile is even more fragmented and less standardized than on desktop

izacus4mo ago

> If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

Now that's just not true now, is it? Sure the lawyers told you that (the ones that get paid to tell you that), but nowhere in EU was a bank actually fined for not root checking a device.

They were plenty fined by being utterly incompetent with security practices and doing them poorly - like trying to inject wierd .SOs to do the root detection you're defending.

mike_hearn4mo ago

Literally three days ago: https://www.complianceweek.com/regulatory-policy/eu-agrees-r...

"Payment service providers (PSPs) operating in the EU will have to cover customers’ losses from fraud if their fraud protection regimes are inadequate or poorly implemented under new EU rules."

Other places like the UK had such rules already.

izacus4mo ago

Note how this says nothing about root lockout.

The fact that no root lockout means "inadequate protection" is something you projected onto this statement and that's the part I'm addressing in my comment.

No one actually got fined for root protection specifically.

1 more reply

AsposOP4mo ago

No bank got fined for not root checking, correct. However banks are on the hook for unauthorized transactions. And "unauthorized" means different thing in different countries.

In some jurisdictions if bank can prove that transaction was made with customer's key then customer can not demand their money back. That's the best case, but there are only few of such jurisdictions and even there the burden of proof is on the bank and it costs a lot.

In other jurisdictions bank must reverse a transaction even if it was proven that the transaction was signed with a legitimate key, but the key _may_ have been stolen.

In some jurisdictions (i.e U.S.) banks are required to reverse a transaction at a customer’s request, even if the customer does not dispute having made the transaction.

In any case dealing with all this is too expensive and risky.

izacus4mo ago

> In any case dealing with all this is too expensive and risky.

[Citation needed]

How much does it cost? How risky?

1 more reply

abdullahkhalids4mo ago

Why don't banks just make desktop computer applications?

AsposOP4mo ago

Practically impossible to store secrets in a desktop app too. Besides, customers would not willing to install a desktop app. And those who would, will require support.

mike_hearn4mo ago

PC platforms don't have remote attestation infrastructure working.

elric4mo ago

And surprisingly I can pay securely using my PC, fully rooted, on FOSS software. Hardware tokens have been a thing for decades. There are more second (or third) factor authentication and signing solutions than I can enumerate.

Do peope get defrauded using online banking? Sure. But usually not in a way that would be stopped by secure attestation.

2 more replies

elric4mo ago

They used to, and some still kind of do, but no longer for consumers.

j / k navigate · click thread line to collapse

0 comments

elric4mo ago

Zak4mo ago

I understand (but vehemently oppose) the argument for root detection. What risks to banks see from having developer settings enabled?

realusername4mo ago

Great, so the no-name iPhone clone in China passes your test but EOS doesn't.

There's no way to assess the security of a rom from an app and it's about time that banks learn this reality.

Software on mobile is even more fragmented and less standardized than on desktop

izacus4mo ago

> If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

Now that's just not true now, is it? Sure the lawyers told you that (the ones that get paid to tell you that), but nowhere in EU was a bank actually fined for not root checking a device.

They were plenty fined by being utterly incompetent with security practices and doing them poorly - like trying to inject wierd .SOs to do the root detection you're defending.

mike_hearn4mo ago

Literally three days ago: https://www.complianceweek.com/regulatory-policy/eu-agrees-r...

"Payment service providers (PSPs) operating in the EU will have to cover customers’ losses from fraud if their fraud protection regimes are inadequate or poorly implemented under new EU rules."

Other places like the UK had such rules already.

izacus4mo ago

Note how this says nothing about root lockout.

The fact that no root lockout means "inadequate protection" is something you projected onto this statement and that's the part I'm addressing in my comment.

No one actually got fined for root protection specifically.

1 more reply

AsposOP4mo ago

No bank got fined for not root checking, correct. However banks are on the hook for unauthorized transactions. And "unauthorized" means different thing in different countries.

In other jurisdictions bank must reverse a transaction even if it was proven that the transaction was signed with a legitimate key, but the key _may_ have been stolen.

In some jurisdictions (i.e U.S.) banks are required to reverse a transaction at a customer’s request, even if the customer does not dispute having made the transaction.

In any case dealing with all this is too expensive and risky.

izacus4mo ago

> In any case dealing with all this is too expensive and risky.

[Citation needed]

How much does it cost? How risky?

1 more reply

abdullahkhalids4mo ago

Why don't banks just make desktop computer applications?

AsposOP4mo ago

Practically impossible to store secrets in a desktop app too. Besides, customers would not willing to install a desktop app. And those who would, will require support.

mike_hearn4mo ago

PC platforms don't have remote attestation infrastructure working.

elric4mo ago

Do peope get defrauded using online banking? Sure. But usually not in a way that would be stopped by secure attestation.

2 more replies

elric4mo ago

They used to, and some still kind of do, but no longer for consumers.

j / k navigate · click thread line to collapse