I'm pretty sure I'm against this. I could be convinced otherwise by documentation of significant fraud involving compromised devices (especially Android phones) that would have been stopped by a device attestation scheme.
I should note Google has such an attestation scheme, and there are reliable defeats for it in most situations given root access. Apps have been able to insist on hardware-backed attestation which has not been defeated for some time, but that isn't available for old devices. Almost none do so.
If this had a meaningful impact on fraud, more apps would insist on the hardware-backed option, but that's quite rare. Even Google doesn't; I used Google Pay contactless with LineageOS and root this week. I'm currently convinced it's primarily a corporate power grab; non-Google-approved Android won't be a consumer success if it doesn't run your banking app, and the copyright lobby loves anything that helps DRM.
Also, online banking has been a thing for so long on PCs which never had that kind of remote attestation. I also do not believe the security argument, but I believe that the banks believe it.
Online banking doesn't need remote attestation. Some additional locked down hardware with its own minimal display is enough. My banks force me to use devices like those made by Kobil or ReinerSCT.
I didn't know about these, but I think they look great. I am not against locking down hardware if that hardware has a very specific and tailor-made purpose for security, and this seems like a really good and fairly cheap solution. I wish my government offered them as an alternative.
You could also imagine having them integrated directly into the phone, but with a physically separated button or fingerprint reader to authenticate. The TAN generator could even have the ability to override the display to replicate the UX of authenticator apps.
I should note Google has such an attestation scheme, and there are reliable defeats for it in most situations given root access. Apps have been able to insist on hardware-backed attestation which has not been defeated for some time, but that isn't available for old devices. Almost none do so.
If this had a meaningful impact on fraud, more apps would insist on the hardware-backed option, but that's quite rare. Even Google doesn't; I used Google Pay contactless with LineageOS and root this week. I'm currently convinced it's primarily a corporate power grab; non-Google-approved Android won't be a consumer success if it doesn't run your banking app, and the copyright lobby loves anything that helps DRM.