There's a trend of online banks forcing the use of an app. I can't log in to one of my banks' websites since last year without using a QR code from their app.
Of course they slathered the app with tracking, 'security', and analytics SDKs, so rooted devices are rejected. I had no way to log into this bank account after they made that change, which is simply wonderful.
Anyways, they're not yet at the point where they've learned to do the checks server-side. For now it's a one line patch to skip the root screen. But the Play Integrity API is designed correctly, if they learn to use it, there will be no workaround without someone finding a hardware vulnerability somewhere.
Depends on what country you're in. In the UK, the banks are often held liable for various scams that involve the transfer of money, so they up the security over and over again. A bank will rightly argue why it's responsible for an old granny sending her life savings to her new lover in Namibia, so it seeks to block that transaction in the first place.
Some of that liability is fair but most of it is the government telling the banks to account for the loss when someone is scammed. They are obviously going to mitigate that as much as they can.
Yep, hardware attestation is becoming more common, even with websites.
This is why LineageOS is actually dead in the water, even though they're "in talks with hardware vendors". It doesn't matter when people can't use the apps and services they need.
Normiefication. Normies do everything on their phones; it’s the companies meeting the masses where they are. I’ve seen people fight for their lives to do a spreadsheet on their phones when there’s a laptop they own gathering dust less than 50 feet away.
Possibly, but companies seem strangely set on getting people to install apps, even when the feedback is negative.
Offering a monetary reward for installing apps seems fairly common. Chevron had someone at my gas station offering something like $5 of free gas, plus $1 a gallon off of the next three purchases. If it was something the customers wanted, they wouldn't need to pay people to do it.
This term needs to catch on; this is the first I've seen it, but it explains why so many product decisions are made and those who know better/different are just too small a minority to get any say.
We're dragged into this kicking and screaming and yet normies think we're the crazy ones.
What app developers find most valuable is what other apps you use and what competitors apps you have so they can target you more effectively. If you have Peloton or Tonal, they want to know if you have the Strava app on your phone for example.
Only on older versions of Android. Apps are very locked down on what you can get. I would have loved to be able to fingerprint a device when I was at the challenger bank, and the application list is very good for fingerprinting. We would fingerprint on the web to detect bots.
This is very condescending toward Vietnamese tech people. According to Twitter/X, Vietnam’s GDP just surpassed Thailand's and it’s on its way to joining the Great East Asian prosperity zone by becoming the last country to become fully industrialized and very rich. Many tech jobs in the US will move to Vietnam in the coming few years. You will be surprised where your future tech conferences will be located.
This trend makes me want to find a small town credit union.
I chose my current bank because it was one of the few that had proper token based access for 3rd party integration. An overwhelming majority of banks were relying on a 3rd party holding your actual username/password and saying "trust me bro". I wasn't comfortable with that.
Eventually though I suspect that web access to banks will be rescinded too, much like HMRC in the UK no longer permits companies to submit their taxes through the websites.
Don't like that. I'm of the "if you're going to do something important, do it on your PC" generation. I do not want a future where I lose my phone and I can no longer access my bank.
They won't find a solution to your problem, when one is obvious: buy a phone.
They'll find a solution to their problem, which is you: apologize for losing you as a customer, and express a hope that you'll consider them again after you've bought a phone.
There can be laws like the right to have a bank account, that might say your bank can't require you to have anything they don't provide you with for free. In some places.
We need to act now, while there are still service providers that don't require a phone. If my bank said they wouldn't do business with me unless I used a phone and an app, I would immediately take my business and all my accounts to a different bank. Banks have no moat. You can pretty easily move accounts to a different one or to a credit union who won't abuse you.
With HMRC, the reasoning is that this forces the company to have an accounting package. They don't care which, they just define the API. Not unreasonable. There are more issues with MTD IT (making tax digital, income tax) due to some detailed requirement decisions such as the need to report different income streams separately.
That seems to be the way the wind is blowing. Most new 'challengers' I've tried in the US either have no web access at all, or limited access that lets you view balance but not do things like transfers.
In the US, in my experience, young people don't want to deal with cash at all. Older people do, but it's not always convenient to meet up.
Most banks charge a fee for sending a wire. Sending an ACH is free, but most restrict that to your own account. Revolut is the only one I've seen that lets you just spam ACH to anyone. In both cases, it isn't instant.
Zelle largely fixes those issues, but has its own issues, like a lot of banks not supporting it and/or arbitrarily low send limits.
I don't understand either. My contact surface with my bank is so small. I log in once a month to download transactions. What is everyone doing that they need constant immediate access on their phones? I'd probably debank before buying a special iPhone to access a bank account.
Let me give you a preview of a world coming to you, and present day reality in Ireland:
1. Your employer pays your salary by bank transfer, which requires you to have a conventional bank account.
2. You then want to spend that money, how do you do that?
Debit card? You need the phone app to retrieve the PIN when the bank first sends you the card.
Cash withdrawals in the branch? For amounts less than €10,000, the staff will direct you to the ATMs in the branch. These require an activated debit card to withdraw money, and activating that card requires the phone app.
Manual money transfers in the branch? Once again, for amounts less than €10,000, the staff won't do it - they'll instead direct you to the PCs in the branch. These are just loading the same website you can access on yours, which will ask you to confirm with a 2FA push notification to log in.
Try another bank? The legacy banks all got the same auditor, who advised them that app-based 2FA is the easiest way to implement PSD2 and reduce the likelihood they get held liable when customers get scammed, so they all implemented that as the only option. The neobanks, of course, are accessed solely by apps.
I long ago decided never again to use anything but a credit union, and this makes me glad that credit unions tend not to ride the forefront of tech trends.
Would make a lot of sense for banks just to shut off online/mobile access and switch to in person only. That seems to be the way things are moving with KYC/AML and ensuring there is a material presence of the person in the banking jurisdiction in which they operate. Knowing the password / keys and providing a video 'proof of life' is no longer sufficient to presume you're dealing with the person you think you are and not just sold 'darks'.
I've heard 3rd hand of some banks already doing this in i.e. Armenia where a foreigner can come in and open account easily but they block any online access to lock the control of funds in country to make it harder for the FATF psychopaths to find fodder to clamp down on them.
It's already reality in my country, where you cannot access online banking for any banks except via their mobile applications, which (of course) refuse to work on anything rooted or running non-stock firmware.
Let me clarify my statement: one government agency’s election to use an app for a single purpose isn’t an indicator of much.
It’s not like the UK sent out a mandate to private banks or any other private industry on this issue. It’s also only one small country of hundreds.
I’d have to question this idea that this is how things “already look.” I can think of very few businesses that I interact with that force me to use an app.
This type of election to use an app by a government agency sets the tone, and more importantly tends to redefine "best practices." Would you want to be the one private entity known to not be using best practices? Would your risk officers or lawyers be OK with that decision?
Thai banks are required by regulation to have facial recognition when transferring over 50k THB in one transaction or cumulatively in a day. I believe most banks have shut down their internet banking as it's not worth it for the low number of users to implement web-based secure facial recognition that doesn't allow you to feed spoofed video input. One of the banks that I use will send a push notification to their mobile app for you to confirm the transaction.
I believe that previously internet banking, even before mobile banking, will limit the number of transfer recipients you can add per day/month. With the rise of QR payment I could see this limit being regularly hit if you scrape the web-based banking.
Since the Bank of Thailand claims that they technically don't block many things (mobile banking technical requirements seem to also require blocking root, but they never banned internet banking), I wish there were a new bank that tried to disrupt the existing players. But the latest "branchless" banking licenses were only acquired by existing banking groups, so API-first personal banking remains impossible.
Maybe a tiny difference though is that a phone is moved all day long, with a lot of people around to mess with or pick it. Your laptop is a bit larger and your desktop .. well is behind your door. But yeah ultimately a bank should not rely on phone OS to have security.
TD Canada is forcing me to use their app. Every time I make an online transaction which to them is too large or fishy in some way, they make me login into the app on my phone to approve the transaction. That's the only way.
In Hungary, where the central bank created the same rule about not allowing banking apps on "unofficial" devices, they do, but you need either the app or SMS for 2FA. Apparently they consider SMS secure...
Many people also use their bank's app for mobile NFC payments though (more of a thing in EU than US), which you can't easily do with a device that doesn't fit in your pocket.
In some countries, it's already impossible to make online payments without the bank's phone app. Only a matter of time until all banking is restricted to phones.
Yes. And the websites require you to verify transactions with an (unrooted?) phone.
On the other hand, the phone does not require you to verify with your PC, so there's no second factor unless there is some inaccessible secure island within the phone itself.
Funny enough, you can probably use that website directly on the phone that you use as 2F, which probably circumvents the 2F idea (at least as long as you use SMS 2F instead of an app that checks for root).
I assume the bank apps have functionality that their websites lack. Like being able to tap to pay for things, etc. Where a rooted phone might make fraud easier. If not, then this really makes no sense.
That's what malware can do on a rooted phone, _once it gets root access_, but that doesn't mean a rooted phone is easier for malware to attack.
There's not even that many people using rooted phones, and many are tech savvy people that are generally a bit more careful, so even if a rooted phone gets infected by some malware chances are the malware won't even be written in such a way to try to obtain root permissions through the standard procedure and exploit it.
True. All internet packets are REST API packets - there's no other type of packet. And all cell radio traffic is internet packets (which are REST API packets).
While they (mostly) have websites, a computer with root access is not sufficient by itself to access them. You also need to perform 2FA via push notification to a proprietary app on an Apple or Google approved device.
This isn't about the bank's security - it is about the users'.
Users are losing billions worldwide due to fraudulent apps. If a user has root and runs a malicious app, it can intercept what a legitimate banking app does. A scam app with root can draw over the screen and tell users to transfer money, or it can run a series of actions when the banking app is running, or do any of a hundred things to steal money.
Sure. But the people who are actually rooting their phones are advanced users and aren't going to install a malicious custom OS. Are naive users getting tricked into rooting their own phones? I'm dubious what the security benefit is of this decision.
These types of discussions on HN get confused because people aren't always clear what they mean by the word "rooting".
There are two ways to root a phone:
1. Unlock the bootloader, install a well designed and highly secure aftermarket OS, relock the bootloader. The device is still just as secure against malware as it was before. Remote attestation shows the vendor that you're running Graphene or Lineage or whatever.
2. Exploit a local vulnerability to drop a sudo binary somewhere. RA shows you're running an exploitable version of Pixel Android, etc.
(2) is absolutely exploitable by fraudsters. They convince the user to run an app or visit a website that exploits their browser or whatever, and the vulns are used to escalate to root and keep it. Now when the user logs into their banking app the HTTP requests are rewritten to command the bank to send money to the adversary. This is why devices that allow escalation to root are excluded via remote attestation.
(1) isn't but it requires more coordination than the industry has proven capable of so far. Binary images of a custom OS could in theory be whitelisted by banks if it was known to be as secure as other operating systems. But there's no forum in which that information can be exchanged. Like, RandOS turns up and the maintainer "xyzkid", identity: anime avatar, claims his OS is super secure. How does random overworked bank developer John Smith know if this is true or not? RandOS doesn't come with any audits, it doesn't have a well paid security team. The brand is a big question mark. And if John makes the wrong call, maybe the bank is now on the hook for millions in losses because someone installed RandOS to get the shiny icon theme or whatever, and then got hacked.
So it's a hard problem. It's not actually a technical problem. Remote attestation is very general. The hard part isn't the tech. It's a social problem. How do you create and rapidly communicate trust in a new binary OS image if you don't have the security resources of an Apple or a Google or a Samsung? Google runs a whole accreditation programme for Android where you can turn up as a phone OEM and get your custom OS builds considered to be secure by passing a huge test suite. So the only issue is OS hackers who fall below the threshold where they can do that.
There's an alternative of course: go full libertarian. Means, just use a "bank" that doesn't care if its users get hacked. This is what the Bitcoin community enabled. It's there if you want it.
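To make the server-side point concrete (the earlier comment that banks "haven't learned to do the checks server-side" with Play Integrity, and the remote attestation discussion in this comment), here is an added example; it is not code from any commenter, bank or from Google. It assumes the integrity token has already been decrypted and signature-checked (through Google's decodeIntegrityToken endpoint or the decryption keys Google provides) and that the decoded verdict has the requestDetails / appIntegrity / deviceIntegrity layout the Play Integrity documentation describes. The field names are reproduced from memory and should be checked against the current docs; the package name, certificate digest and nonce are constructed placeholders.

```python
"""Server-side policy over a decoded Play Integrity verdict (added example).

The on-device root check can be patched out in one line; this check runs on
the bank's server over a verdict that Google's servers produced, so the client
cannot alter it. Assumption: the verdict dict was obtained by decrypting and
verifying the token server-side; nothing here verifies a signature.
"""
import copy
import time
from typing import Optional

EXPECTED_PACKAGE = "com.example.bank"            # hypothetical package name
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_CERT_DIGEST"}  # placeholder for the real signing-cert digest
MAX_TOKEN_AGE_MS = 5 * 60 * 1000                 # verdicts older than 5 minutes are stale

# Device verdict labels as documented for the Play Integrity API (assumed).
STRONG = "MEETS_STRONG_INTEGRITY"   # hardware-backed attestation, locked bootloader
DEVICE = "MEETS_DEVICE_INTEGRITY"   # Play-certified device and OS
BASIC = "MEETS_BASIC_INTEGRITY"     # weaker, may be met by unlocked/custom builds

SAMPLE_VERDICT = {  # constructed sample shaped like a decoded verdict
    "requestDetails": {
        "requestPackageName": EXPECTED_PACKAGE,
        "nonce": "c2VydmVyLWlzc3VlZC1ub25jZQ",  # constructed, server-issued per session
        "timestampMillis": 1_700_000_000_000,
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": EXPECTED_PACKAGE,
        "certificateSha256Digest": ["PLACEHOLDER_CERT_DIGEST"],
        "versionCode": "42",
    },
    "deviceIntegrity": {"deviceRecognitionVerdict": [BASIC, DEVICE, STRONG]},
}


def with_device_verdict(verdict: dict, labels: list) -> dict:
    """Copy of verdict with a different deviceRecognitionVerdict (for tests/demos)."""
    v = copy.deepcopy(verdict)
    v.setdefault("deviceIntegrity", {})["deviceRecognitionVerdict"] = list(labels)
    return v


def evaluate_verdict(verdict: dict, expected_nonce: str, now_ms: Optional[int] = None):
    """Return ("allow" | "step_up" | "deny", reasons).

    expected_nonce is the single-use value this server issued for the current
    session; the client must have fed exactly that nonce into the integrity
    request, which binds the verdict to this login and defeats replay.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})
    reasons = []

    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (replayed or foreign verdict)")
    ts = int(req.get("timestampMillis", 0))
    if not (now_ms - MAX_TOKEN_AGE_MS <= ts <= now_ms + 60_000):
        reasons.append("verdict too old or clock skew too large")
    if req.get("requestPackageName") != EXPECTED_PACKAGE or app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("verdict is not about our package")
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognised by Play (modified or sideloaded build)")
    if not EXPECTED_CERT_DIGESTS.intersection(app.get("certificateSha256Digest", [])):
        reasons.append("unexpected signing certificate")
    if reasons:
        return "deny", reasons

    labels = set(dev.get("deviceRecognitionVerdict", []))
    if STRONG in labels or DEVICE in labels:
        return "allow", ["device integrity met: " + ", ".join(sorted(labels))]
    if BASIC in labels:
        # Basic-only is where custom ROMs typically land; a bank might route these
        # to an additional confirmation step rather than a hard refusal.
        return "step_up", ["basic integrity only"]
    return "deny", ["no device integrity verdict"]


if __name__ == "__main__":
    now = SAMPLE_VERDICT["requestDetails"]["timestampMillis"] + 1_000
    nonce = SAMPLE_VERDICT["requestDetails"]["nonce"]
    print(evaluate_verdict(SAMPLE_VERDICT, nonce, now))
    print(evaluate_verdict(SAMPLE_VERDICT, "some-other-nonce", now))
    print(evaluate_verdict(with_device_verdict(SAMPLE_VERDICT, [BASIC]), nonce, now))
```

The design point is that every decision is made from data the client never signed: the nonce is issued and checked by the server, the app verdict says whether the binary is the one published through Play, and the device labels come from Google's attestation. A local "am I rooted" check has none of those properties, which is exactly the gap the one-line patch in the earlier comment exploits.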
I doubt banks or the government would ever white list something like Lineage that's not made by some megacorporation. Also IIRC most phones don't allow you to relock the bootloader after flashing a custom ROM.
>These types of discussions on HN get confused because people aren't always clear what they mean by the word "rooting".
Well it’s more the Dunning Krugerites who see the word “rooting” written by someone in a cyber context, lack that context entirely, and proceed to enter the discussion anyway based on their experience rooting their Android phone 3 years ago after clicking through a few UI buttons.
A rooted Android device doesn't run apps as root either, nor does it generally allow them to get root access without the user accepting a system prompt.
I agree with the CEO, while also feeling a bit nauseous at the MAGA Musk suck-up at the end - I suppose this is the game you have to play with this current administration.
Yeah, it's weird. I don't like the law in Italy, Cloudflare, or the current US administration, but I'm fairly anti-censorship, so I feel compelled to side with Cloudflare unless more info comes to light.
It really doesn’t matter what administration is in charge, at a certain level you have to curry favor with whatever administration is in power and hold your true motives close to your chest. People seem to think what people say in public is perfect knowledge of their true intentions. No. What they say is what they want someone to hear them say. There is nothing to gain by saying what you really feel, no one can prove it’s what you really feel anyway.
Plenty of activists on the other side of the spectrum note of "greenwashing" and "pinkwashing", nice words about the environment or LGBT+ rights without any noticeable action beyond adding a temporary pride badge to social media accounts in pride month or a picture of a wind turbine on their website.
Google and Verizon were under fire recently from the DOJ for not complying with the govt's anti-DEI stance quickly enough[0]. If these policies truly aren't in the companies best interests, they would've dropped the policies on Jan 20th. Instead, they chose to continue them. I don't see how this squares with your assertion that they don't want to continue following DEI in staffing.
Yes and yes. Individuals have their own political views. In tech, those are overwhelmingly liberal. It follows that they would implement liberal policies of their own accord. This isn't sucking up to some policy that happens to be favoured by trump, this is sucking up to trump himself.
“DEI bureaucracies” is a meaningless political term.
I am truly (not) sorry about whatever HR interaction has soured you.
Not everything every company does is related to US politics let alone that of the last 10 years. These “DEI bureaucracies” pre-date your “Biden administration”.
Believe it or not, there are many, many organisations that do not operate in or export to the US. Many of them have what I’m sure you would call “DEI bureaucracies”. What’s your explanation?
It would be nice. Our security team started complaining that we serve a 301 redirect on port 80 for our website (just like 99.9% of websites do... sigh) and wanted port 80 shut down.
To appease them, I switched the redirect off in dev/staging, and soon enough even devs are having trouble accessing the site because they type 'website.com' and that can't resolve, only 'https://website.com' can.
(And before you say it, yes we use HSTS, but I presume there were some scenarios where that wasn't already cached/hit).
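An added example of what a port-80 listener should do in this situation (not code from the commenter's site): redirect and nothing else, with the Host header checked against an allowlist so the redirector cannot be used as an open redirect, plus a checker for the HSTS header the HTTPS side sends. The hostnames are hypothetical, taken from the `website.com` placeholder in the comment.

```python
"""Port-80 redirector and HSTS policy check (added example).

Shutting port 80 breaks the first visit from anyone who types a bare
hostname; HSTS only protects a browser that has already seen the header over
HTTPS (or has the domain preloaded). The usual answer is a listener that
serves a 301 and no content, which is what this implements.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"website.com", "www.website.com"}  # hypothetical, from the comment
ONE_YEAR = 31_536_000  # seconds; minimum commonly required for HSTS preload


def redirect_for(host_header, path):
    """Return (status, headers) for an HTTP request on port 80.

    Unknown Host values get a 400 rather than a redirect, so the redirector
    never bounces users to a host an attacker put in the Host header.
    """
    host = (host_header or "").split(":", 1)[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        return 400, {"Connection": "close"}
    # Refuse control characters (header injection) and normalise the path.
    if not path or any(ord(c) < 0x20 or c == "\x7f" for c in path):
        path = "/"
    if not path.startswith("/"):
        path = "/" + path
    if path.startswith("//"):  # "//evil.example" would be read as scheme-relative
        path = "/" + path.lstrip("/")
    return 301, {"Location": f"https://{host}{path}", "Connection": "close"}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value|None}."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip().lower()] = value.strip().strip('"') or None
    return out


def hsts_policy_ok(header, require_preload=False):
    """Return (ok, problems) for the HSTS header served over HTTPS."""
    d = parse_hsts(header)
    problems = []
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        problems.append("max-age missing or not an integer")
        max_age = -1
    if 0 <= max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} shorter than one year")
    if require_preload:
        if "includesubdomains" not in d:
            problems.append("preload requires includeSubDomains")
        if "preload" not in d:
            problems.append("preload directive missing")
    return (not problems), problems


class RedirectHandler(BaseHTTPRequestHandler):
    """Serves only the redirect; there is no content on port 80."""

    def do_GET(self):
        status, headers = redirect_for(self.headers.get("Host"), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    do_HEAD = do_GET

    def log_message(self, *args):  # keep the demo quiet
        pass


if __name__ == "__main__":
    print(redirect_for("website.com", "/login"))
    print(hsts_policy_ok("max-age=31536000; includeSubDomains; preload", require_preload=True))
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()  # local demo port
```

Run it and `curl -I -H 'Host: website.com' http://127.0.0.1:8080/x` returns the 301 with no body; a request with a foreign Host gets a 400. The HSTS checker is for the HTTPS origin's response, which is where the header must be set for browsers to honour it.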
In my home media setup (LG UQ81 TV, WiiM Amp via ARC, Xbox Series X, Chromecast with Google TV), the CEC setup _almost_ works perfectly.
* I can use the LG TV’s remote alone to control everything including the Chromecast and amp’s volume controls.
* The amp automatically switches on and off with the TV.
* Turning the Xbox on/off via its controller also turns on/off the TV and the amplifier together.
Mostly good, except sometimes when I have my Chromecast on and switch the Xbox on via the controller it gets stuck in an endless loop of flicking back and forth between HDMI 1 and HDMI 2, between Chromecast and Xbox. Nothing I can do will stop it except to power cycle the TV.
If anyone has experienced anything similar or has any tips on how to debug this that would be much appreciated!
You might be interested to read about the findings by Ruter, the publicly owned transport company for Oslo. They discovered their Chinese Yutong electric buses contained SIM cards, likely to allow the buses to receive OTA updates, but consequentially means they could be modified at any moment remotely. Thankfully they use physical SIMs, so some security hardening is possible.
Of course, with eSIMs becoming more widespread, it’s not inconceivable you could have a SoC containing a 5G modem with no real way to disable or remove it without destroying the device itself.
Out of curiosity, could this have been a vector for a supply chain attack?
I am currently running a fairly outdated version of datatables on a personal project, v1.11.3 from 2021. I'm not too worried about running this older version, because according to dependency scanning software there's no CVEs for it [1]. Also, upgrading this package is too tricky as there's been some pretty huge breaking changes, so I'm stuck at this older version.
I am _not_ using the datatables CDN but instead self-hosting the static files. However, I did not notice until recently that in v1.11.3 it comes with a CSS stylesheet [2] that loads a static resource from that CDN: `url("https://www.datatables.net/examples/resources/details_open.p...")`
It looks like newer versions of datatables don't import static files from the datatables CDN like this.
Presumably if this domain was hijacked as stated in this incident review, users on affected datatables versions could have had their site compromised?
Would it make sense to issue a CVE for older datatables library versions that could be susceptible to this attack?
> Out of curiosity, could this have been a vector for a supply chain attack?
If you were using the CDN without SRIs, then yes, that would have been the most obvious channel. However, I don't believe the attacker ever set up for that and the URLs never resolved due to CloudFlare blocking it.
> there's been some pretty huge breaking changes
Unless you were using the legacy API, there shouldn't be any major impediment [1]. I intentionally tried to keep backwards compatibility as I hate doing library upgrades myself! Drop me an email - allan at the domain in question if you have any questions about doing an upgrade.
> It looks like newer versions of datatables don't import static files from the datatables CDN like this.
I rewrote aspects to use CSS styled elements in place of images, so there were fewer resources to load.
> Would it make sense to issue a CVE for older datatables library versions that could be susceptible to this attack?
Per the above, if you were using the CDN without SRI for the resources, then any version could have been susceptible. However, I've seen no evidence that the attack took that vector.
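The exchange above turns on two checks a practitioner would want to run: does a self-hosted bundle quietly pull anything from a third-party host (the `url(...)` in the stylesheet), and are the resources that are loaded from a CDN pinned with Subresource Integrity. The following is an added example and not code from DataTables or either commenter; the CSS is a constructed sample modelled on the pattern described, with example.net/example.com hosts standing in for any real CDN. Note that SRI covers `<script>` and `<link>` elements only, so an image fetched from inside a stylesheet cannot be pinned and has to be found by the audit instead.

```python
"""Audit CSS for third-party fetches and generate/verify SRI hashes (added example)."""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Matches url(...) with or without quotes, and bare @import "x.css" forms.
URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""", re.IGNORECASE)
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?['"]?([^'")\s;]+)""", re.IGNORECASE)

SAMPLE_CSS = """
/* constructed sample: a self-hosted stylesheet that still reaches out */
table.dataTable td.details-control {
  background: url("https://cdn.example.net/resources/details_icon.png") no-repeat center;
}
.local  { background: url(images/sort_asc.png); }
.inline { background: url(data:image/png;base64,iVBORw0KGgo=); }
@import url("https://fonts.example.com/theme.css");
"""


def external_references(css, first_party_hosts):
    """Return [(ref, host)] for each url()/@import fetched from a host outside
    first_party_hosts. Relative paths come from wherever the CSS is served and
    data: URIs involve no network fetch, so both are ignored."""
    first_party = {h.lower() for h in first_party_hosts}
    candidates = [m.group(2) for m in URL_RE.finditer(css)]
    candidates += [m.group(1) for m in IMPORT_RE.finditer(css)]
    found, seen = [], set()
    for ref in candidates:
        ref = ref.strip()
        if ref in seen or ref.lower().startswith("data:"):
            continue
        seen.add(ref)
        parts = urlsplit(ref)          # handles https://host/.. and //host/.. alike
        if not parts.netloc:
            continue                   # relative reference, stays first-party
        host = (parts.hostname or "").lower()
        if host not in first_party:
            found.append((ref, host))
    return found


SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_attribute(data, algo="sha384"):
    """Value for the integrity= attribute of a <script>/<link> loading `data`."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm {algo!r}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(data, integrity):
    """True if `data` matches any hash token in a (possibly space-separated)
    integrity value, which is how a browser evaluates the attribute."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SRI_ALGOS and sri_attribute(data, algo) == token:
            return True
    return False


if __name__ == "__main__":
    for ref, host in external_references(SAMPLE_CSS, {"example.org"}):
        print(f"third-party fetch from {host}: {ref}")
    script = b"/* constructed stand-in for a CDN-hosted script */"
    print('integrity="%s"' % sri_attribute(script))
```

Point the audit at every stylesheet in a vendored bundle, with your own hostnames as the first-party set; anything it reports is a fetch that a hijacked domain could have served, exactly the scenario the incident review describes. For scripts and stylesheets that you do load from a CDN, publish the `sri_attribute` value alongside `crossorigin="anonymous"` so that a swapped file fails to load instead of executing.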
I thought I was not using the CDN as I had self-hosted the static sources, but some image sources seemed to be imported from the CDN in stylesheets in the version of data tables I linked.
I just updated my application from v1.11 to v1.13 without any trouble (aside from some minor aesthetic changes to padding), so at the very least I now benefit from your styled elements.
Thanks for your dedication on this package, I’ve used it for years and it works very well.
I seem to recall enjoying using datatables. You, or somebody else associated, helped me on the forums. Not sure what I asked but I remember two things: positive dev interaction, and the pain of figuring out how to make the OOX/Excel export not lose preceding zeros. (Had to write my own handler to change the XML.)