I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I login on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).
(Meme in comments)
This post is against Rule 6, but I’ll leave it up this time since there are a decent amount of discussion here now.
lseif@sopuli.xyz, please remove the image when you can. You can post it in the comments.
I hate this so much!
My bank is like that and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6 DIGIT restore code incase you forgot your password…
Why is is my BANK so bad at security??
And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?
I moved to a bank that allows non google phones and let my previous bank know why I left.
Why are you licensing your comments
Because they think it matters. Same as people posting on Facebook some legalese saying “Facebook doesn’t have the rights to my stuff.”. They think that by slapping a copyright “claim” on their stuff that they supercede the agreements of the platform and somehow protect their comments from being scrapped by bots/advertisers, etc. All it really does is add a little “this guy is probably a sovereign citizen type” sign to every post they make.
TOTP is not secure
What’s wrong with TOTP?
Phishable. Use FIDO2 (webauthn) with user verification (pin, fingerprint)
Google and the banks can eat my whole asshole.
Thanks.
🚨 Improper use of meme format 🚨
🦴💥 Bone Hurting Juice detected 💥🦴
wait really? :/
I’m pretty sure panel 2 and panel 4 should have the same text
THIS MOTHERFUCKER MEMED WRONG
At least they now allow passwords over 8 characters (yes, serious).
Are you 100% certain they don’t just truncate your password to 8 characters?
What, do you think banks have the money for storing all those extra unnecessary characters? MS Access databases are only so powerful.
I’ve seen a website that silently truncated my password during a password reset, but then wouldn’t truncate it during login. It took me a while to figure out why my password never worked.
Name & shame please
This is actually something I have spent a lot of time thinking about. In Sweden, where my boyfriend lives, their BankID app is ubiquitous, and there is very little cash handling going on, additionally the fees for actually going to the bank or subsidiary to pay your bills are exorbitant.
Everybody pays their bills online using “BankID”, which is kinda nifty and works well enough if a single point of failure is your thingaling, but what if people simply choose not to get a phone, or don’t want a computer, just basic like that, what if?
It feels kind of creepy to me, I don’t know…
Don’t you have a code generator?
In Norway we gave 3 options. BankID by code generator, BankID by simcard, and BankID by app.
The code generator isn’t even connected to the internet, and is the oldest type of bankid
thats scary
Sweden has gone about 80% fascist, in case you didn’t know. By popular vote, even! We have literal Nazis in government right now, they’re the second largest party, and while “not all Swedes” agree that they are Nazis, their heritage and lineage stems directly from the neo-Nazi movement in Sweden in the 80’s and 90’s, supported financially by Putin. <- this is not a joke, btw
All SIM cards have to be registered with your personal identification number (more or less “social security number”, but with your 100% full identifiable personal information), by law, and by law it is illegal not to state where you live (like a census law, you must report to authorities at all times where you reside. If you don’t have a home, well, your last address is where you officially live).
The right wing extremists have pumped money into police, and they now have the right to effect stop-and-frisk zones, and wiretapping anyone they please without probable cause or even suspicion of criminal activity.
Magisk plus DenyList luckily works for my banks. Couldn’t imagine not having a rooted phone.
Non-rooted phones are just like iPhones. Ewww…
Beat the main purpose of GrapheneOS. Open the phone to a broad lot of security issues.
Graphene only works for Pixel phones, and I don’t want a Google device.
@viking @PoorPocketsMcNewHold @android
Then don’t bother, there’s no GrapheneOS for you!
Yeah, that was their point.
thats fair. device support is a major downside of GOS. but, remember: its not really the fault of the OS, as it requires a lockable/unlockable bootloader, which only pixel phones provide (at least in terms of mainstream phones). blame the OEMs like samsung
There are a ton of unlockable bootloaders. On my OnePlus that’s a matter of flipping a switch in the settings.
can it be re-locked? i may be wrong, btw. this is just what ive heard.
I don’t know, never tried that.
which only pixel phones provide (at least in terms of mainstream phones)
Mainstream phones? Pixel is a smaller market share than Motorola, and Motorola has unlockable bootloaders, and lineage supports a fair number of them.
I thought Google owned Motorola, but I missed the sale to Lenovo ten years ago.
Lenovo owns Motorola. Lenovo being chinese is somewhat a security risk.
What are the security issues? Rooted just means the potential to give trusted apps root access. Of course, if you give an app root access that you trust but is then abusing that trust and being malicious, yes it’s a security issue. But if you don’t do that, the simple fact of having a rooted phone should have no security change in any way. (Ok, except for potential bugs in Magisk/su or whatever)
If you have the UI layer able to grant root access, it has root access itself and is not sandboxed. If the UI layer can grant it, an attacker gaining slight control over it has root access. An accessibility service trivially has root access. A keyboard can probably get root access, and so on. Instead of a tiny little portion of the OS having root access, a massive portion of it does.
In the verified boot threat model, an attacker controls persistent state. If you have persistent root access as a possibility then verified boot doesn’t work since persistent state is entirely trusted.
A userdebug build of AOSP or GrapheneOS has a su binary and an adb root command providing root access via the Android Debug Bridge via physical access using USB. This does still significantly reduce security, particularly since ADB has a network mode that can be enabled. Most of the security model is still intact. This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.
I’m pretty sure whoever wrote that was talking out their ass. The fuck is “UI layer” on Android, or rather, what does it have to do with it xD
The actual Magisk prompt that ask you if you want to give root to such app. This UI layer.
Although, i suppose it could be countered by explicitly refusing all requests or enabling a biometric confirmation
But granting root is not done by “the UI layer”, “the UI layer” is not running with root. There is no such thing as “the UI layer” as a separate entity, an app can have a UI layer as part of its architecture, but the UI is not running on its own. Just because Magisk shows you a UI for you to grant/deny a root request, that doesn’t make it insecure. Nothing is able to interact with this prompt except the Android kernel/libraries itself and Magisk.
Only if you added an application as accessibility tool (or give it root) can it interact with anything within the UI. An app with a UI is generally not much different than an app on the command line.
GrapheneOS is made by diva developers who frankly should not be trusted. “We only allow Google phones to run our OS!” as if they don’t have a backroom deal with Google.
Proove us that you can get better security while remaining able to be fully modified with other phones and brands. https://www.privacyguides.org/en/android/#divestos
Privacy Guides has a bit of a sordid history of their own diva behaviour.
Just higher standards.
@TWeaK @PoorPocketsMcNewHold @android
Bullshit