I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app any time I log in on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

  • Margot Robbie@lemmy.world
    6 months ago

    This post is against Rule 6, but I’ll leave it up this time since there are a decent amount of discussion here now.

    lseif@sopuli.xyz, please remove the image when you can. You can post it in the comments.

  • MTK@lemmy.world
    6 months ago

    I hate this so much!

    My bank is like that and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6 DIGIT restore code in case you forgot your password…

    Why is my BANK so bad at security??

    • Dnn@lemmy.world
      6 months ago

      And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?

      • fishos@lemmy.world
        6 months ago

        Because they think it matters. Same as people posting on Facebook some legalese saying “Facebook doesn’t have the rights to my stuff.” They think that by slapping a copyright “claim” on their stuff they supersede the agreements of the platform and somehow protect their comments from being scraped by bots/advertisers, etc. All it really does is add a little “this guy is probably a sovereign citizen type” sign to every post they make.

  • Atemu@lemmy.ml
    6 months ago

    At least they now allow passwords over 8 characters (yes, serious).

    Are you 100% certain they don’t just truncate your password to 8 characters?

    • ikidd@lemmy.world
      6 months ago

      What, do you think banks have the money for storing all those extra unnecessary characters? MS Access databases are only so powerful.

    • RebootRebootReboot@programming.dev
      6 months ago

      I’ve seen a website that silently truncated my password during a password reset, but then wouldn’t truncate it during login. It took me a while to figure out why my password never worked.
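The two truncation behaviours raised in this subthread (cut at reset but not at login, and cut silently at both ends) are easy to tell apart with a black-box check against your own login flow. This is an added example, not code from this thread or from any bank: a constructed toy credential store whose truncation limits are parameters, plus the audit a site owner would run to detect either case.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


class PasswordStore:
    """Constructed model of a credential store. `set_limit` / `verify_limit` emulate the
    bug of silently cutting the password to N characters on reset and/or on login."""

    def __init__(self, set_limit: Optional[int] = None, verify_limit: Optional[int] = None):
        self.set_limit = set_limit
        self.verify_limit = verify_limit
        self._salt = os.urandom(16)
        self._hash: Optional[bytes] = None

    def _kdf(self, password: str) -> bytes:
        # Salted PBKDF2; a real deployment would use a memory-hard KDF such as scrypt/Argon2.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)

    def set_password(self, password: str) -> None:
        if self.set_limit is not None:
            password = password[: self.set_limit]        # the silent truncation on reset
        self._hash = self._kdf(password)

    def verify(self, password: str) -> bool:
        if self.verify_limit is not None:
            password = password[: self.verify_limit]     # the silent truncation on login
        assert self._hash is not None, "no password set"
        return hmac.compare_digest(self._kdf(password), self._hash)


def audit_truncation(store: PasswordStore, long_password: str, prefix_len: int = 8) -> Dict[str, bool]:
    """Set a long password, then check (a) the full password still logs in and
    (b) whether the first `prefix_len` characters alone are accepted.
    Healthy: full_works=True, prefix_works=False. Reset-only truncation: full_works=False.
    Truncation on both paths: prefix_works=True, i.e. only `prefix_len` chars of entropy count."""
    store.set_password(long_password)
    return {
        "full_works": store.verify(long_password),
        "prefix_works": store.verify(long_password[:prefix_len]),
    }


if __name__ == "__main__":
    sample = "correct-horse-battery-staple-2024"   # constructed test password
    for name, store in [("sane", PasswordStore()),
                        ("reset-only", PasswordStore(set_limit=8)),
                        ("both", PasswordStore(set_limit=8, verify_limit=8))]:
        print(name, audit_truncation(store, sample))
```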

  • Ann Archy@lemmy.world
    6 months ago

    This is actually something I have spent a lot of time thinking about. In Sweden, where my boyfriend lives, their BankID app is ubiquitous, and there is very little cash handling going on, additionally the fees for actually going to the bank or subsidiary to pay your bills are exorbitant.

    Everybody pays their bills online using “BankID”, which is kinda nifty and works well enough if a single point of failure is your thingaling, but what if people simply choose not to get a phone, or don’t want a computer, just basic like that, what if?

    It feels kind of creepy to me, I don’t know…

    • BaardFigur@lemmy.world
      6 months ago

      Don’t you have a code generator?

      In Norway we have 3 options. BankID by code generator, BankID by SIM card, and BankID by app.

      The code generator isn’t even connected to the internet, and is the oldest type of BankID.

      • Ann Archy@lemmy.world
        6 months ago

        Sweden has gone about 80% fascist, in case you didn’t know. By popular vote, even! We have literal Nazis in government right now, they’re the second largest party, and while “not all Swedes” agree that they are Nazis, their heritage and lineage stems directly from the neo-Nazi movement in Sweden in the 80’s and 90’s, supported financially by Putin. <- this is not a joke, btw

        All SIM cards have to be registered with your personal identification number (more or less “social security number”, but with your 100% full identifiable personal information), by law, and by law it is illegal not to state where you live (like a census law, you must report to authorities at all times where you reside. If you don’t have a home, well, your last address is where you officially live).

        The right wing extremists have pumped money into police, and they now have the right to effect stop-and-frisk zones, and wiretapping anyone they please without probable cause or even suspicion of criminal activity.

  • viking@infosec.pub
    6 months ago

    Magisk plus DenyList luckily works for my banks. Couldn’t imagine not having a rooted phone.

      • Azzu@lemm.ee
        6 months ago

        What are the security issues? Rooted just means the potential to give trusted apps root access. Of course, if you give an app root access that you trust but is then abusing that trust and being malicious, yes it’s a security issue. But if you don’t do that, the simple fact of having a rooted phone should have no security change in any way. (Ok, except for potential bugs in Magisk/su or whatever)

        • PoorPocketsMcNewHold@lemmy.ml
          6 months ago

          https://www.reddit.com/r/GrapheneOS/comments/13264di/comment/ji54e19/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

          If you have the UI layer able to grant root access, it has root access itself and is not sandboxed. If the UI layer can grant it, an attacker gaining slight control over it has root access. An accessibility service trivially has root access. A keyboard can probably get root access, and so on. Instead of a tiny little portion of the OS having root access, a massive portion of it does.

          In the verified boot threat model, an attacker controls persistent state. If you have persistent root access as a possibility then verified boot doesn’t work since persistent state is entirely trusted.

          A userdebug build of AOSP or GrapheneOS has a su binary and an adb root command providing root access via the Android Debug Bridge via physical access using USB. This does still significantly reduce security, particularly since ADB has a network mode that can be enabled. Most of the security model is still intact. This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.

          • Azzu@lemm.ee
            6 months ago

            I’m pretty sure whoever wrote that was talking out their ass. The fuck is “UI layer” on Android, or rather, what does it have to do with it xD

            • PoorPocketsMcNewHold@lemmy.ml
              6 months ago

              The actual Magisk prompt that asks you if you want to give root to such an app. This is the UI layer.

              Although, I suppose it could be countered by explicitly refusing all requests or enabling a biometric confirmation.

              • Azzu@lemm.ee
                6 months ago

                But granting root is not done by “the UI layer”, “the UI layer” is not running with root. There is no such thing as “the UI layer” as a separate entity, an app can have a UI layer as part of its architecture, but the UI is not running on its own. Just because Magisk shows you a UI for you to grant/deny a root request, that doesn’t make it insecure. Nothing is able to interact with this prompt except the Android kernel/libraries itself and Magisk.

                Only if you added an application as accessibility tool (or give it root) can it interact with anything within the UI. An app with a UI is generally not much different than an app on the command line.

      • TWeaK@lemm.ee
        6 months ago

        GrapheneOS is made by diva developers who frankly should not be trusted. “We only allow Google phones to run our OS!” as if they don’t have a backroom deal with Google.