I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I login on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

  • MTK@lemmy.world · 36 up / 1 down · 8 months ago

    I hate this so much!

    My bank is like that, and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6 DIGIT restore code in case you forgot your password…

    Why is my BANK so bad at security??

    • Kairos@lemmy.today · 15 up · 8 months ago

      Wait

      You have a second password that’s (opens calculator) 20 bits of entropy???

    • Dnn@lemmy.world · 9 up · 8 months ago

      And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?

  • Atemu@lemmy.ml · 30 up · 8 months ago

    At least they now allow passwords over 8 characters (yes, serious).

    Are you 100% certain they don’t just truncate your password to 8 characters?

    • RebootRebootReboot@programming.dev · 24 up · 8 months ago

      I’ve seen a website that silently truncated my password during a password reset, but then wouldn’t truncate it during login. It took me a while to figure out why my password never worked.

    • ikidd@lemmy.world · 6 up · 8 months ago

      What, do you think banks have the money for storing all those extra unnecessary characters? MS Access databases are only so powerful.

      • ooterness@lemmy.world · 2 up · 8 months ago

        Never ever ever store passwords in the database. Salted hash only. It’s fixed length even if the password is a gigabyte long.
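The two points raised in this subthread, a stored salted hash that has the same length no matter how long the password is, and the reset/login truncation mismatch RebootRebootReboot ran into, side by side. This is an added example written for this page, not code from any bank or commenter; it uses only the Python standard library (PBKDF2-HMAC-SHA256), and the 8-character legacy limit and the work factor are assumptions for illustration.

```python
"""Added example (not code from the thread): a salted, stretched password hash
whose stored form has a fixed length whatever the password length, next to the
reset/login truncation mismatch described upthread. Standard library only."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # work factor; lower it for tests, never in production
SALT_LEN = 16                 # 128-bit random salt per password
DIGEST_LEN = 32               # 256-bit derived key
MAX_PASSWORD_BYTES = 4096     # resource cap only; unrelated to storage size


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The stored record is the same length for a 1-byte and a 4000-byte password:
    the password only ever enters the KDF, never the database.
    """
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")  # explicit limit, not a silent truncation
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=DIGEST_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex),
                                 int(iterations), dklen=DIGEST_LEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# --- The mismatch described upthread, reproduced deliberately (assumed 8-char limit) ---
LEGACY_LIMIT = 8


def buggy_reset(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Password-reset path that silently truncates to LEGACY_LIMIT characters."""
    return hash_password(password[:LEGACY_LIMIT], iterations=iterations)


def buggy_login(password: str, stored: str) -> bool:
    """Login path that does not truncate, so a >8-character password never matches."""
    return verify_password(password, stored)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(len(rec), verify_password("correct horse battery staple", rec))
    rec2 = buggy_reset("longpassword123")
    print("login with the full password after a truncating reset:",
          buggy_login("longpassword123", rec2))
```

The record length is fixed by the salt and digest sizes, so a column of a few hundred characters holds every password hash; the only reason to bound password length is to cap KDF work per request, and that bound should reject, not truncate. The mismatch is visible in the last two functions: `buggy_reset` and `buggy_login` each look reasonable alone, and the user only sees "wrong password".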

    • BastingChemina@slrpnk.net · 1 up · 8 months ago

      Your bank is allowing you to use characters? Mine only allows numbers for the password; it has to be 8 numbers, no less, no more.

  • viking@infosec.pub · 15 up · 8 months ago

    Magisk plus DenyList luckily works for my banks. Couldn’t imagine not having a rooted phone.

        • lseif@sopuli.xyz (OP) · 4 up / 1 down · 8 months ago

          That's fair. Device support is a major downside of GOS. But remember: it's not really the fault of the OS, as it requires a lockable/unlockable bootloader, which only Pixel phones provide (at least in terms of mainstream phones). Blame the OEMs like Samsung.

          • viking@infosec.pub · 4 up / 1 down · 8 months ago

            There are a ton of unlockable bootloaders. On my OnePlus that’s a matter of flipping a switch in the settings.

            • lseif@sopuli.xyz (OP) · 4 up · 8 months ago

              Can it be re-locked? I may be wrong, btw. This is just what I've heard.

                • PoorPocketsMcNewHold@lemmy.ml · 1 up · 8 months ago

                  That's the main issue really, as it opens the possibility to manage your device for anyone getting hold of it. Probably some debug attack methods also come with it.

          • deweydecibel@lemmy.world · 3 up / 1 down · edited · 8 months ago

            which only pixel phones provide (at least in terms of mainstream phones)

            Mainstream phones? Pixel is a smaller market share than Motorola, and Motorola has unlockable bootloaders, and lineage supports a fair number of them.

          • PoorPocketsMcNewHold@lemmy.ml · 1 up · 8 months ago

            Only big manufacturers can really pay to entirely control the hardware inside it and allow you to modify it. Check out Fairphone for example. They've been forced to stop hardware security updates due to their chip manufacturer, who refused to continue supporting it, despite them trying to support their devices for plenty more years. This explains the choice of Google.

      • Azzu@lemm.ee · 6 up / 1 down · 8 months ago

        What are the security issues? Rooted just means the potential to give trusted apps root access. Of course, if you give an app root access that you trust but is then abusing that trust and being malicious, yes it’s a security issue. But if you don’t do that, the simple fact of having a rooted phone should have no security change in any way. (Ok, except for potential bugs in Magisk/su or whatever)

        • deweydecibel@lemmy.world · 9 up / 1 down · edited · 8 months ago

          The whole issue revolves around the fact Google is presuming a device is compromised or being used for illicit shit simply because root access is possible. If they put in effort to detect/prevent the actual problems they’re concerned about, this wouldn’t be as big a deal. This broad punishment for simply having root access is lazy and ridiculous.

          It’s like if Windows apps just stopped working if they detected a local admin account. It’s patently absurd to assume the ability to access anything means the device is inherently “unsafe”.

          • Azzu@lemm.ee · 2 up · 8 months ago

            But the previous commenter talked about security issues, you’re only talking about usability issues.

        • PoorPocketsMcNewHold@lemmy.ml · 2 up · edited · 8 months ago

          https://www.reddit.com/r/GrapheneOS/comments/13264di/comment/ji54e19/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

          If you have the UI layer able to grant root access, it has root access itself and is not sandboxed. If the UI layer can grant it, an attacker gaining slight control over it has root access. An accessibility service trivially has root access. A keyboard can probably get root access, and so on. Instead of a tiny little portion of the OS having root access, a massive portion of it does.

          In the verified boot threat model, an attacker controls persistent state. If you have persistent root access as a possibility then verified boot doesn’t work since persistent state is entirely trusted.

          A userdebug build of AOSP or GrapheneOS has a su binary and an adb root command providing root access via the Android Debug Bridge via physical access using USB. This does still significantly reduce security, particularly since ADB has a network mode that can be enabled. Most of the security model is still intact. This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.

          • Azzu@lemm.ee · 1 up · 8 months ago

            I’m pretty sure whoever wrote that was talking out their ass. The fuck is “UI layer” on Android, or rather, what does it have to do with it xD

            • PoorPocketsMcNewHold@lemmy.ml · 1 up · edited · 8 months ago

              The actual Magisk prompt that asks you if you want to give root to such an app. This is the UI layer.

              Although, I suppose it could be countered by explicitly refusing all requests or enabling a biometric confirmation.

              • Azzu@lemm.ee · 1 up · 8 months ago

                But granting root is not done by “the UI layer”, “the UI layer” is not running with root. There is no such thing as “the UI layer” as a separate entity, an app can have a UI layer as part of its architecture, but the UI is not running on its own. Just because Magisk shows you a UI for you to grant/deny a root request, that doesn’t make it insecure. Nothing is able to interact with this prompt except the Android kernel/libraries itself and Magisk.

                Only if you added an application as an accessibility tool (or gave it root) can it interact with anything within the UI. An app with a UI is generally not much different than an app on the command line.

                • PoorPocketsMcNewHold@lemmy.ml · 1 up · 8 months ago

                  It still creates an attack vector, as it allows a potential extra method to get access to it, in addition to the potential hardware exploits that I shared to gain root. Yes, you can minimize the risks correctly, but the user is the only real barrier against it, not the software anymore. The fewer potential ways to exploit your phone, the better. You shouldn't rely on thinking that such a feature is fully attack-proof.

      • TWeaK@lemm.ee · 0 up / 4 down · 8 months ago

        GrapheneOS is made by diva developers who frankly should not be trusted. “We only allow Google phones to run our OS!” as if they don’t have a backroom deal with Google.

      • RaoulDook@lemmy.world · 4 up / 2 down · 8 months ago

        Can you compile your own OS from source for an iPhone and install it yourself? I don’t think so.

        I have done that with my non-rooted android, and I can do anything I want with my phones through the powers of open source software.

        Rooting is unnecessary now and that’s a good thing.

        • davidgro@lemmy.world · 7 up / 1 down · 8 months ago

          You can’t do that without unlocking the bootloader, and that alone will trip “root detection” (Play Integrity).

          Some apps take it further and won’t run if you enable Developer Options! (Or have any number of “hacking apps” installed, such as autotap apps that don’t even need root.)

          • RaoulDook@lemmy.world · 0 up · 8 months ago

            Yes, I am aware of how it works. Unlocking the bootloader is not the same as rooting, and all my apps work just fine.

            • davidgro@lemmy.world · 5 up · 8 months ago

              If they work with an unlocked bootloader then they would almost certainly also work fully rooted, with the advantages that brings (such as actual working app+data backups, limiting max battery charge, better automation possibilities with apps like Tasker, etc)

              I’d much rather switch banks than give up rooting my phone.

          • RaoulDook@lemmy.world · 0 up / 5 down · 8 months ago

            Well you can, and there is no punishment, so you should be happy.

            I imagine you probably think “punishment” is that some bank won’t let you use their app on a rooted phone. That is not a punishment, that’s the bank implementing the security that they deem necessary for access to their software, and is likely part of a license agreement that you agreed to by using it. You have no default entitlement to have free use of the software that anyone else produces unless the software developer’s license states that you do.

            Actual punishment would be if your phone gets bricked by the OEM for rooting it, or government authorities fine or arrest you for rooting.

        • kratoz29@lemm.ee · 1 up · 8 months ago

          Rooting is unnecessary now and that’s a good thing.

          Rooting is always necessary, you can’t convince me otherwise, imagine not having root permissions in your Windows, Linux or macOS machine…

          Without “rooting” capabilities we wouldn’t have custom firmware for tech that is quite locked (like the PSP, Vita, 3DS and whatever OS they use), emulation would not be the same.

          Heck, even some iOS versions can be jailbroken yet, I cannot conceive a world where iOS is less locked than Android.

          You need to be the one who decides how your hardware is managed.

  • KoalaUnknown@lemmy.world · 17 up / 3 down · 8 months ago

    Banks do this because most people don’t know how to use technology and it’s a lot easier to get remote access and malware on your computer than your phone.

  • FrogMaster@lemmy.world · 9 up · 8 months ago

    Doesn’t work because of Play Integrity API but there are ways to bypass it. At least for now. Look up PlayIntegrityFork.

    • Sprokes@jlai.lu · 1 up · 8 months ago

      Some apps implement other checks. Mine checks whether you replaced the stock WebView (checking the package name). So sometimes it is challenging to find those checks to bypass them.

  • vodka@lemm.ee · 9 up · 8 months ago

    The app for my bank DNB (Norway) doesn't work on my LineageOS phone, but it works on my GrapheneOS phone. I wonder if they've added the Graphene keys, because it just suddenly started working a while ago, though it might be some GrapheneOS magic.

    • Chewy@discuss.tchncs.de · 15 up · 8 months ago

      The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. […] Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.

      https://grapheneos.org/usage#banking-apps

      My banking apps work on GrapheneOS, so I guess they are using hardware attestation instead of SafetyNet. LineageOS won’t pass hardware attestation because it doesn’t support locked bootloader.
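What "using the hardware attestation API directly" buys an app over a certified-OS check, shown as an added example written for this page (not GrapheneOS's or any bank's code): a server-side acceptance policy over the RootOfTrust fields that Android key attestation reports. It assumes the X.509 chain and the attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) have already been parsed and validated elsewhere; the key hashes are labelled placeholders, not real verified-boot keys. The three constructed inputs model the cases in this subthread: an OEM-signed OS, a locked bootloader with a pinned alternative-OS key, and an unlocked bootloader.

```python
"""Added example (not GrapheneOS's or any bank's code): acceptance policy over
Android hardware key attestation RootOfTrust fields. Chain validation and
ASN.1 parsing are assumed done elsewhere; key hashes are PLACEHOLDERS."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Tuple


class VerifiedBootState(IntEnum):
    """Values as defined in the Android key attestation schema."""
    VERIFIED = 0      # boot image signed by the OEM key (green)
    SELF_SIGNED = 1   # locked bootloader, custom verified-boot key (yellow)
    UNVERIFIED = 2    # bootloader unlocked (orange)
    FAILED = 3        # verification failed (red)


class SecurityLevel(IntEnum):
    SOFTWARE = 0
    TRUSTED_ENVIRONMENT = 1
    STRONGBOX = 2


@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes          # SHA-256 of the verified-boot public key
    device_locked: bool
    verified_boot_state: VerifiedBootState


@dataclass(frozen=True)
class Attestation:
    chain_valid: bool                 # chain verifies to the Google attestation root (checked elsewhere)
    security_level: SecurityLevel     # where the attestation key lives
    root_of_trust: RootOfTrust


# PLACEHOLDER key hashes, constructed for this example; not real values.
PLACEHOLDER_OEM_KEY = bytes.fromhex("00" * 32)
PLACEHOLDER_GRAPHENEOS_KEY = bytes.fromhex("11" * 32)
PLACEHOLDER_UNKNOWN_KEY = bytes.fromhex("22" * 32)

# Alternative OSes the app chooses to accept: the verified-boot keys it has pinned.
ALLOWED_SELF_SIGNED_KEYS: FrozenSet[bytes] = frozenset({PLACEHOLDER_GRAPHENEOS_KEY})


def evaluate(att: Attestation,
             allowed_keys: FrozenSet[bytes] = ALLOWED_SELF_SIGNED_KEYS) -> Tuple[bool, str]:
    """Return (accepted, reason): locked bootloader plus either OEM signing or a pinned key."""
    if not att.chain_valid:
        return False, "attestation chain does not validate"
    if att.security_level == SecurityLevel.SOFTWARE:
        return False, "software-level attestation is not hardware-backed"
    rot = att.root_of_trust
    if not rot.device_locked or rot.verified_boot_state in (
            VerifiedBootState.UNVERIFIED, VerifiedBootState.FAILED):
        # An unlocked bootloader cannot uphold verified boot, whatever OS is on it.
        return False, "bootloader unlocked or verified boot not enforced"
    if rot.verified_boot_state == VerifiedBootState.VERIFIED:
        return True, "OEM-signed OS with locked bootloader"
    if (rot.verified_boot_state == VerifiedBootState.SELF_SIGNED
            and rot.verified_boot_key in allowed_keys):
        return True, "locked bootloader with a pinned alternative-OS key"
    return False, "locked bootloader but unknown verified-boot key"


def sample_devices() -> Tuple[Attestation, Attestation, Attestation]:
    """Constructed inputs modelling the three cases discussed in the thread."""
    stock = Attestation(True, SecurityLevel.STRONGBOX,
                        RootOfTrust(PLACEHOLDER_OEM_KEY, True, VerifiedBootState.VERIFIED))
    graphene = Attestation(True, SecurityLevel.STRONGBOX,
                           RootOfTrust(PLACEHOLDER_GRAPHENEOS_KEY, True, VerifiedBootState.SELF_SIGNED))
    lineage = Attestation(True, SecurityLevel.TRUSTED_ENVIRONMENT,
                          RootOfTrust(PLACEHOLDER_UNKNOWN_KEY, False, VerifiedBootState.UNVERIFIED))
    return stock, graphene, lineage


if __name__ == "__main__":
    for name, att in zip(("stock", "graphene", "lineage"), sample_devices()):
        print(name, evaluate(att))
```

The deciding field for the LineageOS case is `device_locked`: with the bootloader unlocked the state is UNVERIFIED and no allow-list entry can rescue it, which matches the observation above that LineageOS cannot pass hardware attestation. The allow-list is what a SafetyNet/Play Integrity verdict does not offer the app developer: a pinned key turns "certified by Google" into "signed by a key I have chosen to trust on a locked device".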

    • cyberwolfie@lemmy.ml · 1 up · 8 months ago

      In what way does it fail on Lineage? My local banking app fails on CalyxOS: it seems to pass the security checks (judging from init messages when opening the app), but I get a nondescriptive error when trying to log in.

        • cyberwolfie@lemmy.ml · 2 up · 8 months ago

          Ah, then there could be a different issue with my banking app. Maybe there's hope I can solve it then. I just assumed it was the custom ROM that was the issue. Then again, maybe they just don't bother letting me know the reason… :)

          • vodka@lemm.ee · 2 up · 8 months ago

            It used to be possible (probably still is) to use magisk to get around it for my bank, but I stopped caring after the EU did some laws forcing interoperability between banks so I can just use my other banks app to access the accounts for that bank.

            Might be worth looking into!

    • uzay@infosec.pub · 2 up / 2 down · edited · 8 months ago

      LineageOS doesn't spoof SafetyNet and Play Integrity; GrapheneOS does, afaik. So that's most likely the reason.

      See below

      • vodka@lemm.ee · 7 up · 8 months ago

        GrapheneOS doesn’t either. It does Android Hardware Attestation instead of SafetyNet. It has never, and will never spoof SafetyNet.

  • sgibson5150@slrpnk.net · 9 up · 8 months ago

    My credit union’s web site looks like a MySpace page. They don’t even offer freaking 2FA. Been meaning to transition to cash management account but such a PITA.

    • bamboo@lemmy.blahaj.zone · 6 up · 8 months ago

      I have an account with a larger credit union and their Android app implements onerous rules which some exec must feel makes it more secure, but is just a burden 99.999% of the time. Today I found that the fingerprint login expires after a week of not logging in, requiring the username/password to log in. Annoying but ok, I log in with a username and password. Then it says I need to do MFA and presents 3 options, email, SMS, and app push notification. The UI for app push notification even says “This device”. I selected that one, and the app shows the approve/deny button over the MFA requirement screen.

      So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?
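The inconsistency described in this comment, modelled as an added example written for this page (not the credit union's code): one enrollment lifetime governs both the biometric unlock and the app's ability to approve push MFA, so an app that can no longer log in biometrically can no longer approve a prompt for its own login either. The class and method names, the challenge format and the `allow_same_device` switch are assumptions for illustration; the one-week lifetime is taken from the comment.

```python
"""Added example, not the credit union's code: a single enrollment expiry shared
by biometric login and push approval, so a lapsed device cannot approve the MFA
prompt for its own login. Names and the challenge format are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

SESSION_LIFETIME = 7 * 24 * 3600   # a week without logging in, as the comment describes


@dataclass
class DeviceEnrollment:
    device_id: str
    last_full_login: float   # last username + password + MFA login on this device

    def active(self, now: float) -> bool:
        return now - self.last_full_login < SESSION_LIFETIME


@dataclass
class PushChallenge:
    requesting_device: str
    approved: bool = False


class MfaServer:
    def __init__(self, allow_same_device: bool = False):
        self.enrollments: Dict[str, DeviceEnrollment] = {}
        self.challenges: Dict[str, PushChallenge] = {}
        # Design choice (assumption): by default the approving device must differ
        # from the device logging in, otherwise the "second factor" is the same app.
        self.allow_same_device = allow_same_device

    def enroll(self, device_id: str, now: float) -> None:
        """Called after a complete login (password + MFA) on this device."""
        self.enrollments[device_id] = DeviceEnrollment(device_id, now)

    def biometric_login(self, device_id: str, now: float) -> bool:
        """Biometric unlock is honoured only while the enrollment is active."""
        enr = self.enrollments.get(device_id)
        return enr is not None and enr.active(now)

    def password_login(self, device_id: str, now: float) -> str:
        """Password step passed; return the id of the push challenge that must be approved."""
        cid = secrets.token_hex(8)
        self.challenges[cid] = PushChallenge(requesting_device=device_id)
        return cid

    def approve_push(self, approving_device: str, cid: str, now: float) -> Tuple[bool, str]:
        ch = self.challenges.get(cid)
        if ch is None or ch.approved:
            return False, "unknown or already-used challenge"
        enr = self.enrollments.get(approving_device)
        if enr is None or not enr.active(now):
            # Same clock as biometric_login: once biometrics have lapsed, so has push approval.
            return False, "approving device's enrollment has expired"
        if not self.allow_same_device and approving_device == ch.requesting_device:
            return False, "approval must come from a device other than the one logging in"
        ch.approved = True
        self.enroll(ch.requesting_device, now)   # full login completed: refresh that device
        return True, "approved"


if __name__ == "__main__":
    srv = MfaServer()
    t0 = 1_700_000_000.0
    srv.enroll("phone", t0)
    later = t0 + 8 * 24 * 3600
    print("biometric after 8 days:", srv.biometric_login("phone", later))
    cid = srv.password_login("phone", later)
    print("self-approval after 8 days:", srv.approve_push("phone", cid, later))
```

The comment's situation is the `biometric_login` False / `approve_push` True combination; here both read the same `last_full_login` timestamp, so that combination cannot occur. Whether same-device approval should ever count as a second factor is a separate policy decision, exposed as the constructor flag.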

      • DanVctr@sh.itjust.works · 1 up · 8 months ago

        So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?

        I love this and hate this so much

  • Margot Robbie@lemmy.world (mod) · 13 up / 5 down · 8 months ago

    This post is against Rule 6, but I'll leave it up this time since there is a decent amount of discussion here now.

    [email protected], please remove the image when you can. You can post it in the comments.

  • Ann Archy@lemmy.world · 7 up · 8 months ago

    This is actually something I have spent a lot of time thinking about. In Sweden, where my boyfriend lives, their BankID app is ubiquitous, and there is very little cash handling going on, additionally the fees for actually going to the bank or subsidiary to pay your bills are exorbitant.

    Everybody pays their bills online using “BankID”, which is kinda nifty and works well enough if a single point of failure is your thingaling, but what if people simply choose not to get a phone, or don’t want a computer, just basic like that, what if?

    It feels kind of creepy to me, I don’t know…

      • Ann Archy@lemmy.world · 1 up · 8 months ago

        This is true, but almost nobody uses it; Mobile BankID is the ubiquitous app for that, and while there still is the possibility, not all sites accept it. Not to mention, this still requires a computer, and while you may be inclined to say "well, there are always libraries", you cannot install third-party software on their computers, and they do NOT carry the BankID application (because of course not). This is true for social services as well.

        The real fear is the fact that once everything goes digital - and it will - everybody is at the mercy of finance and the ability to procure a telephone, and or a computer, and or an internet connection (all SIM cards have to be registered with national identification before the state, adding to the problem of how you would identify yourself in the first place in lieu of such capabilities or possibilities).

        Neither having a phone nor a computer is considered a human right yet, as far as I know, and in either case the state is not obligated to provide you with one regardless.

        May seem like nitpicking, but that is what lawmaking and jurisprudence is all about.

      • Ann Archy@lemmy.world · 2 up · 8 months ago

        Sweden has gone about 80% fascist, in case you didn’t know. By popular vote, even! We have literal Nazis in government right now, they’re the second largest party, and while “not all Swedes” agree that they are Nazis, their heritage and lineage stems directly from the neo-Nazi movement in Sweden in the 80’s and 90’s, supported financially by Putin. <- this is not a joke, btw

        All SIM cards have to be registered with your personal identification number (more or less “social security number”, but with your 100% full identifiable personal information), by law, and by law it is illegal not to state where you live (like a census law, you must report to authorities at all times where you reside. If you don’t have a home, well, your last address is where you officially live).

        The right wing extremists have pumped money into police, and they now have the right to effect stop-and-frisk zones, and wiretapping anyone they please without probable cause or even suspicion of criminal activity.