I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app any time I log in on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

  • Atemu
    55 points, 1 year ago

    At least they now allow passwords over 8 characters (yes, serious).

    Are you 100% certain they don’t just truncate your password to 8 characters?

    • @ikidd@lemmy.world
      11 points, 1 year ago

      What, do you think banks have the money for storing all those extra unnecessary characters? MS Access databases are only so powerful.

      • Atemu
        3 points, 1 year ago

        Since when does MS Access run on IBM mainframes?

      • @ooterness@lemmy.world
        3 points, 1 year ago

        Never ever ever store passwords in the database. Salted hash only. It’s fixed-length even if the password is a gigabyte long.
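
The two points raised above (Atemu's question about silent 8-character truncation, and the salted, fixed-length hash in the reply) in working form. This is an added example, not code from the thread or from any bank: the scrypt parameters, the `PasswordStore`/`TruncatingStore` classes and the `truncates_at` probe are my own illustration of the idea.

```python
"""Added example (not from the thread): salted, fixed-length password hashing
and a black-box probe for silent password truncation.

Assumptions (mine): scrypt with interactive-login parameters; a legacy
backend that truncates is modelled by TruncatingStore, purely for illustration.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Assumed scrypt work factors: N=2**14, r=8, p=1 needs about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DIGEST_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password, salt).

    The result is always SALT_LEN + DIGEST_LEN bytes, whether the password
    is 8 characters or a megabyte: the database column never needs to know
    how long the password was.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per record
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=64 * 1024 * 1024, dklen=DIGEST_LEN)
    return salt + digest


def verify_password(stored: bytes, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    actual = hash_password(candidate, salt)[SALT_LEN:]
    return hmac.compare_digest(actual, expected)


class PasswordStore:
    """Correct backend: the whole password goes into the hash."""

    def __init__(self) -> None:
        self.records: Dict[str, bytes] = {}

    def enroll(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)

    def verify(self, user: str, candidate: str) -> bool:
        return verify_password(self.records[user], candidate)


class TruncatingStore(PasswordStore):
    """Assumed legacy backend: silently keeps only the first `limit`
    characters at both enrolment and login. Hashing hides this from the
    database, which is exactly why it needs a black-box test."""

    def __init__(self, limit: int = 8) -> None:
        super().__init__()
        self.limit = limit

    def enroll(self, user: str, password: str) -> None:
        super().enroll(user, password[: self.limit])

    def verify(self, user: str, candidate: str) -> bool:
        return super().verify(user, candidate[: self.limit])


def truncates_at(login: Callable[[str], bool], password: str, n: int) -> bool:
    """Probe any login function: does the first-n-character prefix of a longer
    password still log in? Uses two attempts (full password, then prefix), so
    it stays well under typical lockout thresholds. True means everything past
    position n is ignored by the backend."""
    if len(password) <= n:
        raise ValueError("password must be longer than n for the probe to mean anything")
    if not login(password):
        raise RuntimeError("full password rejected; probe is meaningless")
    return login(password[:n])
```

`truncates_at` only needs a callable that returns True or False, so the same probe can be pointed at a real login form with your own account (full password once, then the 8-character prefix); two attempts are enough to answer the question in the comment above without tripping a lockout.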

    • @BastingChemina@slrpnk.net
      1 point, 1 year ago

      Your bank allows you to use characters? Mine only allows numbers for the password; it has to be 8 numbers, no less, no more.

  • @MTK@lemmy.world
    29 points, 1 year ago

    I hate this so much!

    My bank is like that and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6-DIGIT restore code in case you forgot your password…

    Why is my BANK so bad at security??

    • @Dnn@lemmy.world
      7 points, 1 year ago

      And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?
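
The "15 year old TOTP standard" mentioned above, written out so the comparison with a proprietary 2FA app is concrete. This is an added example, not code from the thread or from any bank or authenticator app: it implements RFC 4226 (HOTP) and RFC 6238 (TOTP) from the standard library only, and the secret and timestamps in the test are the RFCs' published test vectors, not anyone's real credentials. The `window` and replay handling in `verify_totp` are my own illustration of what a verifier has to do around the standard.

```python
"""Added example (not from the thread): RFC 6238 TOTP on top of RFC 4226 HOTP,
plus the server-side verification window. Standard library only.

Assumptions (mine): SHA-1, 30-second steps and 6 digits by default, which is
what Google/Amazon-style authenticator enrolments use; the secret in the
docstrings below is the RFC test secret "12345678901234567890", not a real one.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation,
    then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).
    This is all an authenticator app does; the phone needs no network."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                algo: str = "sha1") -> Optional[int]:
    """Server side: accept the code for the current step or up to `window`
    steps either side, to tolerate clock skew. Returns the matching counter
    or None. The caller must record the returned counter and refuse it a
    second time; that replay check is what makes the code one-time."""
    now = time.time() if at is None else at
    base = int(now // step)
    for delta in range(-window, window + 1):
        candidate = hotp(secret, base + delta, digits, algo)
        if hmac.compare_digest(candidate.encode(), code.encode()):
            return base + delta
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator enrolment QR codes (otpauth:// URIs) carry the secret as
    unpadded base32; re-pad before decoding."""
    s = b32.strip().upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))
```

Note what the verifier does and does not need: a shared secret and a clock, but no round trip to the phone and no vendor SDK, which is why the same six digits work across Google, Amazon and any other RFC 6238 site.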

  • @vodka@lemm.ee
    21 points, 1 year ago

    The app for my bank DNB (Norway) doesn’t work on my LineageOS phone, but it works on my GrapheneOS phone. I wonder if they’ve added the graphene keys, because it just suddenly started working a while ago, though might be some GrapheneOS magic

    • Chewy
      30 points, 1 year ago

      The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. […] Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.

      https://grapheneos.org/usage#banking-apps

      My banking apps work on GrapheneOS, so I guess they are using hardware attestation instead of SafetyNet. LineageOS won’t pass hardware attestation because it doesn’t support a locked bootloader.

    • @cyberwolfie@lemmy.ml
      3 points, 1 year ago

      In what way does it fail on Lineage? My local banking app fails on CalyxOS: it seems to pass the security checks (judging from init messages when opening the app), but I get a non-descriptive error when trying to log in.

        • @cyberwolfie@lemmy.ml
          1 point, 1 year ago

          Ah, then there could be a different issue with my banking app. Maybe there’s a hope I can solve it then. I just assumed it was the custom ROM that was the issue. Then again, maybe they just don’t bother letting me know the reason… :)

          • @vodka@lemm.ee
            1 point, 1 year ago

            It used to be possible (probably still is) to use Magisk to get around it for my bank, but I stopped caring after the EU did some laws forcing interoperability between banks, so I can just use my other bank’s app to access the accounts for that bank.

            Might be worth looking into!

  • TWeaK
    10 points, 1 year ago

    Even worse still: many online banking services require you to connect to Google, basically through the back end captcha system. You never have to solve the puzzle or click on traffic lights, but they do still associate you and your web browser with having an account with that bank.

    However also, you can often use root with banking apps, you just have to set it up right. Configure Magisk to operate in the Zygisk domain with a deny list, and add the apps to that.

  • @KoalaUnknown@lemmy.world
    9 points, 1 year ago

    Banks do this because most people don’t know how to use technology and it’s a lot easier to get remote access and malware on your computer than your phone.

  • @FrogMaster@lemmy.world
    8 points, 1 year ago

    Doesn’t work because of Play Integrity API but there are ways to bypass it. At least for now. Look up PlayIntegrityFork.

  • @sgibson5150@slrpnk.net
    7 points, 1 year ago

    My credit union’s web site looks like a MySpace page. They don’t even offer freaking 2FA. Been meaning to transition to cash management account but such a PITA.

  • Margot Robbie (moderator)
    6 points, 1 year ago

    This post is against Rule 6, but I’ll leave it up this time since there are a decent amount of discussion here now.

    lseif@sopuli.xyz, please remove the image when you can. You can post it in the comments.

  • Ann Archy
    6 points, 1 year ago

    This is actually something I have spent a lot of time thinking about. In Sweden, where my boyfriend lives, their BankID app is ubiquitous, and there is very little cash handling going on, additionally the fees for actually going to the bank or subsidiary to pay your bills are exorbitant.

    Everybody pays their bills online using “BankID”, which is kinda nifty and works well enough if a single point of failure is your thingaling, but what if people simply choose not to get a phone, or don’t want a computer, just basic like that, what if?

    It feels kind of creepy to me, I don’t know…

      • Ann Archy
        1 point, 1 year ago

        This is true, but almost nobody uses it- Mobile BankID is the ubiquitous app for that, and while there still is the possibility, not all sites accept it. Not to mention, this still requires a computer, and while you may be inclined to say that “well there are always libraries”, you cannot install third party software on their computers, and they do NOT carry BankID application (because of course not). This is true for social services as well.

        The real fear is the fact that once everything goes digital - and it will - everybody is at the mercy of finance and the ability to procure a telephone, and or a computer, and or an internet connection (all SIM cards have to be registered with national identification before the state, adding to the problem of how you would identify yourself in the first place in lieu of such capabilities or possibilities).

        Neither having a phone nor a computer is considered a human right yet, as far as I know, and in either case the state is not obligated to provide you with one regardless.

        May seem like nitpicking, but that is what lawmaking and jurisprudence is all about.

      • Ann Archy
        2 points, 1 year ago

        Sweden has gone about 80% fascist, in case you didn’t know. By popular vote, even! We have literal Nazis in government right now, they’re the second largest party, and while “not all Swedes” agree that they are Nazis, their heritage and lineage stems directly from the neo-Nazi movement in Sweden in the 80’s and 90’s, supported financially by Putin. <- this is not a joke, btw

        All SIM cards have to be registered with your personal identification number (more or less “social security number”, but with your 100% full identifiable personal information), by law, and by law it is illegal not to state where you live (like a census law, you must report to authorities at all times where you reside. If you don’t have a home, well, your last address is where you officially live).

        The right wing extremists have pumped money into police, and they now have the right to effect stop-and-frisk zones, and wiretapping anyone they please without probable cause or even suspicion of criminal activity.