Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device. From my experience they try to make sure that you will get a certified phone . I just got one because for some reason my Redmi Note 10 despite passing all play integrity checks after hacks like Tricky store+Key box triggered some checks in my banking apps. I needed to use an aftermarket ROM, because my device would not receive any updates from Xiaomi (also I don't know why a device packed with Chinese bloat ware is certified as secure in the first place). And guess what I bought: a Google Pixel. Smart Google, huh.
These "security checks" are a complete, total, absolute joke. Just a couple of weeks ago I had a friend ask me to downgrade firmware on a similar Xiaomi device from the latest LineageOS to stock to make two shitty banks work. Nothing I did on Lineage would make "security checks" pass, even though it was running the cleanest possible Android 15 with the latest security patches applied.
Now the phone is running stock firmware from 2020, with Android security patches from 2020, and with numerous publicly known vulnerabilities. The banks work fine, Google Pay works fine, every Play Integrity check passes, even the strongest one (device integrity).
The only reason I see for it being implemented this way is not to lock the bad guys out from your phone, but to prevent you from doing anything to the banking applications, even through it is still possible through said vulnerabilities.
One of said banks also refuses to run if it detects remote assistance clients on your phone (like TeamViewer), or even Discord, because apparently these were used in scams over the past few years, and we need to protect even the stupidest at the expense of everyone else. How did we come to this "future"? The worst days of desktop Windows weren't even remotely close to this nonsense.
The most stupid is the interplay with regulators: on one hand grapheneOS is far too secure if it comes to CSAM or organized crime on the other hand it is not secure enough for banking (most of the 2FA comes from the interpretation of the PSD regulations afaik).
It's not stupid. It's governments being extremely cheap. Banks (large banks are part of the government everywhere, at least when it comes to policy) and governments are totally dependent on certification (meaning someone to check security patches on devices), effectively a group of people that have some budget to check a lot of software version of a lot of devices. This doesn't have to be many people.
Nobody's willing to pay for it, so only Google, who have to do this for a bunch of other reasons, actually does it.
On the contrary, governments are imposing other restrictions on OS'es (like EU Chat directive), as well as making more and more critical government functions (like eID, and the various equivalents, and the banks) that can never work without OS certification, are utterly dependent on the App stores (it requires the ability to replace apps on user's devices without being detected), and thereby driving people deeper into Google and Apple's arms. Despite the fact that this makes the EU totally dependent on yet another US company, making this stupid. And, of course, it makes securing anyone in the EU against US spying an exercise in futility.
But it saves a little bit of money now, and gives the US, ie. Trump, yet another loaded gun aimed at the head of the EU economy. What could possibly go wrong?
That's not how it works. People like us don't ostracize anyone. We are a minority. We have no leverage at all against massive communities with thousands of members.
> Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device.
That sounds... fine? Like... there are actually alternatives. Sure, if their plan is to phase out those alternatives, then that's bad, but... the current situation seems fine?
Reality is very different. If you have the courage, you can experiment living one year without bank card or wire payments, then your life is going to get very very difficult.
Agree with this. Either you'll get SMS OTP (which is free for the user, at least in the UK?) or they will send some 'calculator' or multi-colour-code-scanner device that generates OTPs.
(Honestly this last one was the most impressive bank security system I'd seen yet; for every individual transaction, you'd have to scan the code and the scanner device would tell you what you were authorising, then you put the PIN in and get a OTP to put back in the bank)
that is just normal practice for business account transaction in my country????
business account can request such devices so if any malicious people cant withdraw funds without pressing a same combination in all devices (there are multiple devices)
so there is no rogue employee
Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device. From my experience they try to make sure that you will get a certified phone . I just got one because for some reason my Redmi Note 10 despite passing all play integrity checks after hacks like Tricky store+Key box triggered some checks in my banking apps. I needed to use an aftermarket ROM, because my device would not receive any updates from Xiaomi (also I don't know why a device packed with Chinese bloat ware is certified as secure in the first place). And guess what I bought: a Google Pixel. Smart Google, huh.
These "security checks" are a complete, total, absolute joke. Just a couple of weeks ago I had a friend ask me to downgrade firmware on a similar Xiaomi device from the latest LineageOS to stock to make two shitty banks work. Nothing I did on Lineage would make "security checks" pass, even though it was running the cleanest possible Android 15 with the latest security patches applied.
Now the phone is running stock firmware from 2020, with Android security patches from 2020, and with numerous publicly known vulnerabilities. The banks work fine, Google Pay works fine, every Play Integrity check passes, even the strongest one (device integrity).
The only reason I see for it being implemented this way is not to lock the bad guys out from your phone, but to prevent you from doing anything to the banking applications, even through it is still possible through said vulnerabilities.
One of said banks also refuses to run if it detects remote assistance clients on your phone (like TeamViewer), or even Discord, because apparently these were used in scams over the past few years, and we need to protect even the stupidest at the expense of everyone else. How did we come to this "future"? The worst days of desktop Windows weren't even remotely close to this nonsense.
The most stupid is the interplay with regulators: on one hand grapheneOS is far too secure if it comes to CSAM or organized crime on the other hand it is not secure enough for banking (most of the 2FA comes from the interpretation of the PSD regulations afaik).
It's not stupid. It's governments being extremely cheap. Banks (large banks are part of the government everywhere, at least when it comes to policy) and governments are totally dependent on certification (meaning someone to check security patches on devices), effectively a group of people that have some budget to check a lot of software version of a lot of devices. This doesn't have to be many people.
Nobody's willing to pay for it, so only Google, who have to do this for a bunch of other reasons, actually does it.
On the contrary, governments are imposing other restrictions on OS'es (like EU Chat directive), as well as making more and more critical government functions (like eID, and the various equivalents, and the banks) that can never work without OS certification, are utterly dependent on the App stores (it requires the ability to replace apps on user's devices without being detected), and thereby driving people deeper into Google and Apple's arms. Despite the fact that this makes the EU totally dependent on yet another US company, making this stupid. And, of course, it makes securing anyone in the EU against US spying an exercise in futility.
But it saves a little bit of money now, and gives the US, ie. Trump, yet another loaded gun aimed at the head of the EU economy. What could possibly go wrong?
Sell your airbus stock.
Google still didn't block leaked Nexus 4 keys, meaning anything rooted with magisk can spoof the integrity check.
Rooted. Usually with unlocked bootloader. Safe.
Also phones on Android 9 unpatched since 2009. Etc.
:)
Why would you care about this but still want to run Discord ??
Because that's where people are. The choice is to run Discord or be ostracized.
No, you can (and should) instead ostracise people that use Discord. As publicly as possible. That's how you change things.
That's not how it works. People like us don't ostracize anyone. We are a minority. We have no leverage at all against massive communities with thousands of members.
??? What's the correlation?
It's a platform, meaning you cannot run your own servers (as compared to "servers").
It's also Deep Web, not Open Web.
Furthermore, it's US-based, with an unknown amount of Tencent backing, going back to before even its creation.
> Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device.
That sounds... fine? Like... there are actually alternatives. Sure, if their plan is to phase out those alternatives, then that's bad, but... the current situation seems fine?
Reality is very different. If you have the courage, you can experiment living one year without bank card or wire payments, then your life is going to get very very difficult.
This comment isn't about living without a bank card or wire payments, though? It's about living with a hardware TOTP device
This problem is getting worse too, as more and more businesses become "cashless only".
Well, this is literally illegal in many jurisdictions.
And literally legal in many jurisdictions
If you're trying to imply Xiaomi is crap with updates so people buy pixel phones I don't think that makes much sense.
Agree with this. Either you'll get SMS OTP (which is free for the user, at least in the UK?) or they will send some 'calculator' or multi-colour-code-scanner device that generates OTPs. (Honestly this last one was the most impressive bank security system I'd seen yet; for every individual transaction, you'd have to scan the code and the scanner device would tell you what you were authorising, then you put the PIN in and get a OTP to put back in the bank)
that is just normal practice for business account transaction in my country????
business account can request such devices so if any malicious people cant withdraw funds without pressing a same combination in all devices (there are multiple devices) so there is no rogue employee
I switched banks when they required authentication with biometric and when i said i didn't want to do that the answer was
sorry, we can't do anything for you then