Yeah, that's the first thing a pentest will complain about, had the same problem too. I pushed back enough so that it's trivial to bypass, but the bank and pentesters also agreed with me that it's security theater or else I would never have had the chance.
I always ask them if they have root/admin on their computer. Then follow up playing dumb with "shouldn't we lock out PCs too?". Watching them stammer is worth the 30-second aside.
> Then follow up playing dumb with "shouldn't we lock out PCs too?".
Unfortunately, some banks do, for various functionality; there are many things you can do via bank apps and not typically via their website.
Locking down PCs is easy: just set a random password.
Just blow the right hardware fuses and secure boot will be forced with a key that doesn't (or can't) exist.