Comment by bri3d

Comment by bri3d 10 hours ago

4 replies

View on Hacker News

* Your bank (and Google) want to deal with as little fraud as possible.

* Market forces demand they provide both a website and an Android app.

* If both platforms are equally full of fraud, have the same features, and both have similar use, they cut out half the fraud even if they can only make one or the other fraud proof.

* But it isn't like that in reality: in reality, something more like 80% of their use and 90% of their fraud comes from mobile devices, and so cutting off that route immediately reduces their fraud-load by a lion's share.

Ergo, locking down the app is still in everyone's best interest, before we even get into the mobile app having features the desktop one does not (P2P payments, check deposit, etc.)

And this isn't just a weird theory / ivory tower problem: Device Takeover banking fraud on Android is _rampant_ (see Gigabud/GoldDigger).

Wowfunhappy 10 hours ago

Why does most fraud come from locked down mobile devices and not open Windows/Linux PCs?

If it's true that 90% of fraud comes from mobile despite all of the restrictions, what that tells me is that locking down devices doesn't actually prevent fraud.

---

> before we even get into the mobile app having features the desktop one does not (P2P payments, check deposit, etc.)

I think it would be reasonable to disable those specific features on mobile while leaving the rest of the app accessible.

Actually, back when jailbreaking iOS was still actually feasible, I recall the Chase app doing exactly that. The app worked fine, but it wouldn't let me deposit checks, I had to go to a branch for that. A bit annoying, but I can mostly understand that one.

Reply View 3 replies
  • bri3d 9 hours ago

    > If it's true that 90% of fraud comes from mobile despite all of the restrictions

    Statistics on mobile vs. desktop banking will really shock you; the mobile usage penetration is easily well upwards of 90% in many markets. There's also a skewed distribution for fraud-vulnerable users and scenarios.

    > I think it would be reasonable to disable those specific features on mobile while leaving the rest of the app accessible.

    I agree with you in an idealist sense; it would be awesome to be able to use GrapheneOS and have 80% app functionality instead of 0% app functionality. I also completely understand why nobody does it; supporting what's probably <0.001 (if not lower)% of legitimate users in exchange for development time and fraud risk isn't a particularly appealing tradeoff. If I were in a situation to advocate for such a trade-off, I probably would, but I don't think it's evidence of a sinister conspiracy that nobody does that.

    Reply View 2 replies
    • Wowfunhappy 8 hours ago

      > Statistics on mobile vs. desktop banking will really shock you; the mobile usage penetration is easily well upwards of 90% in many markets. There's also a skewed distribution for fraud-vulnerable users and scenarios.

      But if my goal was to commit fraud, wouldn't I go to wherever it was easiest to commit fraud? The actual market penetration of each platform shouldn't matter.

      Reply View 1 reply
      • dsymonds 8 hours ago

        It's usually done in bulk, so the overall payoff is the combination of value and number of targets, but the effort is typically sublinear with the targets. Something easier to attack but relatively low in number is not as juicy as something a bit harder (where the effort is mostly a one-off up-front rather than per target) but having many, many more targets.

        Reply View 0 replies