AnthonyMouse 5 days ago

If the user's device isn't compromised then everything is fine regardless of whether or not it can pass attestation. If the user's device is compromised, the device doesn't need to pass attestation to run a fake bank app and steal the user's credentials. Once the attacker has the user's credentials they can use them to transfer money regardless of whether or not they have to use a different device that can pass attestation.

It doesn't really provide any security.

On top of that, there are tons of devices that can pass attestation that have known vulnerabilities, so the attacker could just use one of those (or extract the keys from it) if they had any reason to. But in the mobile banking threat model they don't actually need to.

  • mariusor 4 days ago

    So do we just give up because it's too hard?

    • AnthonyMouse 2 days ago

      It's not a matter of being hard. It's like trying to prevent theft by forcing everyone to wear a specific brand of shoes. The fact that the shoe company insists that it's useful is not evidence that it is.

      It's not that you can't solve the problem, it's that you can't solve the problem using that mechanism. Attestation is useless for this.

      The thing that would actually work for this is to have an open standard supported by PCs and phones to read the chip in payment/ATM cards, because then you could do "card-present" transactions remotely. You touch your card to the phone/PC and enter your PIN to authorize a new merchant. That actually solves the problem because then instead of the bank trusting every commercially available phone on the market, they only trust the specific card that they mailed to the cardholder, and you can only authorize a new merchant with physical possession of the card because it contains a private key. But that doesn't require attestation because then you don't need the keys to be in the phone since they're in the card, and it doesn't require a third party to sign anything because the bank puts the private key into the card before sending it to the cardholder without any need for Google or Apple to certify anything.

      • mariusor 14 hours ago

        From what I can take from your reply I suspect you might not understand what attestation is for.

        Yes, you can use a chip that the bank trusts (that's your card); however, the bank wants to trust that the hardware you use to read that chip is not compromised and does not try to do things on behalf of the user that the user didn't authorize. A non-trusted device can operate in a different way than the user demands of it, and the user might never know.

        That's the use case that hardware attestation can prevent. Or so the theory says...
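Added worked example (editor's illustration, not code posted in this thread and not any bank's or card scheme's real implementation): a toy model of the card-in-the-loop flow AnthonyMouse describes and of the objection mariusor raises against it. The bank personalizes a card with a private key, keeps only the public key, and accepts an authorization only if a fresh bank-issued challenge was signed by that card after the PIN was entered; the phone is a pure relay. Ed25519, the JSON framing, the in-memory Bank, and the names card-0001, card-0002, shop.example, attacker.example and "authorize-merchant-v1" are all assumptions chosen for the illustration; the comment only says "private key", and real cards use other schemes.

```go
// Added toy model, not code from the thread or from any real card scheme; Ed25519, JSON framing and all identifiers are stand-ins.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
type (
	// Card models the chip the bank mails out: the private key never leaves it.
	Card struct {
		id, pin string
		priv    ed25519.PrivateKey
	}
	// Bank keeps only the public keys it enrolled and the challenges not yet used.
	Bank struct {
		pubs    map[string]ed25519.PublicKey
		pending map[string]bool
	}
	Authorization struct { // what the phone or PC relays to the bank
		CardID, Merchant string
		Nonce, Sig       []byte
	}
)

func messageToSign(cardID, merchant string, nonce []byte) []byte {
	return must(json.Marshal([]any{"authorize-merchant-v1", cardID, merchant, nonce})) // JSON framing for brevity
}

// Issue personalises a card: the bank makes the keypair, loads the private half into the card and keeps the public half.
func (b *Bank) Issue(id, pin string) *Card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	b.pubs[id] = must(pub, err)
	return &Card{id: id, pin: pin, priv: priv}
}

// Challenge hands out a fresh nonce so a captured authorization cannot be replayed.
func (b *Bank) Challenge() []byte {
	n := make([]byte, 16)
	must(rand.Read(n))
	b.pending[string(n)] = true
	return n
}

// Sign is the card's only operation; it has no display, so it signs whatever merchant the reader supplies.
func (c *Card) Sign(merchant string, nonce []byte, pin string) ([]byte, error) {
	if pin != c.pin { // a real chip would also lock after a few wrong tries
		return nil, errors.New("card: wrong PIN")
	}
	return ed25519.Sign(c.priv, messageToSign(c.id, merchant, nonce)), nil
}

// Verify accepts only an unused challenge signed by the card the bank itself issued.
func (b *Bank) Verify(a Authorization) error {
	pub, ok := b.pubs[a.CardID]
	if !ok || !b.pending[string(a.Nonce)] {
		return errors.New("bank: unknown card or stale challenge")
	}
	if !ed25519.Verify(pub, messageToSign(a.CardID, a.Merchant, a.Nonce), a.Sig) {
		return errors.New("bank: signature is not from the issued card")
	}
	delete(b.pending, string(a.Nonce))
	return nil
}

// Relay is the phone's role: an honest phone passes the merchant the user saw, a compromised one can pass anything.
func Relay(b *Bank, c *Card, merchant, pin string) (Authorization, error) {
	nonce := b.Challenge()
	sig, err := c.Sign(merchant, nonce, pin)
	return Authorization{c.id, merchant, nonce, sig}, err
}

func RunScenarios() (honest, replay, stolenPINNoCard error, swappedMerchant string) {
	bank := &Bank{pubs: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
	card := bank.Issue("card-0001", "1234")
	// 1. Honest phone, correct PIN, the merchant the user chose: accepted.
	auth := must(Relay(bank, card, "shop.example", "1234"))
	honest = bank.Verify(auth)
	// 2. The same authorization replayed: the challenge is already spent.
	replay = bank.Verify(auth)
	// 3. Attacker phished the victim's PIN and card ID but holds only a card of their own.
	mule := bank.Issue("card-0002", "0000")
	forged := must(Relay(bank, mule, "attacker.example", "0000"))
	forged.CardID = card.id // claims the victim's card, but the signature is not from it
	stolenPINNoCard = bank.Verify(forged)
	// 4. Compromised phone: the screen shows shop.example but the card is fed attacker.example.
	if auth = must(Relay(bank, card, "attacker.example", "1234")); bank.Verify(auth) == nil {
		swappedMerchant = auth.Merchant
	}
	return
}
```

Scenarios 1 to 3 are the point of the long comment above: stolen credentials alone, or a captured authorization, get nothing past the bank, and nothing in the phone had to be trusted or certified for that to hold. Scenario 4 is the point of the reply: the card has no display and signs whatever the reader gives it, so a compromised phone can have the user's own card authorize a merchant the user never saw. Whether attestation is the right tool for closing that last gap is what the thread is arguing about; the model only shows where the gap is.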