Comment by garaetjjte 5 days ago

>Attestation is major reason why.

It's not. Mobile applications just don't have unrestricted access to everything in your user directory; attestation has nothing to do with it.

AnthonyMouse 5 days ago

It's not even that. The main reason is probably that attackers are going to be writing code to automate their attacks, and desktops are easier to develop on than phones, so that's what they use with no reason to do otherwise.

Even if you stopped supporting desktops, then they would just reverse engineer the mobile app instead of the web app and extract the attestation keys from any unpatched model of phone and still run their code on a server, and then it would show up as "mobile fraud" because they're pretending to be a phone instead of a desktop, when in reality it was always a server rather than a phone or a desktop.

And even if attestation actually worked (which it doesn't), that still wouldn't prevent fraud, because it only tries to prove that the person requesting the transfer is using a commercial device. If the user's device is compromised then it doesn't matter if it can pass attestation because the attacker is only running the fake, credential stealing "bank app" on the user's device, not the real bank app. Then they can run the official bank app on an official device and use the stolen credentials to transfer the money. The attestation buys you nothing.

  • jofla_net 4 days ago

    All this theatre is turning out to be nothing more than giving up the agency we have today (nice things) for a risk-averse kneejerk runaround with glaring ulterior motives... just like the scan-your-face+id push for services.

    • UltraSane 4 days ago

      Would YOU be willing to use a bank that refused to use TLS? I didn't think so. How is you refusing to accept remote attestation and the bank refusing to connect to you any different?

      • jofla_net 3 days ago

        Because banking has existed and operated fine for countless decades without it (attestation).

        Also, as there is ample discussion elsewhere, having attestation does NOT eliminate the ability for your account to become compromised.

        As restated.

        "If the user's device isn't compromised then everything is fine regardless of whether or not it can pass attestation. If the user's device is compromised, the device doesn't need to pass attestation to run a fake bank app and steal the user's credentials. Once the attacker has the user's credentials they can use them to transfer money regardless of whether or not they have to use a different device that can pass attestation.

        It doesn't really provide any security."

        IT DOES however completely rewrite the paradigm of general purpose computing in very asymmetrical ways.