Comment by AnthonyMouse

Comment by AnthonyMouse 5 days ago

5 replies

View on Hacker News

It's not even that. The main reason is probably that attackers are going to be writing code to automate their attacks, and desktops are easier to develop on than phones, so that's what they use with no reason to do otherwise.

Even if you stopped supporting desktops, then they would just reverse engineer the mobile app instead of the web app and extract the attestation keys from any unpatched model of phone and still run their code on a server, and then it would show up as "mobile fraud" because they're pretending to be a phone instead of a desktop, when in reality it was always a server rather than a phone or a desktop.

And even if attestation actually worked (which it doesn't), that still wouldn't prevent fraud, because it only tries to prove that the person requesting the transfer is using a commercial device. If the user's device is compromised then it doesn't matter if it can pass attestation because the attacker is only running the fake, credential stealing "bank app" on the user's device, not the real bank app. Then they can run the official bank app on an official device and use the stolen credentials to transfer the money. The attestation buys you nothing.

jofla_net 5 days ago

All this theatre is turning out to be nothing more than giving up the agency we have today (nice things), for a risk averse kneejerk runaround with glaring ulterior motives...just like the scan your face+id push for services.

Reply View 4 replies
  • UltraSane 4 days ago

    Would YOU be willing to use a bank that refused to use TLS? I didn't think so. How is you refusing to accept remote attestation and the bank refusing to connect to you any different?

    Reply View 3 replies
    • jofla_net 3 days ago

      Because Banking has existed and operated fine for countless decades without it(attestation).

      Also, as there is ample discussion elsewhere, having attestation does NOT eliminate the ability for your account to become compromised.

      As restated.

      "If the user's device isn't compromised then everything is fine regardless of whether or not it can pass attestation. If the user's device is compromised, the device doesn't need to pass attestation to run a fake bank app and steal the user's credentials. Once the attacker has the user's credentials they can use them to transfer money regardless of whether or not they have to use a different device that can pass attestation.

      It doesn't really provide any security."

      IT DOES however completely rewrite the paradigm of general purpose computing in very asymmetrical ways.

      Reply View 2 replies
      • UltraSane 2 days ago

        Stop ignoring my question. If it is OK for YOU to refuse to use a bank that doesn't use TLS then why isn't it OK for a bank to refuse you as a customer if you refuse to agree to remote attestation? Both parties have the right to specify reasonable security postures and either mutually agree or not.

        Reply View 1 reply
        • rkomorn 2 days ago

          Not OP, and also not sure where I actually stand on this debate because I think your point has a lot of validity to it, but...

          I think there's also an argument in favor of a person having the right to access their money (and I'd argue that accessing your bank's website/app is accessing your money) however they want, and that access to their money is more of an important right than the bank's right to control how that access happens.

          I think we can all agree to some "within reason" clauses on both sides (eg not allowing HTTP only access seems reasonable), and I guess a lot of this debate is "is requiring attestation within reason?"

          To me, any asymmetry between the rights of the consumer and the rights of the bank should be in the favor of the consumer.

          Reply View 0 replies