Well, I've built a bunch of mobile banking apps and we did detect if the phone was rooted, was in dev mode, etc. and it is not because we were "stupid, consumer-hostile, and anti-competitive".
If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.
There is no way to store customer's secrets in a PC browser securely, so all the "dangerous" transactions were outright prohibited in the web app or made available only via temporary QR login.
All this is just is a negative side effect of customer protection laws.
These practices are strengthening the Google/Apple hegemony and are ultimately damaging user freedoms and consumer protections. I'm sure that's not your employer's intention, but it is a negative thing that they're contributing to. And because of how essential banking is, banks have a big thumb on this particular scale, and I wish they'd use it for good rathet than for enriching and entrenching evil.
> If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.
Now that's just not true now, is it? Sure the lawyers told you that (the ones that get paid to tell you that), but nowhere in EU was a bank actually fined for not root checking a device.
They were plenty fined by being utterly incompetent with security practices and doing them poorly - like trying to inject wierd .SOs to do the root detection you're defending.
"Payment service providers (PSPs) operating in the EU will have to cover customers’ losses from fraud if their fraud protection regimes are inadequate or poorly implemented under new EU rules."
The fact that no root lockout means "inadequate protection" is something you projected onto this statement and that's the part I'm addressing in my comment.
No one actually got fined for root protection specifically.
Regulators love vague standards like "inadequate protection" because it means they can implement a ratchet effect without needing to understand anything or constantly rewrite the laws. If someone gets hurt they just look around at whatever the competition is doing, pick the most extreme thing, and declare that any other standard is inadequate.
So sure, if you want to not use security tactics your competitors are using and then try to lawyer out of it by arguing, "it didn't specifically say we had to do that" in front of the EU Commission, go ahead. But don't blame the banks that are more realistic about how this works.
Yeah, so you admit there's no real legal basis for those kind of restrictions.
Which anyone of us who worked with banks, mobile, banking security and their legal already knew. They're a source of greatest security hits like "let's use SMS for only auth for web banking" after all.
But what's really hiding behind all your fluff is something else:
Abusing users with root lockouts is EASY for the programmers at banks. The auditors have a checkbox "root lockout" and they tick the box. Legal ticks the box. CISO ticks the box. All happy, who cares about user. That's what this is all about. The insulting thing is trying to sell it like some kind of security feature.
The regulations are the "real" legal basis. The fact you don't like them or how they're written doesn't make them any less real. And you're not arguing with me or my "fluff", you're arguing with the entire banking industry.
If you really think this is all just fluff, by all means, go get yourself employed inside a bank's security team and convince them to turn all this stuff off. Let us know how it goes.
No bank got fined for not root checking, correct. However banks are on the hook for unauthorized transactions. And "unauthorized" means different thing in different countries.
In some jurisdictions if bank can prove that transaction was made with customer's key then customer can not demand their money back. That's the best case, but there are only few of such jurisdictions and even there the burden of proof is on the bank and it costs a lot.
In other jurisdictions bank must reverse a transaction even if it was proven that the transaction was signed with a legitimate key, but the key _may_ have been stolen.
In some jurisdictions (i.e U.S.) banks are required to reverse a transaction at a customer’s request, even if the customer does not dispute having made the transaction.
In any case dealing with all this is too expensive and risky.
Let's say you are a bank and you make $10 on each $100K transfer. If customer disputes a transaction and you must return the money, you lose the whole amount and twice as much on lawyers, internal audit, compliance people working on the case.
With this math you can't afford the risk if it is more than 1 in 30000.
For many European banks the math is even more brutal.
Practically impossible to store secrets in a desktop app too.
Besides, customers would not willing to install a desktop app. And those who would, will require support.
And surprisingly I can pay securely using my PC, fully rooted, on FOSS software. Hardware tokens have been a thing for decades. There are more second (or third) factor authentication and signing solutions than I can enumerate.
Do peope get defrauded using online banking? Sure. But usually not in a way that would be stopped by secure attestation.
Is this yet more evidence of how utterly broken US banks are? Assuming you are referring to US banks.
For the past 20 or so years, every bank I've been with in Belgium has provided me with one of three types of hardware token:
1. An OTP token that's just a screen that displays a new 6 digit token every couple of seconds (haven't seen one of these in a few years now). This was used to supplement username/password on login and to verify every bank transfer.
2. A token with a screen and a display, which generates OTPs based on input. E.g. for a payment the bank would tell me to enter the amount + the last N digits of the bank account, the token then generates an OTP, which I can use to confirm the payment. That's what 2 of my 3 banks currently use. They have separate modes for logging in, for signing bank transfers, for signing 3D Secure online payments, etc.
3. A card reader where where I just slot in my card. I can then log in or sign payments using the card's chip & pin. This is what my third bank uses. There are a couple of variants on this, such as models which connect with USB and models which can read QR codes from your screen so you don't have to tap in anything except for your PIN.
I could use a 3D powerpoint. Even the most basic, boring arrows and boxes will look better in 3D. Some of the slides in a preso I use almost daily would convey the message better if they were in 3D.
I would argue that accurate sizing is not that important as labor constitutes the bulk of the cost. My total bill was about $20K and going for 30% less capacity would net about $19K so its easier just to go for the maximum. Calling in an IR imaging drone would certainly cost more than the potential savings from accurate sizing.
Unlike gas furnaces which basically can only do ON or OFF, heat pumps can regulate the heat with much higher granularity.
What certainly calls for innovation is managing the labor costs. In my case installation involved way too many people and way too many visits.
For commercial applications, modular/off-site builds are a way to reduce labor costs. Yet, homes design are so fragmented that it's hard to build something plug-n-play.
Does it exist? I could not find a wikipedia article about it. This Gobi Wall can not be a part of what is known as the Great Wall of China as it was built 5 centuries later, no? Can someone explain?
The Great Wall is just part of a larger series of fortifications in eastern Central Asia. One of the others is the less studied Medieval Wall System (MWS). The gobi wall here is a few hundred kilometers of one of the individual walls within the MWS, which as the name suggests is within the gobi desert in the modern country of Mongolia.
And just to preclude the usual follow-up, these walls probably weren't major defensive fortifications intended to keep out armies of nomadic raiders. Their primary function was closer to airport customs, visible outposts that reinforce the boundaries and laws of the state.
> The Medieval (10th to 13th century CE) Wall System (MWS) stretches approximately 4000 km across extensive regions in northern China and Mongolia, as well as shorter sections in Russia (Figure 1). It represents one of the most extensive yet enigmatic architectural features in East Asia. In recent years The Wall Project, funded by the European Research Council, as well as other projects, has extensively studied and published on different sections of this wall line. Such research demonstrated that this extensive system of earthen walls was built by different empires from c. the 10th to the 13th centuries CE [1,2,3,4,5,6]. Among the different sections of the MWS, the wall section located in the southern Mongolia’s Gobi Desert is the least explored and still poorly understood. This study focuses on a 321 km-long segment of this wall line, located in Ömnögovi province of Mongolia, that we refer to as the Gobi Wall (Figure 2).
I don't know, looks like hunting walls to me. When chased, animals naturally follow such walls, however insignificant they are (sometimes they follow even a line drawn on the grass), and get onto predictable trajectory leading them into ambush.
I'm curious how you came to that conclusion. Nothing about these walls resembles desert kites that I can see, except that they both use natural materials in an arid climate.
As a child growing up in Central Asia, I saw people piling up stones, sticks, and other debris along the ancient lines people used to control herds and wild animals.
The ones built for hunting often had a narrow, funnel-like end, while those meant for managing herds could take on almost any shape.
One of the photos in that article looks exactly like the walls I remember from my childhood.
It is also a good warning that the people who typically create and edit Wikipedia articles in your local language do not find the subject interesting or are prevented from effectively documenting it due to the language barrier. I was doing research on the history of a certain illness and one physician I was investigating did not have an English Wikipedia article. Of course this does not mean he did not exist, I found him later on the Russian Wikipedia: https://ru.wikipedia.org/wiki/%D0%90%D1%81%D1%82%D0%B2%D0%B0....
reply