I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I login on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).
This is actually something I have spent a lot of time thinking about. In Sweden, where my boyfriend lives, their BankID app is ubiquitous, and there is very little cash handling going on, additionally the fees for actually going to the bank or subsidiary to pay your bills are exorbitant.
Everybody pays their bills online using “BankID”, which is kinda nifty and works well enough if a single point of failure is your thingaling, but what if people simply choose not to get a phone, or don’t want a computer, just basic like that, what if?
Sweden has gone about 80% fascist, in case you didn’t know. By popular vote, even! We have literal Nazis in government right now, they’re the second largest party, and while “not all Swedes” agree that they are Nazis, their heritage and lineage stems directly from the neo-Nazi movement in Sweden in the 80’s and 90’s, supported financially by Putin. <- this is not a joke, btw
All SIM cards have to be registered with your personal identification number (more or less “social security number”, but with your 100% full identifiable personal information), by law, and by law it is illegal not to state where you live (like a census law, you must report to authorities at all times where you reside. If you don’t have a home, well, your last address is where you officially live).
The right wing extremists have pumped money into police, and they now have the right to effect stop-and-frisk zones, and wiretapping anyone they please without probable cause or even suspicion of criminal activity.
This is true, but almost nobody uses it- Mobile BankID is the ubiquitous app for that, and while there still is the possibility, not all sites accept it. Not to mention, this still requires a computer, and while you may be inclined to say that “well there are always libraries”, you cannot install third party software on their computers, and they do NOT carry BankID application (because of course not). This is true for social services as well.
The real fear is the fact that once everything goes digital - and it will - everybody is at the mercy of finance and the ability to procure a telephone, and or a computer, and or an internet connection (all SIM cards have to be registered with national identification before the state, adding to the problem of how you would identify yourself in the first place in lieu of such capabilities or possibilities).
Neither having a phone or a computer is considered a human right yet, as far as I know, and in either case the state is not obligated to provide you with one regardless.
May seem like nitpicking, but that is what lawmaking and jurisprudence is all about.
Banks do this because most people don’t know how to use technology and it’s a lot easier to get remote access and malware on your computer than your phone.
My bank is like that and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6 DIGIT restore code incase you forgot your password…
And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?
Some apps implement other checks. Mine checks whatever you replaced the stock webview (checking the package name). So sometimes it is challenging to find those checks to bypass them.
My credit union’s web site looks like a MySpace page. They don’t even offer freaking 2FA. Been meaning to transition to cash management account but such a PITA.
I have an account with a larger credit union and their Android app implements onerous rules which some exec must feel makes it more secure, but is just a burden 99.999% of the time. Today I found that the fingerprint login expires after a week of not logging in, requiring the username/password to log in. Annoying but ok, I log in with a username and password. Then it says I need to do MFA and presents 3 options, email, SMS, and app push notification. The UI for app push notification even says “This device”. I selected that one, and the app shows the approve/deny button over the MFA requirement screen.
So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?
So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?
Add comment