643
submitted 8 months ago* (last edited 8 months ago) by lseif@sopuli.xyz to c/android@lemmy.world

I'm lucky my banking app works (GrapheneOS), as it's now requiring 2FA with the app anytime I login on the browser. Can't use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

top 50 comments
sorted by: hot top controversial new old
[-] Atemu@lemmy.ml 79 points 8 months ago

At least they now allow passwords over 8 characters (yes, serious).

Are you 100% certain they don't just truncate your password to 8 characters?

[-] RebootRebootReboot@programming.dev 46 points 8 months ago

I've seen a website that silently truncated my password during a password reset, but then wouldn't truncate it during login. It took me a while to figure out why my password never worked.

[-] davidgro@lemmy.world 37 points 8 months ago

Name & shame please

[-] ikidd@lemmy.world 15 points 8 months ago

What, do you think banks have the money for storing all those extra unnecessary characters? MS Access databases are only so powerful.

[-] Atemu@lemmy.ml 6 points 8 months ago

Since when does MS access run on IBM mainframes?

load more comments (1 replies)
[-] lseif@sopuli.xyz 8 points 8 months ago

i would not be surprised. i will have to try

load more comments (1 replies)
[-] viking@infosec.pub 51 points 8 months ago

Magisk plus DenyList luckily works for my banks. Couldn't imagine not having a rooted phone.

[-] PoorPocketsMcNewHold@lemmy.ml 7 points 8 months ago

Beat the main purpose of GrapheneOS. Open the phone to a broad lot of security issues.

[-] viking@infosec.pub 27 points 8 months ago

Graphene only works for Pixel phones, and I don't want a Google device.

load more comments (12 replies)
[-] Azzu@lemm.ee 15 points 8 months ago

What are the security issues? Rooted just means the potential to give trusted apps root access. Of course, if you give an app root access that you trust but is then abusing that trust and being malicious, yes it's a security issue. But if you don't do that, the simple fact of having a rooted phone should have no security change in any way. (Ok, except for potential bugs in Magisk/su or whatever)

[-] deweydecibel@lemmy.world 17 points 8 months ago* (last edited 8 months ago)

The whole issue revolves around the fact Google is presuming a device is compromised or being used for illicit shit simply because root access is possible. If they put in effort to detect/prevent the actual problems they're concerned about, this wouldn't be as big a deal. This broad punishment for simply having root access is lazy and ridiculous.

It's like if Windows apps just stopped working if they detected a local admin account. It's patently absurd to assume the ability to access anything means the device is inherently "unsafe".

load more comments (1 replies)
load more comments (5 replies)
[-] RVGamer06@sh.itjust.works 7 points 8 months ago

don't give root to any app duh

load more comments (10 replies)
load more comments (15 replies)
[-] MTK@lemmy.world 35 points 8 months ago

I hate this so much!

My bank is like that and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6 DIGIT restore code incase you forgot your password...

Why is is my BANK so bad at security??

[-] LodeMike@lemmy.today 15 points 8 months ago

Wait

You have a second password that's (opens calculator) 20 bits of entropy???

[-] Dnn@lemmy.world 9 points 8 months ago

And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?

load more comments (1 replies)
[-] BurningnnTree@lemmy.one 29 points 8 months ago

🚨 Improper use of meme format 🚨

[-] lseif@sopuli.xyz 9 points 8 months ago
[-] BurningnnTree@lemmy.one 23 points 8 months ago

I'm pretty sure panel 2 and panel 4 should have the same text

[-] EdibleFriend@lemmy.world 13 points 8 months ago

THIS MOTHERFUCKER MEMED WRONG

load more comments (1 replies)
load more comments (1 replies)
[-] vodka@lemm.ee 25 points 8 months ago

The app for my bank DNB (Norway) doesn't work on my LineageOS phone, but it works on my GrapheneOS phone. I wonder if they've added the graphene keys, because it just suddenly started working a while ago, though might be some GrapheneOS magic

[-] Chewy7324@discuss.tchncs.de 37 points 8 months ago

The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. [...] Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.

https://grapheneos.org/usage#banking-apps

My banking apps work on GrapheneOS, so I guess they are using hardware attestation instead of SafetyNet. LineageOS won't pass hardware attestation because it doesn't support locked bootloader.

load more comments (6 replies)
[-] nieceandtows@programming.dev 18 points 8 months ago

With the PNC bank I use, about 12 years ago, passwords used to be case insensitive, and they would allow ridiculously insecure passwords without complaining, like one123. I had a ridiculous password like that for a while because it was funny, then realized I'd be the one to pay for it.

[-] user224@lemmy.sdf.org 17 points 8 months ago

I didn't try a rooted phone, but thankfully my banking app did work on my phone with custom ROM without SafetyNet.

But they do block some VPNs. I know it temporarily didn't work with ProtonVPN, though now it does again. They only told me that they allow VPNs which they consider secure, but for security purposes they won't reveal how those considerations are done.
How would that make it insecure, if they aren't just using pre-made IP blocklists?
Anyway, that was a painful experience.
Getting it to work after being to connected to VPN required de-activation and re-activation of the app. That's a fairly painful process since it uses OTP tokens generated by a card reader:

It does have a digital version, but that's less secure.

[-] KoalaUnknown@lemmy.world 14 points 8 months ago

Banks do this because most people don’t know how to use technology and it’s a lot easier to get remote access and malware on your computer than your phone.

[-] ElectroLisa@lemmy.blahaj.zone 14 points 8 months ago

Magisk Hide + app rename works most of the time, for those with rooted phones

load more comments (3 replies)
[-] zakobjoa@lemmy.world 14 points 8 months ago

My bank luckily just slaps me with a huge warning screen every time I open the app.

load more comments (1 replies)
[-] TWeaK@lemm.ee 12 points 8 months ago

Even worse still: many online banking services require you to connect to Google, basically through the back end captcha system. You never have to solve the puzzle or click on traffic lights, but they do still associate you and your web browser with having an account with that bank.

However also, you can often use root with banking apps, you just have to set it up right. Configure Magisk to operate in the Zygisk domain with a deny list, and add the apps to that.

[-] SpaceTurtle224@lemmy.world 11 points 8 months ago

My dyslexic ass read that as "Baking apps" and i was genuenly confused.

[-] sgibson5150@slrpnk.net 11 points 8 months ago

My credit union's web site looks like a MySpace page. They don't even offer freaking 2FA. Been meaning to transition to cash management account but such a PITA.

[-] bamboo@lemmy.blahaj.zone 6 points 8 months ago

I have an account with a larger credit union and their Android app implements onerous rules which some exec must feel makes it more secure, but is just a burden 99.999% of the time. Today I found that the fingerprint login expires after a week of not logging in, requiring the username/password to log in. Annoying but ok, I log in with a username and password. Then it says I need to do MFA and presents 3 options, email, SMS, and app push notification. The UI for app push notification even says "This device". I selected that one, and the app shows the approve/deny button over the MFA requirement screen.

So obviously the saved state in the app wasn't actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?

load more comments (1 replies)
[-] Dempf@lemmy.zip 10 points 8 months ago

Google and the banks can eat my whole asshole.

[-] FrogMaster@lemmy.world 9 points 8 months ago

Doesn't work because of Play Integrity API but there are ways to bypass it. At least for now. Look up PlayIntegrityFork.

load more comments (1 replies)
[-] MargotRobbie@lemmy.world 8 points 8 months ago

This post is against Rule 6, but I'll leave it up this time since there are a decent amount of discussion here now.

lseif@sopuli.xyz, please remove the image when you can. You can post it in the comments.

[-] anarchy79@lemmy.world 7 points 8 months ago

This is actually something I have spent a lot of time thinking about. In Sweden, where my boyfriend lives, their BankID app is ubiquitous, and there is very little cash handling going on, additionally the fees for actually going to the bank or subsidiary to pay your bills are exorbitant.

Everybody pays their bills online using "BankID", which is kinda nifty and works well enough if a single point of failure is your thingaling, but what if people simply choose not to get a phone, or don't want a computer, just basic like that, what if?

It feels kind of creepy to me, I don't know...

load more comments (4 replies)
[-] CCF_100@sh.itjust.works 7 points 8 months ago

Honestly, screw apps that do this. It's pathetic.

[-] aeharding@lemmy.world 7 points 8 months ago

Get new bank

[-] electricprism@lemmy.ml 6 points 8 months ago

Ok fine no banks it is then.

[-] cro_magnon_gilf@sopuli.xyz 6 points 8 months ago

Your banks still have offices? Cool!

load more comments (2 replies)
[-] onlinepersona@programming.dev 5 points 8 months ago

I moved to a bank that allows non google phones and let my previous bank know why I left.

CC BY-NC-SA 4.0

[-] x4740N@lemmy.world 20 points 8 months ago

Why are you licensing your comments

[-] fishos@lemmy.world 27 points 8 months ago

Because they think it matters. Same as people posting on Facebook some legalese saying "Facebook doesn't have the rights to my stuff.". They think that by slapping a copyright "claim" on their stuff that they supercede the agreements of the platform and somehow protect their comments from being scrapped by bots/advertisers, etc. All it really does is add a little "this guy is probably a sovereign citizen type" sign to every post they make.

load more comments (1 replies)
load more comments (1 replies)
load more comments
view more: next ›
this post was submitted on 07 Mar 2024
643 points (96.0% liked)

Android

27940 readers
29 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

!android@lemmy.ml


founded 1 year ago
MODERATORS