What if we collectively decide to use the web alternatives for banking?
We lose some convenience since they are generally desktop oriented, but they don't check who signed my kernel.
My bank recently made it that app-based MFA must be used for every single web login. Unless I and many others are willing to swap banks in the vain hope that the new bank won't do the same thing (I am not), then we're cooked.
Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device. From my experience they try to make sure that you will get a certified phone. I just got one because, for some reason, my Redmi Note 10, despite passing all Play Integrity checks after hacks like TrickyStore + keybox, triggered some checks in my banking apps. I needed to use an aftermarket ROM, because my device would not receive any updates from Xiaomi (also I don't know why a device packed with Chinese bloatware is certified as secure in the first place). And guess what I bought: a Google Pixel. Smart Google, huh.
These "security checks" are a complete, total, absolute joke. Just a couple of weeks ago I had a friend ask me to downgrade firmware on a similar Xiaomi device from the latest LineageOS to stock to make two shitty banks work. Nothing I did on Lineage would make "security checks" pass, even though it was running the cleanest possible Android 15 with the latest security patches applied.
Now the phone is running stock firmware from 2020, with Android security patches from 2020, and with numerous publicly known vulnerabilities. The banks work fine, Google Pay works fine, every Play Integrity check passes, even the strongest one (device integrity).
The only reason I see for it being implemented this way is not to lock the bad guys out of your phone, but to prevent you from doing anything to the banking applications, even though it is still possible through said vulnerabilities.
One of said banks also refuses to run if it detects remote assistance clients on your phone (like TeamViewer), or even Discord, because apparently these were used in scams over the past few years, and we need to protect even the stupidest at the expense of everyone else. How did we come to this "future"? The worst days of desktop Windows weren't even remotely close to this nonsense.
The most stupid thing is the interplay with regulators: on the one hand GrapheneOS is far too secure when it comes to CSAM or organized crime; on the other hand it is not secure enough for banking (most of the 2FA comes from the interpretation of the PSD regulations, afaik).
It's not stupid. It's governments being extremely cheap. Banks (large banks are part of the government everywhere, at least when it comes to policy) and governments are totally dependent on certification (meaning someone to check security patches on devices), effectively a group of people that have some budget to check a lot of software versions on a lot of devices. This doesn't have to be many people.
Nobody's willing to pay for it, so only Google, who have to do this for a bunch of other reasons, actually does it.
On the contrary, governments are imposing other restrictions on OSes (like the EU Chat directive), as well as making more and more critical government functions (like eID, its various equivalents, and the banks), which can never work without OS certification, utterly dependent on the app stores (it requires the ability to replace apps on users' devices without being detected), thereby driving people deeper into Google's and Apple's arms. This is despite the fact that it makes the EU totally dependent on yet another US company, which is stupid. And, of course, it makes securing anyone in the EU against US spying an exercise in futility.
But it saves a little bit of money now, and gives the US, i.e. Trump, yet another loaded gun aimed at the head of the EU economy. What could possibly go wrong?
That's not how it works. People like us don't ostracize anyone. We are a minority. We have no leverage at all against massive communities with thousands of members.
> Sure, one option means paying for each SMS (actually they had to abandon that one), another option is getting a paid banking card just to use a hardware device.
That sounds... fine? Like... there are actually alternatives. Sure, if their plan is to phase out those alternatives, then that's bad, but... the current situation seems fine?
Reality is very different. If you have the courage, you can experiment with living one year without a bank card or wire payments; your life is going to get very, very difficult.
Agree with this. Either you'll get SMS OTP (which is free for the user, at least in the UK?) or they will send some 'calculator' or multi-colour-code-scanner device that generates OTPs.
(Honestly this last one was the most impressive bank security system I'd seen yet; for every individual transaction, you'd have to scan the code and the scanner device would tell you what you were authorising, then you put the PIN in and get an OTP to put back into the bank.)
That is just normal practice for business account transactions in my country????
Business accounts can request such devices, so malicious people can't withdraw funds without pressing the same combination on all devices (there are multiple devices),
so there is no rogue employee.
I stayed away from cryptocurrency when DeFi and Web3 and NFTs were everywhere, but I've started paying with BTC where I can, so I don't have to deal with banking apps, and to stick it to puritanical payment processors, after the Steam/Itch debacle.
Know Your Customer is acceptable. Nanny Your Customer is not.
Monero is the cryptocurrency everyone uses for this. The userbase and community is completely separate from the Web3 NFT dog-coin crowd (unlike Bitcoin).
There's also systems like PaySafeCard, which is accepted by Steam.
I'm really interested in Monero. I feel kinda nervous about using it, though, since even though everything I'm buying is legal, it feels like I'd be calling a lot of attention, and I want to make sure I'm buying and exchanging it in legal (if private) ways.
Using Monero is not much different from using Bitcoin. It's actually safer than Bitcoin in this regard, as you can't accidentally receive coins that are "tainted" by what previous owners did with them.
Know Your Customer is not acceptable at all. It is the financial arm of warrantless global mass surveillance. The government got the private sector to do all the surveillance for them.
I uninstalled banking related apps from my phone years ago. I used it so infrequently that every time I did use it, it was as if it had been newly installed and didn't remember anything about me. Now I use a desktop web browser for anything finance (and it's Firefox on Linux, so thankfully that works for now).
It's getting repetitive to come with the same message over and over and over again, but in many countries you can no longer interact with your bank through the web browser. The banks' applications are either required for 2FA, or are the only way to use remote banking at all.
The last one applies in my country. You can of course go to the bank branch for every little financial operation, which is bad enough by itself for us living in cities, but is practically impossible for my relatives in the rural area, who would have to drive 100 km to the nearest bank branch, and then back just to move some money between two accounts.
Even if you don't care for anyone else but your country, it will come to you also, I promise.
You should at least complain to your bank and government, and support NGOs fighting for your freedom like https://edri.org, https://eff.org, or the equivalent in your country.
Forcing you to use foreign megacorps for essential services should be illegal if not already.
Sure, I complain basically every week, but it's like moving a mountain. It was the government's idea, and they're very gung-ho on continuing with it. The official reason is fighting tax evasion, but the more probable one is that the ruling elite has major stakes in all major banks, so they're very interested in making everyone dependent on those banks.
The only realistic thing left for me is moaning about it on the ole 'net and hoping (probably in vain) that this disease doesn't spread further to other countries. Western democracies are already in the process of copying several bad ideas we implemented 10+ years ago (and China more than 20 years ago), I don't see a reason why this also wouldn't be ported over.
And the digital sovereignty argument doesn't really work, one of the banks uses its own payment system — mostly copied from Chinese AliPay — and it's the most popular one here. Zero dependence on "the West" other than the phones themselves, where they think they have an alternative in Huawei and friends, and you're gonna have to depend on someone in any case, even just for internet infrastructure, or even cash printing machines.
Huawei phones have their own alternatives to Play Services; none of the banks work on pure ungoogled and un-everything Android. You have to use a locked device which you have zero control over in any case.
> Forcing you to use foreign megacorps for essential services should be illegal if not already.
The only two major mobile operating systems are developed by American companies. The two most popular global payment processors are maintained by American companies. The hardware is jointly developed by a bunch of countries, basically all of them in North America and Western Europe.
If one brings up digital sovereignty, should I think not of "the West", but of Tokelau, South Africa, or Brazil?
The phone will be used as MFA, and that will have requirements, especially on Android versions. So it is going to be harder to escape it; it is darn comfortable using Android as an MFA. Many banks still use a custom device for MFA here, but it is slowly going away.
BankID in Sweden and similar in other European countries.
In Australia they aren't phasing out web, but anything high-risk, like a transaction to a new contact, has to be approved in the app. The app is considered a significantly safer environment.
Even though I very much dislike WhatsApp, it does not require having full control over "your" device, and does not make itself an arbiter of what you can or cannot install on "your" hardware.
I can't see them changing this in the foreseeable future, major parts of their userbase run the cheapest phones one can buy, and they're much more interested in as much data as possible, so near 100% device coverage has to be important for them.
Last time I tried to use WhatsApp (in 2024), it was also basically unusable, because after I gave it the barest amount of information during installation (using its own dialog screens!), in particular not being willing to share my contacts, it regularly locked me out (IIRC as not a 'real' user).
Brazil is screwed beyond belief but WhatsApp being popular is the least of our problems. It's got enough end-to-end encryption to defeat judges. It's much better than some parallel universe where people are using SMS or Facebook Messenger or whatever. I'll count my blessings.
In my country banks have required users to install "security modules" to log into their accounts for decades now. Once upon a time I tried to crack one of these things open. I discovered they were literal device drivers running in kernel mode and I caught them intercepting every single network connection. Told me all I needed to know.
Who even knows what this malware does? I sure as hell don't want to find out.
For the bank, things like "fraud prevention" override literally everything. There is no limit they wouldn't cross and there is no freedom they wouldn't trample in the pursuit of their goals.
People get so mad about kernel-level anti-cheat in video games, but when your bank does it, I've never heard of it before. I sure am glad my bank doesn't do this for now.
The video games industry and the copyright monopolists were just the first bosses. Now we're dealing with banks. One day we'll have to deal with governments.
They think everything they do is justified and necessary. They've got a "legitimate" reason to do it so it's alright. Because total nonsense like fraud prevention is totally worth giving up our freedom for.
Not in the US... have you seen the first or second Shrek movie where a monster busts in on a Starbucks and all the scared customers run across the street to another Starbucks? Like a virus they're everywhere. Same thing for ATM machines. Cash is doing just fine.
I don't understand the sentiment - how does relinquishing control of the hardware help us? I see a possible future where the banks/governments give the people devices to use for these things, and I don't like this future, as these would surely become spy instruments.
Not OP, but sharing the sentiment (never had banking or similar software on a phone, yet using ATMs, banks' web interfaces, offices). Avoiding interaction with a bank completely is rarely viable these days, and they will run their software on their hardware to operate either way (whether it is an ATM, a bank office, or a website). I do not see it as relinquishing control of the hardware, since you are not expected to control a bank's hardware in the first place. Setting it up on your phone, though, comes with the usual risks of running proprietary software on your machines, such as sneaky data collection. If banks/governments give mobile devices to people for that, those may act even a little more like electronic ankle bracelets, but they would also be isolated from your other data and software; in places with near-mandatory government software, some choose to create such an isolation by having multiple devices for different purposes.
Most banks here (NL) give you a dumb coin-cell-battery-powered code calculator, either with or without smartcard access to your banking card. Basically some form of TOTP or challenge-response system.
Those devices have no network, no connectivity, no GPS, and no interface besides a tiny 7-segment LCD display and some 0-9 buttons for PIN code entry.
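Added example (not from any poster in this thread, and not a real bank's protocol) of the challenge-response "calculator" described in the NL comment above and in the earlier scanner-device comment: the bank's challenge encodes the exact payee and amount, the device shows them to the user before accepting the PIN, and the OTP is an HMAC over that challenge, so a transaction altered after approval no longer verifies. The key, PIN, nonce and transaction values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secrets; a real device carries a unique per-customer key.
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)
DEVICE_PIN = "1234"


def build_challenge(payee: str, amount_cents: int, nonce: bytes) -> bytes:
    """Bank side: bind the challenge to the transaction the bank will execute."""
    return f"{payee}|{amount_cents}|{nonce.hex()}".encode()


def decode_challenge(challenge: bytes):
    """Device side: recover what is being authorised so it can be shown on the display."""
    payee, amount, _nonce = challenge.decode().split("|")
    return payee, int(amount)


def derive_otp(key: bytes, challenge: bytes, digits: int = 8) -> str:
    """HMAC-SHA256 over the challenge, HOTP-style dynamic truncation to decimal digits."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def device_sign(key: bytes, challenge: bytes, pin: str):
    """Device side: wrong PIN yields nothing; otherwise display details and sign."""
    if not hmac.compare_digest(pin, DEVICE_PIN):
        return None
    payee, amount = decode_challenge(challenge)  # what the user reads on the LCD
    print(f"Authorise {amount / 100:.2f} to {payee}?")  # user confirms by entering OTP
    return derive_otp(key, challenge)


def bank_verify(key: bytes, payee: str, amount_cents: int, nonce: bytes, otp: str) -> bool:
    """Bank side: recompute the OTP for the transaction it is actually about to run."""
    expected = derive_otp(key, build_challenge(payee, amount_cents, nonce))
    return hmac.compare_digest(expected, otp)


def demo():
    nonce = bytes(range(8))  # constructed; a real bank issues a fresh random nonce per transaction
    challenge = build_challenge("ACME Utilities", 1250, nonce)
    otp = device_sign(DEVICE_KEY, challenge, "1234")
    genuine = bank_verify(DEVICE_KEY, "ACME Utilities", 1250, nonce, otp)
    # Payee swapped after the user approved what the device displayed: OTP no longer matches.
    tampered = bank_verify(DEVICE_KEY, "Mule Account", 1250, nonce, otp)
    return genuine, tampered
```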
> In what way, if supplied by the bank and used only for contacting the bank to do banking, could a device become a spy instrument?
Here's my attempt at future history: Firstly they'll require you to prove your current location, to ensure that the request isn't made by a remote hacker; they'll do this by integrating their own cellular modem, as well as scanning local wi-fi networks. Then, at a second phase, they'll integrate a camera and microphone to perform a face identification, asking you to speak out a particular phrase while performing a particular motion. At the start they'll only require you to turn the mic and camera on during active usage, but eventually they'll say that these have to stay on continuously so that they can ensure that the device wasn't tampered with. And if we aren't careful, we'll accept every single small added requirement, until we're boiled alive.
If it was normal and expected that you carry the device around, to make purchases with, then all that would be very bad, and it becomes like a phone but worse in some ways (less ownership over it) and better in others (does not contain other personal data).
However, if it sits at home in a drawer, it can keep its camera on all it likes, transmitting images of darkness, and tell the bank repeatedly where your home address is, and sometimes (when in use) confirm what your face looks like. Not a privacy issue I think?
Probably it would become expected that you carry the thing around and it replaces cash and cards, but that seems to me to be the crucial step if it's going to have meaningful potential for spying.
Can anyone confirm that the situation regarding authentication in the EU will change with the PSD3 directive? As far as I read, the directive will require authentication methods for individuals without smartphones. Anyone already working on this?