undefined | Better HN

0 pointsdalke2y ago0 comments

What I said was that centralization is the problem.

Different tasks require different levels of identification. Cash (a traditional means of payment) requires no identification. I only carry up to about $200 in cash on me, which an amount I'm willing to bear if my wallet is stolen.

When I use chip&pin ("what you have and what you know") for small payments, I rarely need any authentication, and when I do it's the PIN. My wife can and has used my card, with my permission. I have my email password written down for her so she can access it, eg, if I die and my computer dies.

The banking system probably factors in my usual payment locations to make the choice of when to ask for a PIN, combined with the trust experience with the vendor.

My card, even with a PIN, has a spending limit. Years ago I had to authorize raising the limit because my client was willing to reimburse me for a business class flight across the Atlantic. Of COURSE I want more friction in the system when doing something riskier. If the way to authorize a $60 dinner and a $60,000 car are too similar, then it's easier to fool you.

For a higher amount, I can go to the bank and carry out a transaction in person, or I can authorize it through their online banking system.

"But wait, how?" you might ask. The bank figured this out years ago, when people started going online, using unpatched Windows PCs without virus scanners.

The system - whose security I trust much more than a phone's - uses a small device with a camera. The login screen shows me a pattern with colored dots. The camera reads those dots, decodes the message (and probably also validates it cryptographically) and displays a message asking me to verify I want to log in.

I enter the PIN, and it generates a response code, which I enter.

If I make a payment, or add a new recipient, or a few other things, I am required to use the device again.

This device stays at home, because I don't expect to make $10,000 payments while out.

I can use it on any web-enabled device, because the security is in "what I have" and "what I know", in a device which cannot be hacked, does not require any physical connection, and does not require network accessed.

I like this system more than a Yubikey because it does not require a hardware attachment, which isn't always possible.

Yes, Yubikeys feel like a step backwards compare to my bank's security practice. I don't understand why there is no provision for cable-free/wifi-free/mobile-system-free validation in this supposed privacy-oriented switch to passkeys, when I know such a system exists.

Furthermore, the bank has the legal obligation to ensure the system works. If the encryption system is somehow broken, they are required to update the hardware. Apple is not. Yubi is not. The cost is all on you. My bank has even shut down mobile phone banking for older hardware/OSes, claiming the security isn't high enough. But they have not needed to update my security device.

If you expect your phone to be able to do anything, and authorize anything, then I see it as a giant risk. You can be at the bar, drank to much, and be convinced to make a payment or authorization that you shouldn't of. There's no real, physical way to change your risk level depending on the circumstances if you always have your phone with you.

Centralization of identify, payment, and apps is fundamentally flawed.

0 comments

acdha2y ago

> The system - whose security I trust much more than a phone's - uses a small device with a camera. The login screen shows me a pattern with colored dots. The camera reads those dots, decodes the message (and probably also validates it cryptographically) and displays a message asking me to verify I want to log in.

> I enter the PIN, and it generates a response code, which I enter.

How do they protect against phishing? That sounds like the weak MFA where attacks spoof the login page but make their own connection to your bank and pass through the challenge and response, which means that a user who doesn’t fastidiously check the hostname can be convinced to enter a TOTP, SMS, etc. code.

Phone-based WebAuthn systems are immune to that because they incorporate the hostname into the signing process so even if they convince you that they’re hugeb<cyrillic a>nk.com there’s no way for you to override that and give it a response which works for hugebank.com.

dalkeOP2y ago

> How do they protect against phishing?

The same way they minimize the vulnerability when running on an exploited Windows machine?

Even if I log in, via a MITM attack, all they can do is read my account history.

Actually making changes requires further authorization. When I make a payment the screen asks me to confirm the amount I'm about to pay. The same applies to other security sensitive changes.

Still, you make a very valid point, and I thank you for pointing out the flaw in my understanding.

I still have a very deep distrust about centralizing identification, payment, and apps on a single device, and strongly dislike the inability to have physically very distinct trust levels.

acdha2y ago

> Actually making changes requires further authorization. When I make a payment the screen asks me to confirm the amount I'm about to pay. The same applies to other security sensitive changes.

That’s a good answer, too, especially of that custom message can be large enough to display the name & amount. Anything to jar people out of the “I thought I was sending $100 to the cable TV company, not $6,000 to someone in India” autopilot state.

I generally agree with your larger point and wish that banks would make it easier to do things like setup a Yubikey and require it be used on any transaction over a certain amount. I’ve never in my life needed to make a large transaction where I wouldn’t have been able to grab a token from my safe to approve it, and at some point delay becomes a security feature since it give the bank staff time to do things like call you and make sure you really intended to do something.

dalkeOP2y ago

Thank you for your supportive words.

Certainly seeing articles like this about possible flaws in a centralized system, and the last of economic responsibility for fixing issues in affected customers, ... about people losing their Google id, the monopoly abuses of Google and Apple, and the e-waste issues of depending on apps which don't support old-but-working phones (sometimes in the name of security, but more often because it's expensive to maintain old phones) ... really gives me a bad feeling about this brave new world.

dalkeOP2y ago

> Phone-based WebAuthn systems are immune to that

Do they assume the OS is locked down and secure?

I mean, clearly if someone has a remote desktop view for my machine, then they can act as me, including any check for available hardware. The same should apply for a phone, yes?

If so, that sounds like my bank will never formally support running on a PinePhone or other user-inspectable/modifiable system - they will simply say they require a full chain of trust for the OS.

I'm glad the (relatively) open arenas of macOS and Windows existing, and that people have 10+-year-old machines, forcing my bank to support alternate login methods for less-trustworthy systems.

threeseed2y ago

The majority of ecommerce purchases made today are done on mobile.

And majority of these would be secured via on device biometrics.

The fact that this is all happening with approval of credit card companies, banks, regulators etc means that the idea that centralisation is fundamentally flawed is simply wrong.

dalkeOP2y ago

My bank's terms of services say they are not responsible for flaws in the mobile phone or privacy issues in the store.

If there is a vulnerability, who pays for fixing it? Who pays for the new phones?

Of course the credit card companies and banks don't want to be responsible. They currently aren't, and they don't want to take it on.

Why should the regulators care yet? Using a mobile phone is still under the fiction that it's an optional functionality, where the user has agreed to take on the risk themselves, in exchange for better convenience and non-essential services.

j / k navigate · click thread line to collapse

0 comments

acdha2y ago

> I enter the PIN, and it generates a response code, which I enter.

dalkeOP2y ago

> How do they protect against phishing?

The same way they minimize the vulnerability when running on an exploited Windows machine?

Even if I log in, via a MITM attack, all they can do is read my account history.

Actually making changes requires further authorization. When I make a payment the screen asks me to confirm the amount I'm about to pay. The same applies to other security sensitive changes.

Still, you make a very valid point, and I thank you for pointing out the flaw in my understanding.

I still have a very deep distrust about centralizing identification, payment, and apps on a single device, and strongly dislike the inability to have physically very distinct trust levels.

acdha2y ago

> Actually making changes requires further authorization. When I make a payment the screen asks me to confirm the amount I'm about to pay. The same applies to other security sensitive changes.

dalkeOP2y ago

Thank you for your supportive words.

dalkeOP2y ago

> Phone-based WebAuthn systems are immune to that

Do they assume the OS is locked down and secure?

I mean, clearly if someone has a remote desktop view for my machine, then they can act as me, including any check for available hardware. The same should apply for a phone, yes?

If so, that sounds like my bank will never formally support running on a PinePhone or other user-inspectable/modifiable system - they will simply say they require a full chain of trust for the OS.

I'm glad the (relatively) open arenas of macOS and Windows existing, and that people have 10+-year-old machines, forcing my bank to support alternate login methods for less-trustworthy systems.

threeseed2y ago

The majority of ecommerce purchases made today are done on mobile.

And majority of these would be secured via on device biometrics.

The fact that this is all happening with approval of credit card companies, banks, regulators etc means that the idea that centralisation is fundamentally flawed is simply wrong.

dalkeOP2y ago

My bank's terms of services say they are not responsible for flaws in the mobile phone or privacy issues in the store.

If there is a vulnerability, who pays for fixing it? Who pays for the new phones?

Of course the credit card companies and banks don't want to be responsible. They currently aren't, and they don't want to take it on.

j / k navigate · click thread line to collapse