undefined | Better HN

0 pointsFindecanor7mo ago0 comments

Swish uses the proprietary "BankID" system, and the company behind it has let frauds go on for years and blaming the victims. Therefore I have chosen not to support them.

It didn't have proper two-factor authentication when you just had to tap a button on the smartphone to approve a log-in or a bank transfer (and users didn't always tell which was which). Now it requires reading a QR code — which it should have done all the time.

AFAIK it still does not use any secure key storage on the smartphone, so if your phone gets rooted by an attacker, the attacker could gain access to your bank accounts. So far, frauds have been much easier to pull off, so criminals have not bothered to hack it. (that we know of)

0 comments

lbschenkel7mo ago

I'm not an huge fan of BankID either, but a few corrections/clarifications:

1. BankID always allowed to have different settings for login and for signature. I have done that since forever. For example, I configured login to allow biometrics but not signature. If it's forcing me to enter the security code I know it is a signature, which forces me to pause. I cannot sign anything by mistake (like a transfer) because I'm forced to enter my long security code to complete it. And for the much more frequent scenario of pure logins, I can just use my finger.

2. I believe it does use the hardware-backed keychain if the device has one. I cannot prove it as the source code is not available, but I remember being curious and checking this on a rooted device.

j / k navigate · click thread line to collapse

0 comments

lbschenkel7mo ago

I'm not an huge fan of BankID either, but a few corrections/clarifications:

2. I believe it does use the hardware-backed keychain if the device has one. I cannot prove it as the source code is not available, but I remember being curious and checking this on a rooted device.

j / k navigate · click thread line to collapse