I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I login on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

  • Atemu@lemmy.ml · ↑79 · 9 months ago

    At least they now allow passwords over 8 characters (yes, serious).

    Are you 100% certain they don’t just truncate your password to 8 characters?

    • RebootRebootReboot@programming.dev · ↑45 · 9 months ago

      I’ve seen a website that silently truncated my password during a password reset, but then wouldn’t truncate it during login. It took me a while to figure out why my password never worked.

    • ikidd@lemmy.world · ↑15 · 9 months ago

      What, do you think banks have the money for storing all those extra unnecessary characters? MS Access databases are only so powerful.

      • ooterness@lemmy.world · ↑4 · 9 months ago

        Never ever ever store passwords in the database. Salted hash only. It’s fixed length even if the password is a gigabyte long.
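Added example (not code from the thread or from any bank): the two points made above, that a silent truncation on the reset path but not on the login path makes a long password unusable, and that a salted hash is fixed length no matter how long the input is, demonstrated in a few lines of Python with the standard library's scrypt. The 8-character cap, the scrypt work factors and the 1 MiB test password are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

MAX_STORED_CHARS = 8                                  # assumed: the silent cap on the reset path
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)     # assumed work factors; tune for your hardware


def derive(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest. Output is always dklen (32) bytes, whatever the input length."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


# --- the mismatch described above: reset truncates, login does not -----------------

def broken_reset(password: str) -> tuple[bytes, bytes]:
    """Reset path that silently cuts the password before hashing (the bug)."""
    salt = os.urandom(16)
    return salt, derive(password[:MAX_STORED_CHARS], salt)


def login(password: str, salt: bytes, stored: bytes) -> bool:
    """Login path: full password, constant-time compare of fixed-length digests."""
    return hmac.compare_digest(derive(password, salt), stored)


# --- the correct path: never truncate, store only salt + digest --------------------

def reset(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, derive(password, salt)


def demo(password: str) -> dict:
    """Run one password through both flows and report whether login succeeds."""
    bsalt, bdigest = broken_reset(password)
    gsalt, gdigest = reset(password)
    return {
        "broken_login_ok": login(password, bsalt, bdigest),
        "fixed_login_ok": login(password, gsalt, gdigest),
        "digest_len": len(gdigest),
    }


if __name__ == "__main__":
    # constructed inputs: 8 chars (cap is a no-op), a passphrase, and a 1 MiB password
    for pw in ("hunter22", "correct horse battery staple", "x" * (1 << 20)):
        print(len(pw), demo(pw))
```

An 8-character password survives the broken flow only because the cap happens to be a no-op for it; anything longer fails at login with no error that points at the cause, which is exactly the symptom RebootRebootReboot describes. The fixed flow stores a 16-byte salt and a 32-byte digest regardless of input length, so a length limit in the database column is never a reason to cap the password.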

    • BastingChemina@slrpnk.net · ↑1 · 9 months ago

      Your bank allows you to use characters? Mine only allows numbers for the password; it has to be 8 digits, no less, no more.

  • MTK@lemmy.world · ↑36 · 9 months ago

    I hate this so much!

    My bank is like that, and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6 DIGIT restore code in case you forgot your password…

    Why is my BANK so bad at security??

    • Kairos@lemmy.today · ↑15 · 9 months ago

      Wait

      You have a second password that’s (opens calculator) 20 bits of entropy???

    • Dnn@lemmy.world · ↑9 · 9 months ago

      And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?
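Added example (not part of the thread, and not any bank's or vendor's code): the "15 year old TOTP standard" the comment refers to is RFC 6238, built on RFC 4226 HOTP, and it fits in a few dozen lines of standard-library Python. The block generates codes, verifies them with a small clock-drift window, refuses replay of an already-consumed time step, and decodes the Base32 seed format used in otpauth:// URIs. The seed below is the RFC 6238 test seed (the ASCII string "12345678901234567890"), used only so the output can be checked against the RFC's published vectors; the window size and step are the RFC defaults.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> int | None:
    """Server-side check: accept a code within +/-window steps of `at`, but never a
    step at or below `last_counter` (the step the account last authenticated with,
    which the caller persists). Returns the matched counter, or None on failure."""
    now = at // step
    for drift in range(-window, window + 1):
        counter = now + drift
        if counter <= last_counter:
            continue  # replay of a step that was already consumed
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Decode the Base32 seed found in otpauth:// URIs (spaces and padding optional)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


# RFC 6238 Appendix B test seed; real deployments generate 20+ random bytes per user
RFC_SEED = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print(totp(RFC_SEED, int(time.time())))
```

The whole thing depends on one shared secret and a clock, which is why any authenticator app works with any site that implements it; the only server state beyond the secret is the last accepted counter, which is what stops a code captured over the shoulder from being replayed inside its 30-second window.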

  • vodka@lemm.ee · ↑26 · 9 months ago

    The app for my bank DNB (Norway) doesn’t work on my LineageOS phone, but it works on my GrapheneOS phone. I wonder if they’ve added the Graphene keys, because it just suddenly started working a while ago, though it might be some GrapheneOS magic.

    • Chewy@discuss.tchncs.de · ↑37 · 9 months ago

      The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. […] Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.

      https://grapheneos.org/usage#banking-apps

      My banking apps work on GrapheneOS, so I guess they are using hardware attestation instead of SafetyNet. LineageOS won’t pass hardware attestation because it doesn’t support a locked bootloader.

    • cyberwolfie@lemmy.ml · ↑4 · 9 months ago

      In what way does it fail on Lineage? My local banking app fails on CalyxOS: it seems to pass the security checks (judging from init messages when opening the app), but I get a nondescript error when trying to log in.

        • cyberwolfie@lemmy.ml · ↑2 · 9 months ago

          Ah, then there could be a different issue with my banking app. Maybe there’s hope I can solve it then. I just assumed it was the custom ROM that was the issue. Then again, maybe they just don’t bother letting me know the reason… :)

          • vodka@lemm.ee · ↑2 · 9 months ago

            It used to be possible (probably still is) to use Magisk to get around it for my bank, but I stopped caring after the EU passed some laws forcing interoperability between banks, so I can just use my other bank’s app to access the accounts for that bank.

            Might be worth looking into!

    • uzay@infosec.pub · ↑3 · edited · 9 months ago

      LineageOS doesn’t spoof SafetyNet and Play Integrity, GrapheneOS does afaik. So that’s most likely the reason.

      See below

      • vodka@lemm.ee · ↑7 · 9 months ago

        GrapheneOS doesn’t either. It does Android Hardware Attestation instead of SafetyNet. It has never, and will never spoof SafetyNet.

  • nieceandtows@programming.dev · ↑17 · 9 months ago

    With the PNC bank I use, about 12 years ago, passwords used to be case insensitive, and they would allow ridiculously insecure passwords without complaining, like one123. I had a ridiculous password like that for a while because it was funny, then realized I’d be the one to pay for it.

  • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org · ↑16 · 9 months ago

    I didn’t try a rooted phone, but thankfully my banking app did work on my phone with a custom ROM without SafetyNet.

    But they do block some VPNs. I know it temporarily didn’t work with ProtonVPN, though now it does again. They only told me that they allow VPNs which they consider secure, but for security purposes they won’t reveal how those considerations are done.
    How would that make it insecure, if they aren’t just using pre-made IP blocklists?
    Anyway, that was a painful experience.
    Getting it to work after being connected to a VPN required de-activation and re-activation of the app. That’s a fairly painful process since it uses OTP tokens generated by a card reader:

    It does have a digital version, but that’s less secure.

  • KoalaUnknown@lemmy.world · ↑16 · 9 months ago

    Banks do this because most people don’t know how to use technology and it’s a lot easier to get remote access and malware on your computer than your phone.

  • ElectroLisa · ↑14 · 9 months ago

    Magisk Hide + app rename works most of the time, for those with rooted phones

    • Kusimulkku@lemm.ee · ↑5 · 9 months ago

      Funnily enough, I had issues with Wallet working on my phone since I have an unlocked bootloader but no root. Banking and everything else afaik worked. So I installed all that stuff, Magisk, Magisk Hide, I don’t even remember all the things I tried, and what it resulted in was that now, since I was actually rooted, all the banking apps and other stuff stopped working.

      • deweydecibel@lemmy.world · ↑2 · edited · 9 months ago

        When you root, you’re creating more flags for apps to detect, so you have to put in more effort to hide them all. That means a greater likelihood of something being detected if you missed it. It’s a trade off. You do have to learn a bit about what you’re doing and do some trial and error.

        But the greater point is, if banking apps and wallet are important to you on that specific phone, you can either root and put in the effort to make it work, root and just do all that stuff from a browser, or not root at all.

        Yeah, it’s annoying, but it isn’t the fault of Magisk or the rooting community, it’s Google’s and your bank’s fault for actively punishing you for using your own device the way you like.

        Personally, I have two phones now. My main one is rooted, and if I need an app that breaks on root, I pull out the “clean” one (my old phone after factory reset). Use a hotspot if mobile.

        • Kusimulkku@lemm.ee · ↑1 · 9 months ago

          For me it’s important that my banking works (so far they haven’t complained about the unlocked bootloader, only about root), but Wallet is just nice to have. And that doesn’t work with an unlocked bootloader but did work with root. I guess it’s no root for me since I haven’t managed to juggle them both.

          Sucks that Google is doing this. I don’t even have root and they are complaining. Makes having a custom rom annoying sometimes.

  • Margot Robbie@lemmy.worldM · ↑12 · 9 months ago

    This post is against Rule 6, but I’ll leave it up this time since there are a decent amount of discussion here now.

    lseif@sopuli.xyz, please remove the image when you can. You can post it in the comments.

      • fishos@lemmy.world · ↑27 · 9 months ago

        Because they think it matters. Same as people posting on Facebook some legalese saying “Facebook doesn’t have the rights to my stuff.” They think that by slapping a copyright “claim” on their stuff they supersede the agreements of the platform and somehow protect their comments from being scraped by bots/advertisers, etc. All it really does is add a little “this guy is probably a sovereign citizen type” sign to every post they make.

        • ferret@sh.itjust.works · ↑2 · 9 months ago

          There is no such platform agreement on Lemmy, so they might have at least a little bit of a chance.

  • sgibson5150@slrpnk.net · ↑11 · 9 months ago

    My credit union’s web site looks like a MySpace page. They don’t even offer freaking 2FA. Been meaning to transition to a cash management account, but it’s such a PITA.

    • bamboo · ↑6 · 9 months ago

      I have an account with a larger credit union and their Android app implements onerous rules which some exec must feel make it more secure, but which are just a burden 99.999% of the time. Today I found that the fingerprint login expires after a week of not logging in, requiring the username/password to log in. Annoying but ok, I log in with a username and password. Then it says I need to do MFA and presents 3 options: email, SMS, and app push notification. The UI for app push notification even says “This device”. I selected that one, and the app shows the approve/deny button over the MFA requirement screen.

      So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?

      • DanVctr@sh.itjust.works · ↑1 · 9 months ago

        So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?

        I love this and hate this so much

  • FrogMaster@lemmy.world · ↑9 · 9 months ago

    Doesn’t work because of Play Integrity API but there are ways to bypass it. At least for now. Look up PlayIntegrityFork.

    • Sprokes@jlai.lu · ↑1 · 9 months ago

      Some apps implement other checks. Mine checks whether you replaced the stock WebView (by checking the package name). So sometimes it is challenging to find those checks to bypass them.