I've worked on such systems. Love it or hate it, remote attestation slaughters abuse. It is just much harder to scale up fraud schemes to profitable levels if you can't easily automate anything. That's why it exists and why banks use it.
Wouldn't device-bound keys for a set of trusted issuing secure elements (e.g. Yubikeys) work just as well but without locking down the whole goddamn software stack?
RA schemes don't lock down the whole software stack, just the parts that are needed to allow the server to reason about the behavior of the client. You can still install whatever apps you want, and those apps can do a lot of customization e.g. replace the homescreen, as indeed Android allows today.
You need to attest at least the kernel, firmware, graphics/input drivers, window management system etc because otherwise actions you think are being taken by the user might be issued by malware. You have to know that the app's onPayClicked() event handler is running because the human owner genuinely clicked it (or an app they authorized to automate for them like an a11y app). To get that assurance requires the OS to enforce app communication and isolation via secure boundaries.
That's waay too much locking down, and while it gives me some control, it does not give me real control. I cannot remove or modify software in the software stack whose behavior I disagree with (e.g. all of Play Services). I can't replace the OS with a more privacy and security focused OS like GrapheneOS.
Imagine if this was done for desktop computers before we had smartphones. That's just crazy.
Relying on hardware-bound keys is fine, but then the scope of the hardware and software stack that needs to be locked down should be severely limited to dedicated, external hardware tokens. Having to lock down the whole OS and service stack is just bad design, plain and simple, since it prioritizes control over freedom.
1. I don't believe you. This is a measurement problem - you eliminated an avenue to measure abuse, because you are now just assuming abuse doesn't happen because you trust the client.
2. It does not eliminate any meaningful types of fraud. Phishing still works, social engineering still works, stealing TOTP codes still works.
Ultimately I don't need to install a fake app on your phone to steal your money. The vast, vast majority of digital bank fraud is not done this way. The vast majority of fraud happens within real bank apps and real bank websites, in which an unauthorized user has gained account access.
I just steal your password or social engineer your funds or account information.
This also doesn't stop check fraud, wire fraud, or credit card fraud. Again - I don't need a fake bank app to steal your CC. I just send an email to a bad website and you put in your CC - phishing.
1. Well, going into denial about it is your prerogative. But then you shouldn't express bafflement about why this stuff is being used.
Nobody is making mistakes as dumb as "we fixed something we can measure so the problem is solved". Fraud and abuse have ground-truth signals in the form of customers getting upset at you because their account got hacked and something bad happened to them.
2. This stuff is also used to block phishing and it works well for that too. I'd explain how, but you wouldn't believe me.
You mention check fraud so maybe you're banking with some US bank that has terrible security. Anywhere outside the USA, using a minimally competent bank means:
• A password isn't enough to get into someone's bank account. Banks don't even use passwords at all. Users must auth by answering a smartcard challenge, or using a keypair stored in a secure element in a smartphone that's been paired with the account via a mailed setup code (usually either PIN or biometric protected).
• There is no such thing as check fraud.
• There is no such thing as credit card phishing either. All CC transactions are authorized in real time using push messaging to the paired mobile apps. To steal money from a credit card you have to confuse the user into authorizing the transaction on their phone, which is possible if they don't pay attention to the name of the merchant displayed on screen, but it's not phishing or credential theft.
> Nobody is making mistakes as dumb as "we fixed something we can measure so the problem is solved".
There is an entire name for this: dark pattern.
People make this mistake all the time. Its a very common measurement problem, because measuring is actually very hard.
Are we measuring the right thing? Does it mean what we think it means? Companies spend hundreds of billions trying to answer those questions.
2. Not it cannot block phishing because if I get your password, I can get in.
To your points:
- yes, banks in the US use one time codes too. Very smart of you, unfortunately not very creative. Trivial to circumvent in most cases. Email is the worst, SMS better, TOTP best.
TOTP doesn't matter if the user just takes their code and inputs it into whatever field.
- yes there is such a thing as check fraud, you not knowing what it is doesn't matter.
- if I had to authorize each CC transaction on my phone, I'd put a bullet in my head. That's shit.
Yeah this thread boils down to US vs rest-of-world confusion. Or maybe a US vs Europe confusion.
TOTP, which you say is best, is considered weak sauce outside the US. I don't know any banks that have used it for a very long time. It's not secure enough. Cheques were phased out decades ago. There are entire generations in Europe who have never even seen a cheque, let alone written one. I think the last time I had a chequebook issued it was in 2004.
IIRC the differences arise because in the US consumer legislation makes merchants liable for refunding fraudulent transactions, so banks and consumers have no incentive to improve security and merchants can't do it except via convoluted and hardly working risk analysis. It's just so easy to do chargebacks there that nobody bothers fixing the infrastructure. This pushes everyone into the arms of Amazon and the like because they have the most data for ML.
Outside the US and especially in Europe, merchants aren't liable for fraudulent transactions if they verified the credentials correctly. It's much harder to do chargebacks as a consequence. Even if a merchant delivered subpar stuff or there was some other commercial dispute, chargebacks are very hard (I tried once and the bank just refused). So liability shifts to banks, unless they can show that the transaction was authorized by the account holder and they had correct information. That means banks and merchants are incentivized to improve security, and they do.
This is just blatantly false. Literally every bank in Denmark which is not an e-bank lets you do everything with a browser and the national digital identity, MitID. MitID offers an app, but they also offer alternatives both in the form of TOTP generators and NFC/USB hardware chips.
If by TOTP you mean an app like Google Authenticator, those are expected to be phones, aren't they? And the other things, as we already discussed, are hardware systems they can remotely attest - not browsers on their own.
People seem to be getting really hung up on this point. Accepting a browser means letting you do everything with nothing but whatever program you want that speaks HTTP. No special apps or authenticators or extra tokens. You should be able to write a plain Python script that sends money whenever it wants, on its own.
European banks do not allow this in my experience, and nothing being posted to this thread indicates otherwise. Apparently there are some banks especially in the USA who just don't care about security at all because they can push fraud costs onto merchants, so they do accept browsers for everything, or they make some trivial effort and if users undermine it using Google Voice or whatever they don't care - that's fine, I overgeneralized by saying "banks" instead of geographically qualifying it. Mea culpa.
But in your case, you need the assistance of something that's not a browser.
I thought that was what you meant too? If you mean TOTP via a QR code exposing the secret, then of course I agree, no banks allow that. But your comment read as a claim that all TOTP solutions were inherently deemed insecure and wouldn't work, and that smartphone based solutions were the only viable alternative outside the US. The code display is of course vulnerable to man-in-the-middle attacks where you trick users into authorizing transactions via fake web pages, but it is not a threat that is deemed serious enough to prevent our whole country from basing our digital infrastructure on code displays.
I think people get hung up on your point about banks not accepting browsers because you don't formulate your point very clearly, and it reads like you claim that they don't accept browsers at all when what you mean is just a browser and nothing else. Most European banks do in fact allow you to do business using a browser - you just have to prove your identity via other means as well. And there are no good security arguments why those means must be in the form of a smartphone app whose security requirements have the side effect of locking you into a business relationship with one of two American tech giants. As you can see, a whole country of almost six million people authenticates everything from bank transactions to naming their kids and buying houses using a system which allows you to use just a code display.
I think the strategy of remote attestation of the whole OS stack up to and including the window manager is a clunky and inelegant approach from an engineering perspective, and from a freedom perspective I think it is immoral and should be illegal. What I could accept would be an on-phone security module with locked down firmware which can simply take control of the whole screen regardless of what the OS is doing, with a clear indicator of when it is active. This allows you to authorize transactions and inspect their contents, and only needs remote attestation of the security module, not the whole OS.
From digging in a bit, it sounds like originally MitID was meant to be app only and it was only after pressure from a lobbying group that they relented and allowed a TOTP token.
So my guess is that this is not because they think TOTP is secure enough but rather due to the political aspects of it being centrally run by the government.
The security argument is pretty straightforward and I guess you know it already, because as you say, TOTP is vulnerable to phishing (unless you use some of the anti-bot tech I mentioned elsewhere but it's heuristic and not really robust over the long term). Whereas if you do stuff via an app, not only can malware not authorize transactions, but it can't view your financial details either - privacy being a major plank of financial security that can't be reliably offered via desktop browsers at all, but can via phones.
The alternative you propose is basically a secure hypervisor. Such schemes have been implemented in the past, but it's not ideal technically. For fast payment authorization via NFC, this is actually how it works, which is why when you touch a phone to a terminal to pay for something you don't see any details of the transaction on the display itself, just an animation. The OS doesn't get involved in the transaction at all, it's all handled by the embedded credit card smartcard which is hard-wired to the NFC radio. The OS gets notified and can send configuration messages, but that's about it.
For anything more complex the parallel world still needs to be a full OS that boots up, have display drivers, have touchscreen drivers, text rendering, a network stack, a way to update that software, etc. You end up with a second copy of Android and dual booting, which makes memory pressure intolerable and the devices more expensive. But it's hard to justify that when the base phone OS has become secure enough! It's already multi-tasking and isolating worlds from each other. There are no users outside of HN/Slashdot who would find this arrangement preferable. And as your concern is not fully technical, it's not clear why moving the hardware enforcement around a bit from kernel supervisor to hypervisor would make any difference. This isn't something that can be analyzed technically as it all seems to boil down to fear over the loss of ad blocking.
That's not actually what the article says, the article said that the rollout of MitID first included the app, and that the alternatives were made available later. The alternatives were always part of the plan. The lobby group mentioned were complaining because MitID was replacing an existing solution, NemID, which offered the alternatives. For a while during the rollout you could use both methods of identification, and the lobby group wanted to wait with retiring NemID until the alternatives for MitID were available. The old solution was not replaced due to security issues but because the vendor lost the project when the contract ran out.
There are two discussions here, the technical and the one concerned with freedom. I am concerned with both, and I think we need a compromise which doesn't throw out the latter in order to obtain a perfectly secure model.
My concern is not only with ad removal, that was just an example. My concern is digital autonomy in general, and the issue of giving an American company the power to decide what software users around the world are allowed to execute. They can censor software they don't like, and rogue governments can pressure them to censor software that THEY don't like. E.g. the EU who might want to prevent people from installing E2EE apps soon when Chat Control is rolled out.
There are good technical security arguments for phone based solutions over the alternatives, but it doesn't mean that the alternatives are worthless, just that the users have to be a bit more vigilant. I think that is a better compromise in the interest of protecting freedom and democracy.
We are some of the few people who can understand the long-term implications of the different technical solutions and the potential tools it will give private companies and governments to suppress people. If we are not advocating for freedom over convenience, then who will?
Well it is still a phone after all, what with UMA and baseband processing. You don't need to spend much time at Blackhat/Defcon to realize any true attempts at sealing it up are akin to plugging leaks in a sieve with epoxy. Its far too porus.
Meanwhile if attestation does reduce fraud, the ownability (by the user) of the device is now forfeit due to chasing a dragon's tail.
