• pinball_wizard@lemmy.zip
    link
    fedilink
    English
    arrow-up
    45
    arrow-down
    15
    ·
    4 days ago

    Counterpoint: I use the McDonald’s app where it belongs - on a giant greasy ordering kiosk.

    But seriously, banks have websites. Everyone and everything has a website.

    I don’t need Android apps at the cost of my privacy or at the cost of control of my devices.

    I use GrapheneOS as my only phone, and I have done so for years.

    Whatever the topic, I don’t need an app for that.

    • hessenjunge@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      61
      arrow-down
      2
      ·
      3 days ago

      I don’t know about the US but on this side of the pond banks have their own 2nd factor apps. So to log in to a bank’s website you need an app - quite probably with play integrity.

      • Lka1988@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 days ago

        That sounds extremely inconvenient. Individual apps for 2FA? No thanks. I’m good with KeePass and Aegis, both open source, encrypted, and don’t require any extra hardware.

      • AmbiguousProps@lemmy.today
        link
        fedilink
        English
        arrow-up
        17
        arrow-down
        1
        ·
        edit-2
        3 days ago

        That’s insane, I have never heard of such a thing, but I’m in the US where most banks don’t even have non-sms second factor.

        • LainTrain@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          10
          ·
          edit-2
          3 days ago

          That’s crazy. Yeah in the rest of the world you can’t do shit on a bank website, it’s mostly just view only, and the rest is via the app. If it lets you do anything at all, it’ll require 2FA via the app.

          You can transfer money from a savings account with one bank to another account with another bank just via tapping said bank account icon in the app, like you don’t even need the BIC/IBAN/AccNo/Name or any details, it knows where to go just because you have the app of the other bank, all you do is tap the icon.

          I’m not even sure you can withdraw the money from the savings account without having the app of the target bank installed on the phone, signed into the target account.

          Same way you can add a card to Google Pay by just tapping a button in the bank app, no details or anything required.

          Frankly I don’t even know where any one of my bank cards are, I remember for a good while I had a credit card that I didn’t actually have physically because when you open the credit card account (which requires extra checks compared to what is default - debit cards) they don’t bother to ship the physical thing to you unless you explicitly ask for it (via an option in the app), since most people just use it only via Google Pay because everywhere is cashless and uses only NFC.

          I didn’t realize at first but it meant that my “card” didn’t even have a PIN, because there was no way to physically have it, any large transactions are authorized in the app, everything else, including IRL is implicitly authorized by me unlocking my phone with my fingerprint, which is required to make NFC payments on Android. I think with Apple phones it’s required to open the app but for me since 2018 it’s been muscle memory to tap the fingerprint reader and slap the phone on the NFC reader on anything from the tube to the dodgy corner shop.

          To get the actual card details it’s a relatively hidden submenu in the app, to add to Google pay is a giant button on the card icon in the app.

          Convenient as hell but the sheer amount of privacy violations involved and info that must be gathered about the phone to do this in a compliant fashion makes me shudder.

            • LainTrain@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 day ago

              Yeah, happened to me. I tried to go to one of the bank locations but they not so subtly told me to fuck off and call their customer service instead if for some reason I couldn’t use the ‘in-app help menu’. The entire concept of me losing access to it seemed alien to them, as it I was born into the app or some shit, idk how much they pay those ghouls to stand there and gaslight folks like that but I sure hope it’s a lot.

              To restore it I had to call them and turned out I needed to know some kind of extra hidden secret “telephone banking” password after fighting past 10 people who could barely speak English. I didn’t know it ofc and like an hour later I was able to prove who I was.

      • pinball_wizard@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        2 days ago

        Dang. Y’all need to pick better credit unions. MFA rolling token is an open standard. Any single app can support all of my (correctly implemented) tokens. I prefer Aegis, but they (correctly implemented MFA apps) all work.

        I don’t want to trust my money to someone who can’t implement standards compliant MFA.

        That would scare the daylights out of me.

        • hessenjunge@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          3
          ·
          11 hours ago

          Well, they have a kind of 2FA since at least 30 years, long before rolling tokens were all over the place. Their latest implementations are as simple to use as Steam 2FA. If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about. Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

          • pinball_wizard@lemmy.zip
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            4 hours ago

            If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about.

            Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

            Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

            I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

            Y’all are welcome to risk your money there. It’s probably insured anyway, right?

            For me, that’s too much risk. Even if insurance makes me whole, getting robbed is a huge pain.

            • hessenjunge@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              3 hours ago

              Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

              That’ll surely end their business. /s

              I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

              Just out of curiosity: What percentage of the population is capable of running Graphene/Aegis? What percentage, regardless of capability, is willing to do so?

              Creators of popular OSS regularly warn about downloading their stuff elsewhere or pay for it. How do you think that would apply to any 2FA application?

              Now think of how stupid the average person is, and realize half of them are stupider than that. (love some George Carlin). Given that even (very) stupid people have and need bank accounts: How would you implement an authentication that can’t easily be compromised to ripp off stupid people?*

              * Let’s just assume that you, the lead developer, are not at all “incompetent”, quite the opposite. Also take into consideration that you need to keep cost down (hint: That means you want no one to call support because of 3rd party applications!).

      • miss phant@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        7
        ·
        3 days ago

        I’ve been using a dedicated TAN generator for banking since I first made my account but I don’t doubt that’s going away at some point, since debit cards from the same bank already require an app for 3-D secure.

        • LainTrain@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          6 hours ago

          That’s not it, the TAN and 3-D Secure are different components to the 2FA required to access the bank account.

      • eleitl@lemmy.zip
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        2
        ·
        3 days ago

        No, hardware TAN generator work fine. If the bank wants to force me to use proprietary snake oil it’s time for a new bank. Or using a dedicated old smartphone just for the app.

          • eleitl@lemmy.zip
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 hours ago

            Consors bank so far is an alternative. NFC cards, hardware TAN generators, app not forcing use of proprietary OSses. LineageOS is fine, need to check GOS.

    • Wispy2891@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      2
      ·
      3 days ago

      Counter-counterpoint:

      Banks use their app to generate the otp and they reinvented the wheel so if you want to login you need to install it, can’t use a generic authenticator. I am not aware of any single bank in the EU that allows the use of generic authenticators.

      For McDonald’s, using the app gives at least 50% off. A menu in the app costs 5 euro while on the store kiosk costs 12 euro. I do not personally care because I find their food to be just barely edible, but I understand why there’s a need to install the app

      • thedarkfly@feddit.nl
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        3 days ago

        Some people have no smartphone at all. How can they be customers at your bank?

        • redjard@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          3 days ago

          My bank had a device that was basically a simple android phone running the 2fa app. The phone app got updated through new versions and eventually got the drm treatment, but the old app keeps working because it is still running on those dedicated 2fa “devices”.
          Naturally the bank is now trying their best to make people deregister the old “devices” and switch to only the “app”.

          The old app has no internet permissions. It reads qr from the camera and shows verification as a 6 digit code.
          The new app has internet permissions and is integrated with other apps so you can conveniently accept the request of your banking app in the 2fa app (on the same phone) with a single tap via an overlay. 2fa.

          • thedarkfly@feddit.nl
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            3 days ago

            Damn… The two extremes of the cyberpunk dystopia: no tech at all vs tech slavery.

        • Wispy2891@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 days ago

          Pay a fee of 0.30€ to receive the otp via SMS every time they want to login without the proprietary otp app and 0.30€ for each payment to authorize

          • thedarkfly@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            ·
            3 days ago

            Fucking hell, y’all make me realize how lucky I am with my bank that runs without gapps.