Let’s be real here. Folks running Linux as thier desktop have a high chance of knowing what they are actually doing. Folks with rooted android phones have a high chance of having watched a 12 year old tell them how to root thier phone on TicTok. Which of these groups is participating in the more risky activity?
I for one, would NOT trust some rando 30 second clickbait video telling me how to root my phone, but you can sure as shit bet that a ton of school aged children are doing that to play some cracked APK they got from a sketchy website because their parents wouldn’t buy them a 99c game.
Those same kids have bank and google pay apps setup on their phone so they can make purchases when they are out and about. I see kids using their phone for vending machine purchases ALL THE TIME.
Edit: Since this is a meme community, little bit of rage bait for ya: All the TikTokers coming out with the downvotes :)
No offense but you sound SO old lol. Tiktok isn’t just full of 12 year old’s and hasn’t been since, well, probably since covid started. With what a shit show standard search engines are these days I don’t blame them for searching what they know. There’s plenty of good info on tiktok that’s being presented by people that know their craft. The short format is nice too because it keeps them from telling their whole life story before they show me what I need to know.
The fact that you’re just basing your whole opinion here on an article kinda says it all really. I would have hoped my generation would outgrow this boomer bullshit but here we are.
Y’all are so worried about using things like Google pay but it’s going to become a standard whether you like it or not. It’s just another way to pay for shit and banks reimburse scammy bullshit just like they do if your card info gets stolen.
Nah, the article was something I went searching for after the fact. I guess “old” is in the eye of the beholder. My 8 year old thinks I’m old.
Just your bog standard Millennial here though. Started out with no tech growing up, and basically grew up along side and with the modern era of technology.
As for search engines, I agree, that’s why I use a selfhosted SearXNG instance. It’s not shoved down your throat google ads (much more akin to what google was 5 years ago or older), but TikTok surely isn’t the answer for “specialists in their field”, just like I wouldn’t have used Vine to source specialist knowledge before that. The problem with the format is there is to much “jumping to the end” without understanding why. You literally cannot get into the “why” in short video format, it’s a bit like “and now your draw the rest of the owl”.
I actually feel like some of the youngest generations while “perceived” to be technical because they grew up with tech actually lack much of the deeper understanding of how that same technology works. This is gonna sound very much “in my day we had to walk uphill both ways” kinda thing, but we did actually have to struggle with technology growing up. If you wanted it to work, you had to frequently do it yourself, and figure out why something wasn’t working with out reddit or online forums sourcing thousands of technical people. I use those skills to this day and it’s a skill I try and mentor into new hires at work.
I recall once early in my career, I caught a co-worker attempting to perform a change on a server for a Fortune 500 financial company using instructions on a webpage that looked like it was from a 1990’s Geocities website (this was probably 2012, so not sure where he even found it!). I slammed his workstation closed so fast and walked him into a conference room. Being “old” doesn’t mean out of touch, but it does often mean wiser.
Edit: Also, not sure where you got that I’m against google pay, venmo, paypal, square, amazon pay or any of those apps, I have them all installed on my phone. What I AM saying is that those apps are at risk to people who root their phones and install applications from sketchy sources. My point about kids using their phones at vending machines was to prove they are probably MORE at risk because they don’t understand the hows or whys to what they did when they rooted their phone and installed Minecraft (or any game!) from a sketchy crack page.
If any of the younger gens have a lack of understanding in tech then it’s on us. It’s on the older gens. We failed to guide them and push for the kind of education that they needed. Millennials, older millennials especially, were kind of privileged in this regard because we grew with the tech. We HAD to figure it out or just not interact with it. It’s not like we’re just built different or anything we just had different opportunities to learn. I don’t see how “watching a 30 second video by a 12 year old on tiktok” is realistically different from watching the video by a 12 year old typing in a notepad on YouTube that I used the first time I rooted a phone.
I swear every single generation makes things easier for the next and then immediately complains about “kids these days” and their lack of struggles
Alright this wasn’t supposed to be a TED talk but turns out I’m passionate about this and the Adderall kicked in…
I don’t think it’s on older gens on a user level for the most part. I try to teach the kids in my life computer stuff all the time. I know lots of “my dad’s in IT” kids that grew up understanding how computers work even on a basic level.
We who care, do so fervently, and are often drowned out by the noise.
Let’s point the finger more accurately: It’s 99% on how tech companies forced the evolution of computing to their benefit. They decided what “the future” would be, and sold us out to it.
Instead of fully functioning computers, “Kids these days” have grown up with flat little content-consumption devices that make sure you literally can’t understand how they work. Everything is framed as some esoteric black box service brought to you by a cabal of qualified wizards. (Look at Windows’ whole “We’re doing things for you behind this pulsing blue screen” schtick. Funny how opaque an OS called “Windows” has become.)
The entire design motif of modern devices seems to scream:
“Don’t ask questions. You’re too stupid for that. Know your place. Just put a payment method on file and tap whatever you could want for just 99¢ more!”
They’re black-box appliances that were aggressively marketed to families at home, and these companies shelled out tablets and chromebooks as “grants” to schools, to secure a mind-share of future customers who were “raised on it” and know nothing else.
The Silicon Valley titans have normalized addiction algorithms, invisible data mining, zero privacy, planned obsolescence of entire devices with non-replacable parts, browser-based-everything, subscription-tiers for everything, no ownership over purchases, and consumption-first design.
Computing knowledge has become a “magic box” to the point that colleges need to spend valuable time explaining file types and folders. Before college?
Hah! We’re back to the 80’s again: Only real nerds have a desktop in the house.
Elementary schools have replaced their computer labs with cheap e-waste-quality chromebooks where students do everything through a browser. Computing education went the way of arts, history, and music. Gone, unless it’s a fancy private school.
They’re stretched thin as it is, and the curriculum is increasingly based on standardized testing on “STEM” over everything else. Why?
Because employers want a large pool of punctual test-passers to choose from, and corporations want generationally vendor-locked customers to secure future earnings.
This is why, despite how the world runs on computers, to the majority, emails are space magic. Nobody knows nor cares about their privacy being sold off, and nobody bothers to learn about computers in the first place.
A “technical user” is super intimidating to “normies” because they know things like “There are multiple browsers” and “You can copy and paste”. I’m not even kidding.
It’s depressing as hell. Maybe some of it is on our generation, for not fighting harder for user rights.
This is why Linux has such a cult following: it flies in the face of this hypercapitalist customer-farm nonsense, and people find that refreshing. I’m happy to hear of more kids using it, and messing with things like Pis.
Can’t tell if this is serious question or not, but for the end user. Lemmy is a bit of a technical microcosm, so while we might not want protection from ourselves, the MAJORITY of people out there are not technically savvy. So while not everyone has a linux workstation (lets assume 2-3% based on some reporting) Android has an approximate 70% worldwide market share. So that means the VAST majority of people running Android probably can’t be trusted to plug in a toaster correctly. This is the same reason there are guiderails on roads with steep embankments.
I think you probably fall into that 3% I talked about in my other comment. I bet you know how to block apps from detecting root too, so probably not a good faith argument.
Far too many people with rooted phones having no business with a rooted phone, installing whatever from wherever with no regard to the security implications.
At least people with root on a Linux system, by default, are going to be more knowledgeable in that regard.
The last time I rooted my phone, I used a sketchy app I downloaded from megaupload (man, I’m getting old) that may or may not have given that phone superherpes. You are not wrong.
maybe it’s just me, but isn’t it quite hard (at least for people not confident doing technical stuff) to root a phone?
like a decade ago the bootloader may have been unlocked by default and for many phones there were exploits so that they could be rooted with an app, but nowadays you would have to:
unlock the bootloader by installing ADB and fastboot drivers, booting into download mode and run terminal commands that would reset your phone in the process; and for some phones, you would also need to shorten a test point and for quite a few of them nowadays, unlocking the bootloader is impossible
boot into download mode and flash a custom recovery with fastboot or potentially with Odin or some other proprietary software (or sometimes you can root from download mode)
for some newer (including Samsung) phones, you also need to disable dm-verity otherwise your phone wouldn’t be able to boot into Android
boot into recovery mode and finally flash (probably Magisk) an image to root the system
I guess there are usually detailed instructions for this, but I doubt that most people rooting their phones now would be non-techie people who are just watching generic online tutorials. they would most likely stumble upon XDA or other forums that would have proper instructions. and even then, they are not very beginners friendly as they aren’t usually supposed to be followed by people with little to no experience with using the command-line, drivers, how Android phones work internally, etc.
Making my point for me. Those short form videos have very little chance of being right or accurate. They may have you going to some sketchy link and download and app that is supposed to do it for you etc etc.
My point is the people at risk don’t know they are participating in a risky activity. (not if they successfully rooted their phone or not).
ah, okay, that’s fair. in terms of short-form social media that tries to engage you, I’d expect little warning and for children especially to take more risks when encountering this type of content.
Folks with rooted android phones have a high chance of having watched a 12 year old tell them how to root their phone on TicTok.
I was more focused on this, though, because this sentence implied that you could successfully root your phone with short-form, likely phone-generic tutorials when the process nowadays is much more difficult and technical
I was once working for a project in a bank, a developer answered me to why they go app only, because “you don’t know what people do with their browser”.
It’s only about the feeling of control (and some paranoia), not about security.
What I find interesting is that my bank has kind of the opposite stance. It allows you to do a lot more things if you login via their website and I think they overall trust your actions more if you do it over the browser, but you are required to pass a lot more security checks, while on the app a PIN is enough, but it also doesn’t allow you to do as much.
It’s the banking equivalent of turning your device off for aircraft take off and landing.
If you keep doing stupid shit for long enough you can turn it into a religion. Huge profits will follow. It’s also why the unexamined life is no life at all.
I can’t believe I’m saying this, but thank God my country developers are incompetent.
I was greeted with this message:“This app can’t be used on a rooted device” And I was prepared to go through hoops to get it to work. you know, fucking safetynet and all. But it turns out that the solution was just enabling zygist on Magisk.
Same, hiding root from my bank app was easy, no safetynet needed.
But their NFC phone payment was something else. I had to use safetynet and google play integrity fix with fingerprint that need to be renewed and other bullshit. I sent my phone in a boot loop too because the latest version had a bug for my specific phone …
My bank app had this and i had to go through quite a lot of hoops. Then i didn’t have root for a while (new phone) and when i got root again i also only needed to enable zygist for it to work. So i guess they changed it?
Btw, have you guys heard of Taler? It’s pretty interesting and I think you will be able to use it with a libre app
NGI TALER is a pilot funded by the European Commission and the Swiss State with the very concrete objective to roll out a new, best-in-class electronic payment system that benefits everyone: people, merchants, banks, financial authorities, auditors and anti-corruption researchers. The project doesn’t have to start from scratch either, but builds on the strong foundations of GNU Taler — the privacy-preserving digital payment system developed by the GNU community and Taler Systems SA with support from the NGI initiative. This offers privacy for those that make payments, while enforcing transparency on those that sell. By providing micro payments at very low overhead, GNU Taler permits internet business models to shift away from advertising revenue or subscription models, especially for online publishers. No-risk transactions can lower transaction fees and open online payments for the underbanked population and citizens marginalized from digitalisation.
I tried reading the website, but Im not really sure I get it. What it’s supoosed to be? A way how to make FIAT payments thats open-sourced and private (so you dont have to pay stupid fees to banks), and it integrates into the current banking system, or is it some kind of digital currency that’s not blockchain based?
If it’s the former - isnt any kind of payment without KYC almost impossible, since its heavily regulated? So, you can’t really have private payments in environment where there’s stupid amount of laws about how much you can actually pay without it being identifiable, for example the super small monthly limit on anonymous prepaid debit cards?
I played around with GNU Taler a while back. The payer is anonymous but verifiable (so I can’t pay with the same €3 ten times to ten people) but the recipient is known and the payment connected with the recipient, to satisfy avoiding tax evasion and fraud.
It still anticipates merchants taking some fee, but that fee should be able to be much less, as it doesn’t depend on Blockchain (requiring so much work) but is a suitable cryptographic algorithm so 3rd party merchants can compete.
It’s not a currency - just a new payment system, but I don’t know how it works exactly. In order to make payments with it, your bank has to support it. Some banks are working on integrating it now. It’s supposed to be anonymous and the transaction history is supposed to be private. Currently only cryptocurrency has such features, but it looks like Taler will change that.
Can I send money to my friends with Taler? Taler supports push and pull payments between wallets (also known as peer-to-peer payments). While the payment appears to be directly between wallets, technically the operation is intermediated by the payment service provider which will typically be legally required to identify the recipient of the funds before allowing the transaction to complete.
Your bank already knows who you are, but with Taler you will be able to make payments using libre software and the bank won’t be able to track them. I guess if you send money to a friend, their bank will know they received the transaction, but won’t know who it was from. At least that’s my understanding.
I said i have no Smartphone and the gave me the same app for Windows or mac, after asking twice vor more times. It runs in Virtualbox for years now. (I know i know. KMV would work better but i don’t change it aslong as it works.
I just use a web browser on my laptop, never use mobile banking apps at all. I have accounts with more than 3 financial institutions and this works fine for all.
Why do I need to use a mobile website? I guess the comment I replied to was meaning they require their app for mobile banking vs browser which I should have realized
The comment is deleted now but it said something like “I’ll tell the bank I don’t have a smart phone so I can’t use the app” implying this would force the bank to allow them to use a mobile website.
What I misunderstood was what the bank required an app for, in my very sick and sleep deprived mind I thought they were saying banks required you to install their app to get service from that bank in any form which I thought was absurd, but that doesn’t seem to be the case.
In the EU you have to verify your identity every time you log into your bank. You either need a physical token or you can use a mobile app to verify it’s really you
No, you don’t. That’s your bank or maybe an Italy thing, but I can login without providing anything beyond my username and password. I do need to use an app to authorise transactions, but not for logging in and viewing my account balance or transaction history, pending transfers, etc.
Most of the mobile sites I visited seemed to have only one goal, to get you to use the app and the mobile interface is often so bad that you’d better use the app
Because as per usual they don’t understand security. I have started choosing my bank based on software they have. If software looks competent, that’s my most significant influence.
They think rooted device = insecure device, but at the same time PC is even less secure and yet all the business users use them and more to the point have passwords written on a sticky note glued to the screen. My old bank at one point “upgraded” their software system and then started asking me for weird characters in password and then asked for maximum length which was the final sin I allowed them to commit. Left them that week.
You’re better off with random different passwords for each service written on a sticky note than using the same password/email combofor multiple accounts.
I mean, you’re comparing very different scenarios.
If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.
If someone has access to your sticky note they have all your accounts.
I don’t think I’d call either of them better.
Of course, all this assumes no second auth factor.
If someone has access to your sticky note they’re already in your house, and that’s a bigger issue IMO… even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.
My house is not a prison… yes, other people come over. There’s the occasional party, handymen doing work, neighbors, parents of kids from school, kids sleeping over, and so on. It doesn’t have to be the ninjas breaking in.
If you don’t casually keep wads of cash in the open around the house you probably shouldn’t have logins on a post-it either. But to be fair the kind of person that does the latter does the former too.
If I know they are there then I either supervise visitors or trust them to not rummage/take my stuff. If that is your issue then keep your postit in a drawer; most people don’t keep their yubikeys in a securely bolted safe either.
Air Canada’s online account system required a 6 character password, which was secretly converted via T9 to 6 numbers on the back end, meaning “aaaaaa” and “bbbbbb” were effectively the same password, and this was only fixed in 2018
My personal theory is that it’s a remnant of an old system that was only accessible by phone (hence the 6 digit pin), and they simply grafted an online component on top of it
Any service that limits maximum length of the password means they are not hashing them. Which is a scary proposition, especially for such a huge service.
It’s possible that limit is either gone or vestige from a bygone age and they are hashing passwords properly now. Either way they do seem like they take security seriously.
Because they want to “protect” you from “yourself”. Imagine, you could scrape your own data that you can already see.
I’d be really worried if the security of server operation for my bank depended on the client-side. But playing devils advocate, some people will most likely point out that a root exploit on a phone may be unintentional and used to spy on people, to which I answer:
show me a big scary box where I can “accept the risk” and move on
keep in mind that if I am root on my phone, I can hide the fact that I am root on my phone and you’ll be none the wiser
You deftly evaded the leading attack vector: social engineering. Root access means any app installed could potentially access sensitive banking. People really are sheep and need to be protected from themselves, in information security just like in anywhere else.
You don’t get a “accept the risk” button because people don’t actually take responsibility, or will click on those things without understanding the risk. Dunning Kruger at play.
Why is this prevalent on Android but not desktop Linux? Most likely a combination of 1) Google made it trivially easy to turn on, and 2) the market share of Android is significantly large enough to make it a problem warranting a solution.
The fact that you know how to circumvent it is inconsequential to the math above. Spoiler: you never were nor ever will be the demographic for these products, in their design, testing, and feature prioritisation.
Root access means any app installed could potentially access sensitive banking
That’s not how it work. Having a rooted phone does not turn it into a digital farwest were every application can do anything. It becomes a permission like everything else; if you only grant it to safe stuff (like, for example, not granting root to a single app but using it to customize your phone through ADB), there’s not much to see here.
In fact, it can be better: having root means you can arrange additional ‘firewalls’ between apps and your data , or omit/falsify sensor data the the banking app should not need, that the Google is unwilling to implement.
The word “potentially” was critical in the parent’s comment. A banking app cannot be assured that other apps are prevented from accessing its data when the phone is rooted.
So? If I, the customer, want to access my banking info, on my phone, with whatever means I want, I should be able to. As I said, it’s not like every app gets root access, if I, as the owner of the device, explicitly gave root access to something, it’s for a reason.
And the main point that a rooted phone can basically hide itself from any app remains; these “detections” are trivially bypassed in the exact situation they’re supposed to detect.
And if you don’t want to wear a mask on your face during a pandemic, you should be able to? Not everything is about you.
Banks practice defense in depth as other security practitioners do. Not every defense will stop every attack, so a layered, overlapping approach is used.
You really are missing the point that if the device is rooted there is nothing an app can do to protect itself. Defense in depth is layering (sometimes overlapping) solutions that do something. Detecting root and saying “nuh-uh” is not doing anything.
The issue with option one is that scammers get old (or not technical) people to do stuff when they don’t know what they’re doing and click the box not knowing what they just did. So yes very frequently they need to protect people from themselves because they’re dumb, but I still expect banks to do business with those dumb people, sooo… Option 2 it is.
It’d be the tech literate person in the family. The nephew that’s working as a programmer or something like that. Now, if that nephew has some interest in stealing their uncles money, they now have access to their bank account through a freely rooted phone.
This gives them a lot of options, which I don’t have to explain.
Given that a lot of scams actually happen between presumed family and friends…
As long as we’ll have control over the software, it’ll be there. If we reach the point were you’re not allowed to own computers, we’ll have bigger problem.
Is there a list of banks that do this? Some don’t ban root users. Or at least some don’t do as good a job as others at detecting it. Magisk has at least some kind of root hiding stuff in it.
Add comment