this post was submitted on 09 Dec 2024
781 points (99.7% liked)

Privacy

32442 readers
605 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

cross-posted from: https://slrpnk.net/post/15995282

Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of 'non-google' approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.

Edit: had to change the title, originally it said Uber too but I cannot find back to the source of ether that's true or not..

you are viewing a single comment's thread
view the rest of the comments
[–] jagged_circle@feddit.nl 1 points 1 week ago* (last edited 1 week ago) (4 children)

Transmitting an OTP to the user is a security risk.

Banks in the EU are, in fact, forced to implement 2FA using phone numbers as part of "dynamic linking" requirement of PSD2, which makes more secure methods of 2FA (like TOTP) not allowed

[–] Aceticon@lemmy.dbzer0.com 1 points 1 week ago* (last edited 1 week ago) (3 children)

Ah, I see.

Your point is that the use of a secondary channel for a One Time Pass is still an insecure method versus the use of a time-based one time password (for example as generated in a mobile phone app or, even more secure, a dedicated device). Well, I did point out all the way back in my first post that SMS over GSM is insecure and SMS over GSM seems to be the secondary channel that all banks out there chose for their 2FA implementation.

So yeah, I agree with that.

Still, as I pointed out, challenge-response with smartchip signature is even safer (way harder to derive the key and the process can actually require the user to input elements that get added to the input challenge, such as the amount being paid on a transfer, so that the smartchip signs the whole thing and it all gets validated on the other side, which you can't do with TOTP). Also as I said, from my experience with my bank in The Netherlands, a bank using that system doesn't require 2FA, so clearly there is a bit more to the Revised Payment Systems Directive than a blanked requirement for dynamic linking.

[–] jagged_circle@feddit.nl 1 points 1 week ago (1 children)

Oh the smart chip is best, its just not an option for CNP or bank transfers online

If you send a large wire transfer from your Dutch bank to an acffount outside the EU, I guarantee your bank is going to demand a transaction confirmation. 99% of the time that's going to be a SMS, unleee you're using their (closed source) app on your (insecure) phone

[–] Aceticon@lemmy.dbzer0.com 1 points 1 week ago* (last edited 1 week ago)

Well, I haven't really made any large wire transfers to accounts outside the EU from that bank in over a decade so can't really confirm or deny.

I do know that in past experience with banks in general, the people checking the validity of suspicious transations (and large transfers to accounts outside the EU tend to fall into that classification given the prevalence of online scams from countries were the Law is a bit of a joke) will actually call you, or at least they did in the UK some years ago (pre-Brexit) which was the last time I had experience with something like that.

(At one point I also worked in a company that made Fraud Detection software).

Maybe they switched to SMS to save money, I don't know.

load more comments (1 replies)
load more comments (1 replies)