I keep interacting with systems-- like my bank, etc.-- that require (or allow) you to add one or more trusted devices, which facilitate authentication in a variety of ways.

Some services let you set any device as a trusted device-- Macbook, desktop, phone, tablet, whatever. But many-- again, like my bank-- only allow you to trust a mobile device. Login confirmation is on a mobile device. Transaction confirmation: mobile device. Change a setting: Believe it or not, confirm on mobile device.

That kind of makes sense in that confirming on a second device is more secure… That’s one way to implement MFA. But of course, the inverse is not true: If I’m using the mobile app, there’s no need to confirm my transactions on desktop or any other second device, and in fact, I’m not allowed to.

But… Personally, I trust my mobile device much less than my desktop. I feel like I’m more likely to lose it or have it compromised in some way, and I feel like I have less visibility and control into what’s running on it and how it’s secured. I still think it’s fairly trustworthy, but just not categorically better than my Macbook.

So maybe I’m missing something: Is there some reason that an Android/iOS device would be inherently more secure than a laptop? Is it laziness on the part of (e.g.) my bank? Or is something else driving this phenomenon?

  • Nik282000@lemmy.ca · 1 day ago · 6 up, 1 down

    > I trust my mobile device much less than my desktop.

    I’m with you. Phones are toys, a PC with disk encryption and well-chosen software is way more trustworthy.

  • Skull giver@popplesburger.hilciferous.nl · 2 days ago · 9 up, 1 down

    Your lack of control over the security of your phone is exactly what’s keeping the bad guys out. The extra control you have over your computer is what leads to people getting scammed out of their life savings. Perhaps you’re an expert in fraud detection or banking trojan analysis, but 99.9% of the population doesn’t have that knowledge, and that’s who the apps are built for.

    Phones and tablets have either dedicated hardware or super low level software that runs alongside the other software to do secure computing. These features are used to detect if the device’s operating system has been altered in any way.

    Without alterations, the bank can trust that its security code will execute as intended, and that nothing can spy on your connection or steal your money. If your phone has been rooted or jailbroken, that’s no longer the case. Some banks (like mine) don’t really care. Others will disable certain features or refuse to work. Many rooted phones are rooted without the owner’s knowledge by malware, so these concerns are legit.

    On PC, there are very few ways to get the same level of trust. In theory, Windows with Secure Boot cranked up and a signed TPM can be trusted (using security mechanisms such as Windows Hello to authenticate using the TPM as dedicated security hardware). In practice, this is all very recent and because Windows allows arbitrary drivers to be loaded, the guarantees are much weaker.

    Furthermore, phone apps are sandboxed. They can’t interact with each other beyond a few predefined APIs, they’re basically stuck in their own, separate sandbox, doing whatever they like, never crossing boundaries. PC software isn’t like that most of the time. Even if they are (i.e., Windows UWP applications, Flatpak apps), other software may be running outside of the sandboxed environment, making it impossible for a sandboxed app to protect itself.

    Phones aren’t hacked as often as PCs, broadly speaking. That’s why iOS lacks antivirus protections and Android only has very weak ones. It’s also why many banking apps lack MFA on mobile devices.

    As for your MacBook, your bank could probably make its authentication app work on your laptop, as Apple has very similar security APIs to the ones on iOS. Apple has a porting toolkit that will likely be able to run the iOS app directly on your MacBook, in fact! However, they would also need to ensure that you don’t break the MFA principle by logging in in a browser running alongside their app. And, let’s be honest, most people would do exactly that.
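
The three bank behaviours described in the comment above (not caring, disabling features, refusing to work) amount to a server-side policy over the device's attestation verdict. The sketch below is an added example, not part of the thread or any bank's code; it uses the field names of a decoded Google Play Integrity verdict as one Android instance, assumes the token was already decrypted and verified, and the package name, nonce, age limit and tier names are hypothetical.

```python
import time

# Hypothetical bank-side settings (assumptions, not from the thread).
EXPECTED_PACKAGE = "com.example.bank"
MAX_AGE_MS = 120_000  # ignore verdicts older than two minutes


def decide(verdict, expected_nonce, now_ms=None):
    """Map a decoded, signature-verified verdict to "full", "limited" or "refuse"."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    device = verdict.get("deviceIntegrity", {})
    labels = set(device.get("deviceRecognitionVerdict", []))

    # Binding checks: a verdict issued for another app, another request or an
    # old request says nothing about this login, so fail closed.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return "refuse"
    if not expected_nonce or req.get("nonce") != expected_nonce:
        return "refuse"
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        return "refuse"
    if not 0 <= age <= MAX_AGE_MS:
        return "refuse"
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return "refuse"  # not the build of the app that was published

    # Device tiers: unaltered OS, altered but recognisable, or nothing at all.
    if "MEETS_DEVICE_INTEGRITY" in labels:
        return "full"
    if "MEETS_BASIC_INTEGRITY" in labels:
        return "limited"  # e.g. balances only, no new payees
    return "refuse"


def sample_verdict(labels, ts_ms=1_700_000_000_000):
    """Constructed sample payload; all values are made up for the example."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": "constructed-nonce", "timestampMillis": str(ts_ms)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }
```

A browser session on a desktop has no equivalent verdict to feed into such a policy, which is the asymmetry the comment describes.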

  • grue@lemmy.world · 2 days ago · 12 up, 2 down

    They’re more locked-down by the manufacturer than desktops, so they’re more “trusted” by corporations to act in corporate interests at the expense of yours.

  • RiderExMachina@lemmy.ml · 2 days ago · 17 up, 2 down

    Phones are generally seen as more secure because they’re less likely to have malware and the apps should be running in their own sandbox, meaning it’s more difficult to see what each app is doing and so theoretically it’s more secure.

    Most desktop operating systems do not have sandboxing in place, have known malware that could be installed much more easily than on a phone, and it is harder to verify that the system is secure. This is doubly so taking into account that basically the only way to use the banking information is through a web browser, which could have any number of junky web extensions installed.

    While things are incrementally changing on the desktop front (mostly on Linux with Atomic distros, Flatpak/Snap, and Firefox container tabs), most banks are only familiar with Windows and macOS, and since those two have the most security risks, they’d rather play it safe with the relatively more standardized, theoretically more secure phone OS.

    • Emotet@slrpnk.net · 2 days ago · 12 up

      To add to this:

      We have to differentiate between physical and cybersecurity.

      Are you more likely to physically lose your smartphone you carry around with you all day than your full ATX desktop standing in your office? Yeah.

      But let’s consider the consequences for a moment.

      If someone physically stole your desktop, chances are that at least a part of your data isn’t encrypted, the boot sequence probably isn’t (at least completely) verified, and your OS is wide open. There is little to no real isolation in most desktop setups. Once somebody managed to gain access to your system, it is outright trivial to steal your browser sessions, modify commands or run some code, at least in userland.

      Physically stealing your smartphone is easy. But a modern smartphone is usually protected by verified boot and a password+fingerprint/Face ID combo. Unless you take active steps to compromise the security of the phone like rooting/jailbreaking it, disabling verified boot or disabling the passcode, it’s pretty hard if not near impossible to gain access to your data or modify it in a harmful way. If you visit an infected site or install an infected app, the damage is usually confined to that app’s data and the data accessible to it by permissions you probably had to allow to be set in the first place.

      Now that’s speaking to your usual bad actors and usual setups. Exceptions, as always, make the rule. As soon as a sufficiently motivated and technically able actor with access to 0-day exploits, like a state actor, targets you for some reason, all bets are off. But even in this case, due to the advanced verified boot chain on most modern smartphones, those exploits rarely have the ability to survive beyond a reboot.

  • tal@lemmy.today · 2 days ago · 8 up

    As things stand, mobile OSes have some pretty decent out-of-box ways for apps to be isolated. App A can’t fiddle with data private to app B. That Android video game you just downloaded can’t extract data from your web browser or generally fiddle with it.

    Desktop OSes today don’t normally have software install and work like that. Yeah, you can manually set something like that up with containers or VMs, but your typical user isn’t going to do that.

  • cm0002@lemmy.world · 2 days ago · 6 up

    Not really, banks are simultaneously really smart and really stupid about security. They do incredibly annoying things that don’t do anything or are negligible security-wise all the time.

    Some bank apps won’t work if they detect your phone is rooted for “security” when root just gives you the ability to grant administrative access to apps. And yet this is the default way desktops/laptops operate.

    Some banks refuse to let you pick your own username and instead assign you a number that’s sometimes random and sometimes just your primary account number. Why? “Security”, and just for even more “security” you have to wait for them to send you that info and a PIN through snail mail.

    • Saik0@lemmy.saik0.com · 1 day ago · 1 up

      > Some bank apps won’t work if they detect your phone is rooted for “security” when root just gives you the ability to grant administrative access to apps. And yet this is the default way desktops/laptops operate.

      And is the default state if you use a browser to access the website on your phone.

    • dotdi@lemmy.world · 2 days ago · 6 up, 3 down

      Administrative access, in many cases, allows malicious apps to read and/or modify data, even memory and executables, of other apps. This is pretty much impossible with non-rooted phones out of the box. While the root detection feature is somewhat annoying, it is absolutely not a stupid measure.

      • cm0002@lemmy.world · 2 days ago · 7 up

        The stupid part is they don’t stop their websites from working on desktops when they detect it’s being accessed with an administrative account.

        If it was such a useful and important feature then why don’t they all do it? In fact it seems it’s mostly small-time banks that do this. Most of the major ones I’ve used don’t seem to care at all to even attempt to detect it (Capital One, BofA) or if they do, they just display an easily dismissible warning (USAA).

        This tells me that this “important security feature” is just very low-hanging fruit for smaller banks to pick so they can say they have good security with minimal investment. It’s about as useful as that “unable to pick your own username” security thing I mentioned (which also seems to be only a smaller bank thing).