[izacus]

> If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

Now that's just not true now, is it? Sure the lawyers told you that (the ones that get paid to tell you that), but nowhere in EU was a bank actually fined for not root checking a device.

They were plenty fined by being utterly incompetent with security practices and doing them poorly - like trying to inject wierd .SOs to do the root detection you're defending.

[mike_hearn]

Literally three days ago: https://www.complianceweek.com/regulatory-policy/eu-agrees-r...

"Payment service providers (PSPs) operating in the EU will have to cover customers’ losses from fraud if their fraud protection regimes are inadequate or poorly implemented under new EU rules."

Other places like the UK had such rules already.

[izacus]

Note how this says nothing about root lockout.

The fact that no root lockout means "inadequate protection" is something you projected onto this statement and that's the part I'm addressing in my comment.

No one actually got fined for root protection specifically.

[mike_hearn]

Regulators love vague standards like "inadequate protection" because it means they can implement a ratchet effect without needing to understand anything or constantly rewrite the laws. If someone gets hurt they just look around at whatever the competition is doing, pick the most extreme thing, and declare that any other standard is inadequate.

So sure, if you want to not use security tactics your competitors are using and then try to lawyer out of it by arguing, "it didn't specifically say we had to do that" in front of the EU Commission, go ahead. But don't blame the banks that are more realistic about how this works.

[izacus]

Yeah, so you admit there's no real legal basis for those kind of restrictions.

Which anyone of us who worked with banks, mobile, banking security and their legal already knew. They're a source of greatest security hits like "let's use SMS for only auth for web banking" after all.

But what's really hiding behind all your fluff is something else: Abusing users with root lockouts is EASY for the programmers at banks. The auditors have a checkbox "root lockout" and they tick the box. Legal ticks the box. CISO ticks the box. All happy, who cares about user. That's what this is all about. The insulting thing is trying to sell it like some kind of security feature.

[mike_hearn]

The regulations are the "real" legal basis. The fact you don't like them or how they're written doesn't make them any less real. And you're not arguing with me or my "fluff", you're arguing with the entire banking industry.

If you really think this is all just fluff, by all means, go get yourself employed inside a bank's security team and convince them to turn all this stuff off. Let us know how it goes.

[Aspos]

No bank got fined for not root checking, correct. However banks are on the hook for unauthorized transactions. And "unauthorized" means different thing in different countries.

In some jurisdictions if bank can prove that transaction was made with customer's key then customer can not demand their money back. That's the best case, but there are only few of such jurisdictions and even there the burden of proof is on the bank and it costs a lot.

In other jurisdictions bank must reverse a transaction even if it was proven that the transaction was signed with a legitimate key, but the key _may_ have been stolen.

In some jurisdictions (i.e U.S.) banks are required to reverse a transaction at a customer’s request, even if the customer does not dispute having made the transaction.

In any case dealing with all this is too expensive and risky.

[izacus]

> In any case dealing with all this is too expensive and risky.

[Citation needed]

How much does it cost? How risky?

[Aspos]

Let's say you are a bank and you make $10 on each $100K transfer. If customer disputes a transaction and you must return the money, you lose the whole amount and twice as much on lawyers, internal audit, compliance people working on the case. With this math you can't afford the risk if it is more than 1 in 30000.

For many European banks the math is even more brutal.