I may be misunderstanding what you intended but how do you use traditional means of payment (credit card) without an identity? How do you check your email without identity?
What I said was that centralization is the problem.
Different tasks require different levels of identification. Cash (a traditional means of payment) requires no identification. I only carry up to about $200 in cash on me, which is an amount I'm willing to bear if my wallet is stolen.
When I use chip&pin ("what you have and what you know") for small payments, I rarely need any authentication, and when I do it's the PIN. My wife can and has used my card, with my permission. I have my email password written down for her so she can access it, e.g., if I die and my computer dies.
The banking system probably factors in my usual payment locations to make the choice of when to ask for a PIN, combined with the trust experience with the vendor.
My card, even with a PIN, has a spending limit. Years ago I had to authorize raising the limit because my client was willing to reimburse me for a business class flight across the Atlantic. Of COURSE I want more friction in the system when doing something riskier. If the way to authorize a $60 dinner and a $60,000 car are too similar, then it's easier to fool you.
For a higher amount, I can go to the bank and carry out a transaction in person, or I can authorize it through their online banking system.
"But wait, how?" you might ask. The bank figured this out years ago, when people started going online, using unpatched Windows PCs without virus scanners.
The system - whose security I trust much more than a phone's - uses a small device with a camera. The login screen shows me a pattern with colored dots. The camera reads those dots, decodes the message (and probably also validates it cryptographically) and displays a message asking me to verify I want to log in.
I enter the PIN, and it generates a response code, which I enter.
If I make a payment, or add a new recipient, or a few other things, I am required to use the device again.
This device stays at home, because I don't expect to make $10,000 payments while out.
I can use it on any web-enabled device, because the security is in "what I have" and "what I know", in a device which cannot be hacked, does not require any physical connection, and does not require network access.
I like this system more than a Yubikey because it does not require a hardware attachment, which isn't always possible.
Yes, Yubikeys feel like a step backwards compared to my bank's security practice. I don't understand why there is no provision for cable-free/wifi-free/mobile-system-free validation in this supposed privacy-oriented switch to passkeys, when I know such a system exists.
Furthermore, the bank has the legal obligation to ensure the system works. If the encryption system is somehow broken, they are required to update the hardware. Apple is not. Yubi is not. The cost is all on you. My bank has even shut down mobile phone banking for older hardware/OSes, claiming the security isn't high enough. But they have not needed to update my security device.
If you expect your phone to be able to do anything, and authorize anything, then I see it as a giant risk. You can be at the bar, having drunk too much, and be convinced to make a payment or authorization that you shouldn't have. There's no real, physical way to change your risk level depending on the circumstances if you always have your phone with you.
Centralization of identity, payment, and apps is fundamentally flawed.
> The system - whose security I trust much more than a phone's - uses a small device with a camera. The login screen shows me a pattern with colored dots. The camera reads those dots, decodes the message (and probably also validates it cryptographically) and displays a message asking me to verify I want to log in.
> I enter the PIN, and it generates a response code, which I enter.
How do they protect against phishing? That sounds like the weak MFA where attackers spoof the login page but make their own connection to your bank and pass through the challenge and response, which means that a user who doesn't fastidiously check the hostname can be convinced to enter a TOTP, SMS, etc. code.
Phone-based WebAuthn systems are immune to that because they incorporate the hostname into the signing process so even if they convince you that they’re hugeb<cyrillic a>nk.com there’s no way for you to override that and give it a response which works for hugebank.com.
The same way they minimize the vulnerability when running on an exploited Windows machine?
Even if I log in, via a MITM attack, all they can do is read my account history.
Actually making changes requires further authorization. When I make a payment the screen asks me to confirm the amount I'm about to pay. The same applies to other security sensitive changes.
Still, you make a very valid point, and I thank you for pointing out the flaw in my understanding.
I still have a very deep distrust about centralizing identification, payment, and apps on a single device, and strongly dislike the inability to have physically very distinct trust levels.
> Actually making changes requires further authorization. When I make a payment the screen asks me to confirm the amount I'm about to pay. The same applies to other security sensitive changes.
That's a good answer, too, especially if that custom message can be large enough to display the name & amount. Anything to jar people out of the "I thought I was sending $100 to the cable TV company, not $6,000 to someone in India" autopilot state.
I generally agree with your larger point and wish that banks would make it easier to do things like set up a Yubikey and require it be used on any transaction over a certain amount. I've never in my life needed to make a large transaction where I wouldn't have been able to grab a token from my safe to approve it, and at some point delay becomes a security feature since it gives the bank staff time to do things like call you and make sure you really intended to do something.
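The distinction drawn in this exchange, between a challenge-response code that a lookalike site can relay to the real bank and a WebAuthn-style assertion that signs the origin the browser actually saw, plus the "confirm the amount and recipient on the device" step, is simulated below. This is an added example, not code from the thread, from any bank, or from a WebAuthn library. It assumes an HMAC over a shared demo key as a stand-in for the authenticator's signature, a constructed bank origin `https://hugebank.example`, a constructed lookalike origin with a Cyrillic "а", and constructed payment values; real WebAuthn uses per-site asymmetric keys and the commenter's bank device protocol is not known.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by the "device" and the "bank" (assumption: stands in
# for the authenticator's private key; never use a fixed key like this for real).
DEVICE_KEY = bytes.fromhex("11" * 32)
BANK_ORIGIN = "https://hugebank.example"            # constructed
LOOKALIKE_ORIGIN = "https://hugeb\u0430nk.example"   # constructed; \u0430 is Cyrillic a


def bank_challenge() -> str:
    """Fresh random challenge issued by the bank for one login or one transaction."""
    return secrets.token_hex(16)


def _mac(data: str) -> str:
    return hmac.new(DEVICE_KEY, data.encode(), hashlib.sha256).hexdigest()


# Mode A: context-free challenge/response (the pattern the reply above calls weak MFA).
def bare_response(challenge: str) -> str:
    # The device only sees the challenge; nothing ties it to where the user typed it.
    return _mac(challenge)[:8]


def bank_verify_bare(challenge: str, response: str) -> bool:
    return hmac.compare_digest(bare_response(challenge), response)


# Mode B: origin-bound assertion (WebAuthn-style): the client mixes the origin it is
# talking to into the signed data, and the bank only accepts its own origin.
def origin_bound_response(challenge: str, origin_seen: str) -> tuple[str, str]:
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen}, sort_keys=True)
    return client_data, _mac(client_data)


def bank_verify_origin_bound(challenge: str, client_data: str, sig: str) -> bool:
    data = json.loads(client_data)
    if data.get("challenge") != challenge or data.get("origin") != BANK_ORIGIN:
        return False  # relayed from a lookalike site: challenge matches, origin does not
    return hmac.compare_digest(_mac(client_data), sig)


# Mode C: transaction-bound response: the device displays amount and recipient, and the
# code it produces covers exactly what was displayed (what-you-see-is-what-you-sign).
def transaction_response(challenge: str, amount: str, recipient: str) -> str:
    shown = f"{challenge}|{amount}|{recipient}"  # the text the device screen shows
    return _mac(shown)[:8]


def bank_verify_transaction(challenge: str, amount: str, recipient: str, response: str) -> bool:
    return hmac.compare_digest(transaction_response(challenge, amount, recipient), response)


def relay_phish_scenario() -> tuple[bool, bool]:
    """A lookalike site forwards the bank's challenge to the victim and relays the answer.

    Returns (bare mode accepted, origin-bound mode accepted)."""
    ch = bank_challenge()
    # Mode A: the code carries no context, so the relayed answer verifies at the bank.
    bare_ok = bank_verify_bare(ch, bare_response(ch))
    # Mode B: the victim's browser embeds the origin it really sees (the lookalike).
    client_data, sig = origin_bound_response(ch, LOOKALIKE_ORIGIN)
    bound_ok = bank_verify_origin_bound(ch, client_data, sig)
    return bare_ok, bound_ok


def tamper_scenario() -> tuple[bool, bool]:
    """The user approves $100 to the cable company on the device; a compromised session
    submits a different payment with the same code. Returns (honest ok, tampered ok)."""
    ch = bank_challenge()
    code = transaction_response(ch, "100.00", "Cable TV Co")           # constructed values
    honest = bank_verify_transaction(ch, "100.00", "Cable TV Co", code)
    tampered = bank_verify_transaction(ch, "6000.00", "Mule account", code)
    return honest, tampered


if __name__ == "__main__":
    print("relay phishing  (bare, origin-bound):", relay_phish_scenario())
    print("tampered payment (honest, tampered):  ", tamper_scenario())
```

Mode A is what the reply above objects to: the bank cannot tell a relayed answer from a direct one. Mode B fails the relay because the origin check rejects the lookalike hostname even though the challenge itself is genuine. Mode C is the other half of the later answer: whatever a compromised session changes, the code only verifies for the amount and recipient the user saw on the separate screen, which is why that display has to be large enough to read.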
Certainly seeing articles like this about possible flaws in a centralized system, and the lack of economic responsibility for fixing issues in affected customers, ... about people losing their Google id, the monopoly abuses of Google and Apple, and the e-waste issues of depending on apps which don't support old-but-working phones (sometimes in the name of security, but more often because it's expensive to maintain old phones) ... really gives me a bad feeling about this brave new world.
I mean, clearly if someone has a remote desktop view for my machine, then they can act as me, including any check for available hardware. The same should apply for a phone, yes?
If so, that sounds like my bank will never formally support running on a PinePhone or other user-inspectable/modifiable system - they will simply say they require a full chain of trust for the OS.
I'm glad the (relatively) open arenas of macOS and Windows exist, and that people have 10+-year-old machines, forcing my bank to support alternate login methods for less-trustworthy systems.
The majority of ecommerce purchases made today are done on mobile.
And the majority of these would be secured via on-device biometrics.
The fact that this is all happening with approval of credit card companies, banks, regulators etc means that the idea that centralisation is fundamentally flawed is simply wrong.
My bank's terms of services say they are not responsible for flaws in the mobile phone or privacy issues in the store.
If there is a vulnerability, who pays for fixing it? Who pays for the new phones?
Of course the credit card companies and banks don't want to be responsible. They currently aren't, and they don't want to take it on.
Why should the regulators care yet? Using a mobile phone is still under the fiction that it's an optional functionality, where the user has agreed to take on the risk themselves, in exchange for better convenience and non-essential services.
The premise is that you keep a separate device with the sensitive stuff on it (e.g. the chip in your physical credit card, a physical ID badge), and then you can't click on a link in your email or go to the wrong web page and compromise that data because the device you use for email or browsing never has it to begin with.
Using multiple devices: credit cards for payment, instead of Apple Pay. A camera for taking pictures, instead of a camera app; a notebook to write notes, instead of an app.
From my perspective the original comment is not rocket science?
I learned from another commenter on HN when a post asks low-effort questions where the answer is common sense or implicitly understood, it’s most likely a bot or troll or shill. Best not to engage with them.
If you require someone to enter their credit card number every time they make a purchase they end up doing dumb, insecure things like storing it as a text file on their desktop.
And having external hardware just means more cables, batteries, updates to keep it secure etc.
Initiatives like PassKey, ApplePay, TouchID etc. have been a huge win for security and privacy.
Thanks, though I would say "different physical devices" not "different apps".
This also gets into e-waste issues. I really don't want multiple phones, and in any case, consumer phones are expected to be replaced every few years. A friend has an old iPhone which still works, but the local transit system's app no longer supports it. My bank's mobile app requires Android 7, etc.
I don't want to require everyone to do that. I'm fine if others are willing to accept the risks of centralization of identity, payment, and apps into a single device. I understand the benefits you say are true for many people.
I don't want to be forced into that model because I think it's too risky. I think YubiKeys and other devices which require physical device attachment to use to be too risky when I know other solutions exist (see a parallel comment, or below).
I want to teach my kids that if a phone is asking for permission, asking to verify id, asking to read complex terms of services, then you must be careful, and preferably not trust them. The current model is "identify yourself whenever the computer asks" and "click I Agree", which seems open to all sorts of abuse of power and trust.
How many people know they are giving up their rights to a trial in favor of forced arbitration? How many read the license which says to email 'law@example.com' to not waive that right? How many are able to understand the relevant issue? Effectively zero. Are high schools going to start teaching contract law so students are able to understand what they are expected to sign? No.
I also think switching to 2FA and passkeys empowers the Google and Apple duopoly. What happens if you lose your phone? How do you reestablish your passkeys?
"Simple. In your new phone, log back in to your Google or Apple account", right?
And if Google or Apple shuts down your account for some reason?
"Umm, make backups? Also have a YubiKey?"
That's a huge lock-in for the sort of people who would otherwise store their passwords in a cleartext file. At the very least everyone should be able to let their bank or other trusted third party store a copy of the end-to-end encrypted database, and that bank or third party should have an enforceable legal obligation to store, maintain, and provide that encrypted database, and new phones should be able to restore from this database without needing Apple or Google authorization, after the person has physically visited the bank or police station and identified themselves sufficiently.
And if I say I want something more secure and more portable than a YubiKey to log in?
My bank login device has had one change of AAA batteries in about 7 years. It has had zero updates, because it is not programmable. It uses a camera to read something like a QR code, a screen to read the requested task, a number pad to enter a PIN, and I can read the response code on the screen, to enter into the computer. It can work with any device, even ones without available plugs.
(And my bank is legally responsible for ensuring the security level is enough, and updating if it is not. Apple is not. Google is not.)
If I need to pull it out, I know that I'm doing something that requires extra attention and care. The rituals needed for different levels of authorization should be very different, to make it hard to get confused about what you are doing. I also have the ability to physically leave my higher authentication devices at home while I'm out for the day.
(UPDATE: acdha correctly pointed out the phishing attack possible in this approach. I do not know what the bank does to protect against phishing. But since this is a low-use service, which is unlikely to be targeted, and I am fastidious about double-checking, it seems like a low risk issue. Security through diversity.)
Why should I trust ApplePay's privacy more than I do my bank's? Is ApplePay required to follow the same Swedish privacy restrictions that my bank does? Is ApplePay equally liable in case of errors? Can the Swedish government audit how ApplePay works and confirm it complies with the same level of privacy as my bank?
Every time I look into it, it seems the answers are always "no." Maybe it's changed?
Basically, I trust international companies who have abused their monopoly position with my security and privacy far less than I trust the Swedish government.