cross-posted from: https://slrpnk.net/post/15995282

Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-google’ approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.

  • jagged_circle@feddit.nl
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    13 days ago

    Transmitting an OTP to the user is a security risk.

    Banks in the EU are, in fact, forced to implement 2FA using phone numbers as part of “dynamic linking” requirement of PSD2, which makes more secure methods of 2FA (like TOTP) not allowed

    • Aceticon@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      13 days ago

      Ah, I see.

      Your point is that the use of a secondary channel for a One Time Pass is still an insecure method versus the use of a time-based one time password (for example as generated in a mobile phone app or, even more secure, a dedicated device). Well, I did point out all the way back in my first post that SMS over GSM is insecure and SMS over GSM seems to be the secondary channel that all banks out there chose for their 2FA implementation.

      So yeah, I agree with that.

      Still, as I pointed out, challenge-response with smartchip signature is even safer (way harder to derive the key and the process can actually require the user to input elements that get added to the input challenge, such as the amount being paid on a transfer, so that the smartchip signs the whole thing and it all gets validated on the other side, which you can’t do with TOTP). Also as I said, from my experience with my bank in The Netherlands, a bank using that system doesn’t require 2FA, so clearly there is a bit more to the Revised Payment Systems Directive than a blanked requirement for dynamic linking.

      • jagged_circle@feddit.nl
        link
        fedilink
        English
        arrow-up
        0
        ·
        13 days ago

        Oh the smart chip is best, its just not an option for CNP or bank transfers online

        If you send a large wire transfer from your Dutch bank to an acffount outside the EU, I guarantee your bank is going to demand a transaction confirmation. 99% of the time that’s going to be a SMS, unleee you’re using their (closed source) app on your (insecure) phone