That's Google's SafeNet. HSBC picked a level that causes this. Google manages the blacklist of apps.
We are rapidly losing our freedoms to the will of these companies. If they decide they don't want to they can even if the law doesn't forbid it.
People in Switzerland and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD. The US has started to sanction people for free speech resulting in de-banking.
Swiss law requires one bank (Postfinance) to offer banking irregardless but if you are sanctioned you can't use the wire system, no other currencies, no credit cards and you cant use Twint either so it's in effect useless. You can't pay for your health insurance or rent.
> and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD
What is this about? I'm a EU citizen, never heard about any EU citizen getting removed from any EU bank because of USD. Nor have I heard anyone being sanctioned by the US in the EU unless they're Russia-related somehow. Is there any link to a story about this?
People investigation Israel for war crimes tend to get sanctioned by the Americans. Because European banks don't have the necessary guardrails to block an individual account from participating in their American-facing banking operations, they have to choose between being sanctioned themselves or kicking out their America-sanctioned customers.
The real solution is for them to fix their shitty systems but I don't a handful of judges, lawyers, and human rights activists are important enough for them to make that investment.
This isn't just about being a customer to a multinational bank: this also includes European banks who do business with American banks. For instance, most credit/debit cards in Europe are based on either Mastercard or Visa. All banks I know of will allow you to pay in dollars through online banking.
I don't think there are any European banks that don't communicate with American payment providers in some way by default. It's possible that there are some that trust their feature gates enough to take on these sanctioned people (like government-run banks for those who can't get a normal bank account, i.e. because of a history of fraud and crime), but I don't think these banks will advertise that ability.
Perhaps if she'd take an Iranian, North Korean, or Russian bank account, she might be able to do America-free banking, but that's not very practical outside of Iran, North Korea, or Russia at the moment.
I'm an EU citizen and UK resident. If I were to become one of those officials, my banking situation would become much more complex. One of the defining characteristics of the EU (not that the UK ever cared, even before leaving) is Freedom of Movement, and this is a credible threat to that freedom.
When in the EU the UK was actually one of the countries (if not the country) that made freedom of movement the easiest because, indeed, they did not care. You could move there with zero involvement or knowledge from the authorities.
Yeah, moving here involved basically buying a plane ticket, and, after I got here, booking an appointment to get a National Insurance number (basically equivalent to an American Social Security number). Never occurred to me that moving to any other EU country might be harder than that.
My experience moving to Germany from the UK in 2018 was only one step harder than that from bureaucracy — two appointments, one for social security and the other for an ID card. Not even that I had a much poorer grasp of the German language than I realised was a problem*, as the bureaucracy is mostly bilingual and when it isn't has interpreters.
The only actual hard part was just that the rental market in Berlin has vastly more demand than supply.
* hopefully next month I pass a B1 exam, which tells you how hard it has been for me to get fluent.
One of Cambridge's commuter villages. Was a home owner, still am, very useful passive income.
I'm not sure about how London compares, but Berlin has rent controls so the queues for open house viewings around here can go all the way down the apartment staircase and along the street.
> Never occurred to me that moving to any other EU country might be harder than that.
I don't think it is? I moved to Spain from other EU country the same way, basically bought the cheapest one-way plane ticket I could find, spent ~1 month here before deciding I wanted to live here, then got myself the local residence card one morning and that's about it. Everything else just worked by using my passport in the meantime.
It depends on the country. And Spain is not as simple as you say. Even getting the NIE is very difficult due to the foreign police not making enough appointments available. And expensive immigration agencies hoarding those appointments to make money.
Then you need a social security number exist is different than the NIE, you need empradonamiento, you need to register with the health service and you need to set up your tax if you're going to work here (or if you live there more than 180 days of the year)
No, it is significantly more difficult in other EU countries, yes.
Here in Finland for example the process is actually no different than for a non-EU migrant (same amount of time taken for an unproblematic application, same amount of appointments). You are just much more likely to be accepted but in fact they do still reserve the right to reject people. And it is, probably unintentionally, much harder to exist in Finland as a non-resident as you can't have a bank account, can't use foreign phone numbers for most things and any phone you can get is very limited (can't call many numbers, etc). I couldn't even log into the local eBay for the first 6 months. All the Nordics I would guess are similar.
And people have contested in the comments to you that Spain is not actually so easy as you suggested...
I actually don't know any western country that is as easy to move to as the UK was pre-Brexit. I still think the UK is in fact one of the easier Western countries to move to, especially if you can't find moderately paid work
Countries with a national id system I would guess tend to be more difficult overall though. And the UK famously is not one of those.
In Barcelona it is impossible to get an appointment for the residence card. There is online booking system, but it never shows any available slots. But then there are few companies that for 50-100 euros can get an appointment.
But then even with appointment one only gets a temporary permit unless one already got a job offer. One gets the permanent card only after starting a business or buying a property or getting a work.
Also to open a permanent bank account one needs to have at least a temporary residence. Otherwise banks can only open a tourist account valid for few months.
"There is online booking system, but it never shows any available slots. But then there are few companies that for 50-100 euros can get an appointment."
^^^ shouldn't complain about this on Hacker News.
I wrote my own bot and it took a day or so.
The appointment slot came in in 30 minutes thereafter ;)
If you're an EU citizen you by definition have a permanent permit, until either your country of origin or host country leaves the EU. If you are not then woe be you, but that's a separate matter.
In theory yes, one can stay in Spain as a citizen of a EU country indefinitely. In practice for anything in Spain you need a tax number. Even to get an Internet connection at home one needs it.
I had neither when I moved, sold my things, tried to survive, ended up sleeping outside for a few days and I found a job after I moved here, not before. But yeah, there is one or two more appointments in reality, one for the social security and one for registering with your local city government, both a lot easier to get than the residence permit which can be a bit of a hassle unless you work with agencies to get it.
> Then got myself the local residence card one morning
Well, exactly. Some countries require/required registration and residence card. That did not exist in the UK when it was in the EU, you just showed your passport/ID card when you needed to prove your right to be there (basically once in a blue Moon). Even now EU residents don't have any physical documents.
The National Insurance number @pdpi mentioned is unrelated as everyone has one once they work and an appointment is not always required to get one, and you can actually start working before you get one.
If you work as an employee there is also usually nothing to do regarding tax.
Visa and MasterCard, for a start: if a bank issues any kind of commonly accepted debit card to someone who is sanctioned then what is at stake is that bank's ability to continue issuing those cards. Realistically, the bank would be destroyed by being excluded from payment networks and card issuance. So only very little banks that don't interact with anything American (you might manage this with a credit union in the UK, potentially) would be your best bet.
You can't have a credit card which makes your life miserable in the modern world even if you can find a bank : Visa, Master Card, Amex are all American.
Russia after starting aggressive war against Ukraine quickly deployed own version of payment system. And it has been working much better than Visa/Madtercards with much more straightforward integration with online services and very intuitive apps. Russian people who moved from Russia as refugees or just to escape mobilization or prosecution have found banking system in EU/UK/US are rather unsmooth to put it mildly.
Many European countries still have their own (single-country) versions of debit cards - EC card/giropay in Germany for instance - and they are often accepted more widely than credit cards.
But international travel becomes painful. (Hence EC cards are co-badged as a fall-back with Visa Debit or Maestro, impossible if you are sanctioned.)
> He cannot: open or maintain accounts with Google, Amazon, Apple, or any US company; make hotel reservations (Expedia canceled his booking in France hours after he made it); conduct online commerce, since he can't know if the packaging is American; use any major credit card (Visa, Mastercard, Amex are all American); access normal banking services, even with non-American banks, as banks worldwide close sanctioned accounts; conduct virtually any financial transaction.
Same with recently Garry Kasparov been designated a "T" by Russia. Banks simply do not take risks dealing with hot customers, as this can affect their entire business (especially if they have branches in the US).
So they rather railroad individuals that have little power, then take the risk that they will lose millions if the US sanctions their bank. Its also linked to a lot of other things.
Somebody who worked at a bank gave a description yesterday on how it works. And if your on that list, you are really in a world of hurt.
I don't think GP misread your comment at all. I do, however, think you just deliberately truncated your own quote.
Here is what you said, in full (emphasis mine):
> There were some other sanctions involving visas, but as far as I understand that did not affect the individuals' ability to bank.
And here is a quote from the article you read (once again, emphasis mine):
> Beyond the ban on entry into the US, they report that from one day to the next they could no longer receive goods, services, or funds from US companies (e.g., Amazon, Airbnb, PayPal, Visa, Master Card), along with indirect (secondary) effects on transactions with European companies as well, such as their domestic bank or a travel company.
I'm sorry this is so difficult for everyone involved. US is sanctioning EU citizens, sometimes with their banks (Nicholas Guillou, Francesca Albanese, and others) and sometimes with visas (Thierry Breton, and others).
I've updated my original post with a link that hopefully helps explain what "other" means.
Yeah absolutely - I have an account with mBank in Poland and I got a letter from them saying that I need to declare if I'm a "tax person" in the US and if yes then unfortunately they will be forced to close my account as they would have to report all of my banking to some US insistution and that's not worth the hassle of having me as a client.
That doesn't sound like "the EU are being de-banked by local banks because of US pressure" at all, it sounds like EU banks or de-banking US residents/citizens, which is wildly different from the initial claim, or how I understood it at least. I thought EU residents/citizens were being cut off from EU banks.
The reason banks do this is that if they don't comply with US tax laws they'll be cut off from all US-based banking systems including international payments (universally conducted in USD), cut off from issuing any credit or debit cards (they are all US-based networks) and the CEO will be arrested if he ever steps foot on American soil. So basically, the US is forcing them to do this and they don't have a choice unless they want to stop being a bank. It's the same situation as dealing with US-sanctioned individuals. HTH.
I am a dual citizen of Poland and USA and haven't had any problems using mBank so far. I even opened 2 foreign currency accounts (USD, EUR) there after they had been made aware of my newly obtained US citizenship. Not sure why you're having issues with them.
That sort of sanctioning is world-wide, isn't it? Not specifically targeting EU banks, but rather she's blacklisted from any bank in the world who follows those blacklisting lists, at least from what I understand it.
Parent's comment gave me the impression that this was something exclusive to EU (and Swiss) banks in particular, since they were mentioned by name.
I'm not sure, skimmed the article and came across this:
> She cannot open a bank account anywhere in the world or have a credit card, because she has been placed on the Office of Foreign Assets Control (OFAC) list of the U.S. Treasury Department, which targets money laundering and terrorism.
Are you saying this isn't true then? She's not actually on OFAC, but instead just targeted via Visa/MC?
Scan the German press, there are several cases.
Esp in the last weeks:
Interesting is - it started with right-wing people getting de-banked, now left-wing people are following for what ever reason.
EU paid Russia since the full scale Russian aggression more money for gas, oil, coal etc. than to support Ukraine. By that logic almost all EU citizens has ties to Russia as they use electricity/gas partially supplied by Russia.
The largest buyer is Hungary, which is not representative of the EU in general to put it mildly, but a darling of the American far-right. Hungary has also been blocking many of EU's support initiatives: https://www.politico.eu/article/eu-ministers-outrageous-hung...
This is doing a lot of work. at what point person starts or stops having ties with russia?
if you have any siblings or parents or grandparents or cousins or classmates or ex girlfriends who are living in Russia?
I know a bunch of foreigners with stronger ties to Russia than some of my Russian friends by this logic my friend;) especially Ukrainians and Israelis but really anywhere in the world. debank them all you say?
What it sounds like is the old USSR way "make sure most people are guilty of something so that if you want to press them you always have some excuse"
Not sure what your point is, I'm not arguing for debanking anyone related or having ties to Russia, in any way. But I do understand there are victims of other circumstances here, and that has a collateral victims (which again, I don't want, but it is the reality).
> Nor have I heard anyone being sanctioned by the US in the EU unless they're Russia-related somehow
means you heard of ppl are arbitrarily sanctioned unless there is a specific criteria for what means Russia related
Remember you were replying to
> We are rapidly losing our freedoms to the will of these companies. If they decide they don't want to they can even if the law doesn't forbid it.
I asked some questions to see how solid your reply was. seems not very. you basically say nah, no one is losing freedom, people are only sanctioned if they fit... something very vague;)
The real issue is that most "legacy" banks have to comply with stupid regulations that force them to come up with these stupid solutions.
Banks are lazy and find the quickest way to comply with said regulations - simply by enabling Google Play Integrity.
About the whole US thingie - yes, that's true, and it's what happens if you get sanctioned. I'm pretty sure russians (and other people from sanctioned countries) have similar limitations elsewhere.
In Switzerland US nationals have huge problems in opening accounts because of the whole bank secrecy law that allowed many americans to hide money from the IRS in Switzerland.
I use GrapheneOS in Switzerland and am yet to find a bank or financial app that doesn't work. ZKB, UBS, Cembra, BEKB, SGKB, WIR, N26, Revolut, debiX+, SaxoTrader, Swisscard, various TWINT apps, YAPEAL and Yuh are all installed on my phone right now and all work. Most of them don't use the Play Integrity API at all and the few that do are satisfied with the minimal level that's satisfied by GrapheneOS.
The catch is that you need Google Play Services installed and for many, you need to disable GrapheneOS' "Secure App Spawning" feature, which often trips root detection heuristics.
I know many Russians living here and when sanctions came in, their accounts became unable to receive deposits until they provided evidence of a valid residence permit. Some have problems during permit renewals as well but overall, it's nothing like as bad as it is for Americans.
If they get enough complaints "the app doesn't work, please fix it or close my account" they'll fix it because they don't want to close more than a few accounts.
> We are rapidly losing our freedoms to the will of these companies
which companies? google? I'm the first to blame them for almost anything, but how about Postfinance, twint, health insurers, landlords, all those companies you mention? shouldn't they offer ways to do business with them that does not involve some third party? - for example, OP mentions that hsbc website still works for them on android, this is more than what can be said of other banks that basically removed certain "sensitive" features from their homepages. Or practically all the neobanks who 100% rely on apps.
Even those governments you mention: how hard/easy do they make for citizens to engage in commercial activity without relying on third parties or adversarial systems?
I know the argument used by all of them - companies, governments: we are just "following the rules enforced on us (as interpreted by our lawyers)".
Everyone goes to the "simplest" target - Google in this case - to blame for the status quo, but Google is in this position because everybody else - consumers, companies, governements, etc - buys into the "convenience" and neglect everything else.
>The US has started to sanction people for free speech resulting in de-banking.
The sanctioned people were "hate-speech" fighters. Which is the most Orwellian branch of Brussels machinery. While it irks me on pure power level, you could hardly imagine people more deserving to be taken couple of pegs down.
I can't find anything about this in the API docs for neither the old SafetyNet nor its replacement (Play Integrity), can you show a source for this being related to SafetyNet? I'd like to see Kore details on this API and the apps it blocks.
> People in Switzerland and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD
That's not quit accurate.
American citizens will indeed have a very hard time to open a bank account in Switzerland. But the reason is not so much free speech than FATCA (Foreign Account Tax Compliance Act) [0] [1]
The requirements to host bank accounts for Americans are so onerous that banks rather forgo business with such clients than having to deal with the legal mess it incurs.
Another reason for a bank not wanting to deal with customers are if they are on a sanctions list. People winding up on such lists usually don't do so, because they said something nasty about Mr. Trump.
This, alas, may change if you look who got sanctioned in recent times just for raising the ire of the president (such as EC commissioners or ICC judges).
Any sovereign country can come up with whatever sanctions they want. The only reason the US ones have such broad reach particular in Europe is due to Europes hopeless reliance on US financial system, infrastructure and capital. Stop using eurodollar and us debt markets and sanctions would be much less impactful
I can confirm that the Postfinance app doesn't work on graphene. I left some feedback and they said they're working on it so maybe there is hope. But as such I need to keep an old iphone around for banking apps.
Also being an American in Switzerland trying to do banking is eye opening. Local banks mostly tell you to pound sand when they find out you're American. Regardless of this or that administration, the US is really totalitarian when it comes to finance and taxes.
They flag "sideloading" - or anything installed by anything outside of their store.
They don't always flag it. Only when SafeNet is set to paranoid levels. However, sideloading is considered a risk for some reason. Even if sideloading is a synonym for "installing".
>Swiss law requires one bank (Postfinance) to offer banking irregardless but if you are sanctioned you can't use the wire system, no other currencies, no credit cards and you cant use Twint either so it's in effect useless. You can't pay for your health insurance or rent.
What's funny is that this particular jurispudence was actually enforced due to a Russian oligarch (Vekselberg) on a C permit.
I am not sure regarding the rent and the health insurance, the health insurance especially as it is a legal requirement.
> Dismantling off-shore banking is generally a good thing since I'd like the ultra rich to pay tax as that funds services that I use.
There are lots of uses to off-shore banking than tax-evasion. In fact, I don't think it's feasible to use any modern (CRS/FATCA compliant) banking for tax-evasion.
Do you think US pressure is behind the push for online censorship across the West? It seems to be a coordinated effort in many countries, whatever it is.
The US doesn't need to pressure other nations to apply online censorship, because Facebook, Reddit, Instagram, Twitter, Youtube, Twitch, Google and Apple app stores, Steam and suchlike are all American, and censored in line with American norms.
Concerning an apparent coordinated effort it might be more complicated than that. The EU and Australia have always been on the verge of sweeping censorship. Look up "Zensursula" [1][2] and the censorship list that was about to be introduced in 2008 and that, for legal reasons, was illegal to even be looked at by journalists. Back then there was significant public backlash and also indirect cristicism by the US government [3].
Today there is no such criticism from the US because censorship is something that is also of an interest to the christian backers of the current government.
When the cat is out of the house, the mice dance on your dinner table.
Of course it is. Trump is actively trying to censor LGBTQ events and DEI at European companies, they will get blacklisted from selling anything to the US federal government.
When it comes to this kind of thing, an injury to one is an injury to all and we need to not tolerate it. At minimum, we need regulations guaranteeing that Visa and MasterCard, as well as participating banks, aren't allowed to debank anyone without judicial oversight. Make the same true of apps: call it a Banking Access Tribunal.
She's a UN Special Rapporteur on Palestine talking and writing about Israel-Palestine war in such a biased way that many, including me and US State Department led by Rubio, consider her a mouthpiece of Hamas. The system is what system does and person is what a person does.
You might agree or disagree about her de-facto supporting Hamas, or if US State Department (i.e. Marc Rubio) should sanction her for what she does but it's so dishonest to claim that it has anything to do with Trump.
So Trump can support war criminals like Netanyahu, but when someone says Israel shouldn't colonize Palestine and practice appartheid, she becomes a mouthpiece of Hamas? Get your facts together.
It's fair to assign the blame for actions of the executive branch of the US government to Trump while he holds the office of president. The policy of sanctioning people for being too critical of Israel required his assent whether or not he made the call to apply it in this case or delegated that to a subordinate.
Especially problematic is that her actions would be unambiguously protected speech under US law if she did them in the USA.
Condemning the 7/Oct attacks as an unacceptable act of terrorism is "being a mouthpiece of Hamas"!!! Fucking _disgusting_, and many stronger words I'm trying my best to contain.
We're reaching levels of wretchedness that I've never thought possible. Truly no shame anymore.
It doesn't. I don't know if she's an antisemite, but unless the bank dumps her for being one and an Italian judge agrees that they're allowed to for that reason, this is a clear result of foreign political influence.
Calling the UN special rapporteur for the Palestinian territories a "vile antisemite" sounds a lot like trolling, though.
First of all you need to provide some proof because being against a genocide is not antisemitic. Hating Israel is not antisemitic even if Bibi wants you to believe that.
Second of all, what happened to free speech? In fact I can list several actual antisemites currently operating freely in the US political discourse who are gathering larger and larger audiences. Why aren't they being sanctioned?
First they came for people who terrorized a music festival?
The only thing more naive than thinking that everything is a slippery slope is being blind to other things turning into a slippery slope (like closing your eyes to Islamist ideology)
Are you fucking joking? "They came for people who terrorised a music festival", really?? Did Francesca Albanese participate in the attacks of 7/Oct? Did she even, at any point, describe those attacks as anything less than an act of terrorism? It is simply not possible that you are this dense; you simply MUST be aware of the utter hogwash you are saying, and be fully aware that you're saying it with the intent of discrediting people who denounce a reprisal genocide that has killed 100,000 people in two years.
Fucking repugnant. How do certain people sleep at night.
You're the one advocating to help people whom not even their neighbours who share the same religion want nothing to do with it so I think you're the one who's joking
Just looking at the punctuation here makes it easy to guess you're fuming. No rational arguments, twisting the narration, moving goalposts and then frustrated because it doesn't work here, on HN.
You might want to find another outlet for that, why kick up the blood pressure this much?
Irrelevant. I'd prefer laws and the courts to decide punishment for transgressions, rather than the arbitrary whims of a quasi-fascist. I'm old fashioned, I know.
To play devil's advocate for a moment, could this not be a risk?
Is Google implementing a rule which blockes any 3rd party app which wants access to things like the keystore (which could be reasonable), or are they deliberately blocking Bitwarden?
Given there is a choice, and given HSBC is on the hook if you get hacked in most jurisdictions, it seems fair to chalk this one up as a stupid move by HSBC that's nevertheless within their rights.
HSBC is on the hook if I get hacked? I can't think of companies having to pay up because their customers got hacked because of their doing. Let alone if it wasn't directly their doing. Solarwinds was for example never forced to pay a dime.
> HSBC is on the hook if I get hacked? I can't think of companies having to pay up because their customers got hacked because of their doing. Let alone if it wasn't directly their doing. Solarwinds was for example never forced to pay a dime.
Even if they are not on the hook, there is still the hassle/overhead of dealing with the fraud (e.g., opening an investigation), and/or the bad press when a customer gets hacked and you refuse to refund money per the terms of service:
This is both good and bad. It's good because fraud is rife and the banks had little incentive to do anything about it. It took them absolutely years of foot-dragging to add a system that verifies the name of the destination account holder when you transfer money between accounts. It's bad because the reason fraud is rampant is that the police do nothing about it. It's the crime you can get away with. The government saw the easy way out: rather than organizing and funding the police sufficiently, let the banks deal with it.
In the UK, yes, banks are on the hook if _you_ get scammed. It seems the bar for them to prove that you were at fault is too high so in reality the banks just make the decision on what you can buy for you.
A good few years ago now (when it was possible to get something in good condition for such a measly sum) I was buying a car from a private individual. The transaction was in cash. You can't take £1500 out from an ATM, unless you spread it over multiple days, and probably doing that would also get you flagged. So I went to my bank (also HSBC coincidentally) and they required me to tell them what I was buying with that money.
Now I could have lied, of course. But they could also have just told me that I can't take cash out if they didn't believe me.
If you look around, there are news stories of people being denied access to their own money because the bank decided it was too risky.
You can get kicked out of a bank for being too risky. And there's not even any legal requirement in the UK for a bank to offer you an account. Or well, there _is_ but like with all UK regulations which protect the individual, it's full of caveats. You are entitled to a Basic Bank Account (BBA) if you can't get any other account except if you can't verify your identity/residency, or you have a history of financial misbehaviour, or if you are too closely associated with terrorism. So I guess homeless people or pro-palestine protesters aren't allowed bank accounts.
Yes you might, because Bitcoin doesn't solve anything correctly (notably, its value is so volatile it can't be relied upon), while consuming an absurd amount of energy.
By design, it made its first users stupidly rich, which is not a good characteristic.
More importantly, it's a technical solution for a societal issue (aka, it's not at all a solution).
Plenty of UK banks that don't require this, and whose apps will also work on a rooted device. Monzo will display a warning that sets out the fact there's an increased risk, and then lets you be an adult and choose to continue to use the app if that's what you want to do.
The best part is that the Current Account Switching Service makes it very easy to make the jump from a legacy bank like HSBC.
This was not my lived experience. I wanted to use the most common banks and most would not let me use it.
Chip contacted me at one point via their live assistant randomly without my doing and told me to stop using the app because they would soon be enforcing that rooted devices would no longer work. I continued to use the app rooted and nothing came of it.
Barclaycard, Nationwide and others don't let you use the app or require some circumvention of their detection to allow access.
Sure there are plenty of other apps, but those apps and banks have a worse product I found.
They've all started cracking down, in the past year the Barclays and Lloyds app have broken on my phone.
TSB still works for now, but even for a bank they're technologically incompetent so I'm going to just assume they're behind the curve rather than willingly not using SafetyNet.
The only one I would bank on still working in the future is Monzo, since, like you say, they detect it and just give you scary warning and let you continue.
Barclays have always played silly games with this stuff, they used to fund a whole team whose job it was to waste time on security theatre (this was nearly ten years ago).
My wife has tried to use a flip phone just for nostalgia's sake and she has a newer phone that supports android 14 (technically android go 14) and thus should work with most basic apps. However, one of her banking apps refuses to work claiming an app is screensharing (the POSB bank app thankfully identifies it as the "android system" app.) likely what is occuring I think is the second screen is drawn using some sort of thing that is reported as screen sharing, that POSB thinks could be malware.
Of course, asking POSB for help has lead to nothing being done. By and large the biggest threat to people finance wise in singapore isn't malware but are scams (what is called "pig butchering" in America is rampant here) whilst malware is always a threat sometimes I feel like just refusing to function is problem due to overzealous viligiance to a low probability threat.
If you've ever built a website for mobile but never heard of PWAs (Progressive Web Apps), I recommend checking them out. In essence, adding 2 files can make the site installable from a mobile browser and define caching behavior for offline functionality.
1. manifest.json: a JSON file that defines the app's name, icons, theme colors, and how it should launch when installed.
2. Service worker: a JS file that controls things like resource caching for offline usage
Unfortunately PWAs don't receive first class support compared to native apps. Still, I still hope to see wider adoption. I think for many not-too-complex apps, they can significantly lower the cost of development, and the development experience could be as simple as
- Building with HTML + JS + CSS. No clunky SDKs, reduced need to test on painfully slow emulators or expensive physical devices
- Installable from a browser. No need to maintain a listing in the Playstore/App Store, avoiding policy headaches, rent, etc.
PWAs have been around for several years, and have never caught on despite all the discussion about the evils of app stores, drama with side loading, etc. They're a fine solution, but not a good fit if you're expecting "normal" users to use the app.
It's still possible, you just need to declare which other apps you query for. Even then, there are loopholes that still let you query for all apps installed on the device.
> Apps that have a verifiable core purpose facilitating financial-transactions involving financially regulated instruments (for example, dedicated banking, dedicated digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
> Real-money gambling apps where the core purpose of the app is real money gambling and where the app requires broad package visibility in order to comply with technical standards mandated by applicable geofencing regulations.
I presume that's to allow the gambling apps to make sure you don't have a location spoofing app installed?
13 year olds can get groomed and addicted to gambling, be they at home, school, or a bus stop. But God forbid you install an app outside the approved™ app store®, citizen. What a world.
> I assume HSBC are using the "antivirus" use case.
There's an exception for banking apps
> Apps that have a verifiable core purpose facilitating financial-transactions involving financially regulated instruments (for example, dedicated banking, dedicated digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
Tangentially related, but some banking apps also implement their own in-app keyboard in their password fields, making password manager unusable and basically forcing me to use a easy to remember (to guess) password.
Yup, mine does this, even on the web. Oh god French banks do love their scrambled-digit-keyboards. And boy do they love 6 to 8 digits passwords. That you have to click on using your mouse. No password manager required!
Their app also likes to prompt me periodically for the password instead of the phone's biometrics, which would be good, except it always happens in a public place like the subway, which is the last place I'd want to enter a 6 digit code to my bank account on a scrambled visual keyboard which slows down typing to a point it's trivial to write down (instead of letting muscle memory do its job). Also, it seems like those apps did not get the ATM memo of giving visual/audio feedback on a random delay to user input, to y'know, not letting glancers know what you actually type.
AFAIK this trend of visual scrambled keyboard on the desktop started when keyloggers were rampant. They quickly adapted to screenshot the 20px around the mouse on click when on a bank website. The banks never adapted.
On the same tangent. My former bank forced me to use a 6 - 8 digit password with only numbers allowed. Not sure if in the few years since I am not a customer anymore, they changed this policy, though.
HSBC still operate a perfectly functional website for banking.
The more people who continue to use this, the better. It sends a clear signal that customers prefer the open web over restrictive and inconvenient mobile apps.
I’m also hanging on to my bank’s physical RSA fob as my 2FA, instead of using their app based version.
At least in UK, you'll need a physical token to do that. And you can't have both app and token. So if you had an app that is now not working, it'll take some time to get a token and restore your bank access.
There is actually mobile banking for these cases. Which at least for HSBC requires your account details, a (Up to? I don't know the minimum) 10 digit (numeric) pin and you have to say "My Voice is My Password" which sounds like complete theatre.
My country launched an identification app (https://mygov.be/) that does the same thing. I have no idea what they're trying to achieve. Security through obscurity? Trying to piss off power users?
I'm a developer and use adb and some dev settings daily. Annoying af to have to disable developer mode constantly.
It's fundamentally client-side security: the phone tells the server "no, I haven't been rooted" and the server believes it.
Any security system that relies on any form of client-side security is going to have other problems as well, since its designers haven't grasped this basic principle.
Banks in the UK take partial liability for their customers succumbing to scams, and refund lost funds unless customers go out of their way to ignore warnings.
Loss of control of devices is undeniably part of the scam lifecycle. Faking and intercepting messages from banks is a large part of that. An antivirus needs global permissions.
All of that being true, you don't have to be a contortionist to understand why they might want to lock down client devices as far as they can. Google happens to offer them an easy method.
Isn't it funny how most banking apps do all this borderline malware crap, yet most banks also have online banking that you use through a web browser that they have no technical means of "trusting"?
Keep in mind this is also often caused by arbitrary "security" consultants that crap out a list of stuff you need to implement. Like jailbreak detection and the like.
One I repeatedly got back in the day was hilarious: "After uninstalling the app credentials stay present in the keychain". Yes thanks genius, I don't get to run code on uninstall.
I recently came across Open Web Advocacy (OWA) who summarize my mobile-platform concerns well. They "advocate for the future of the open web by providing regulators, legislators and policy makers the intricate technical details that they need to understand the major anti-competitive issues in our industry and how to solve them."
Their top 3 priorities:
1. Apple's ban of third party browsers on iOS is deeply anti-competitive
2. Web Apps need to become just Apps. Apps built with the free and open web need equal treatment and integration. Closed and heavily taxed proprietary ecosystems should not receive any preference.
3. All artificial barriers placed by gatekeepers must be removed. Web Apps if allowed can offer equivalent functionality with greater privacy and security for demanding use-cases.
Most of them switched to stupid apps described above. 6 to 8 char passwords, 6 char PIN codes etc. I don't know how they pass security audits, unless the audits are merely a protection tax.
Problem is that you need to buy a new one of them once they do not get updated anymore, and the apps start requiring newer versions of android.
But yes, this seems like the best possible option - also it enables the extra security through clean separation, as long as the phone is dedicated for that use case only.
Most banks do this, they won't let the app run if you have developer mode turned on as well, even if you're not using it for root (or anything else in the developer menu)
Ditch apps on your phone and pick banking that gives good, robust online banking. I was cut off by Starling for something similar and had to choose between a factory reset of my phone and my bank. I explained that my phone had free software on it, some of which I'd written, and it made no difference.
Apps are a tool of control and surveillance and it is time we stopped tying ourselves to them. Dumb phones or degoogled operating systems (like e/OS/) are probably the answer here.
Ah. I've never come across this in the US - every bank I've seen also has a website. The only thing the apps do that the website won't is mobile check deposit typically.
We can't let banking apps invade our property.. things like banking apps need so much control in order to be secure that they need to exist on dedicated devices.
Bank security has and never had anything to do with real security. It's all stupid audit checkboxes and missing forest for the trees. I've dealt with PCI and similar auditors and I wouldn't trust them with my gym locker combination.
My only solution is to have multiple accounts, spread the risk, and rely on legal protections and bailouts when they inevitably screw up.
In Spain (I think the whole Hispano-America by proxy) the BBVA's banking app just allow a 6 char long password. This is bullshit. Also, if you try to root the smartphone the app might disable itself.
I'm tired of this. Can't wait to a good cyber attack from Russia+China so the whole security theater crumbles down (and in China too because of the social credit) until the civil rights get restored back.
That's not really necessary, though I understand why banks are doing this when they're held responsible for their customers' inability to spot fraud before hitting the "transfer my life savings into a Bitcoin wallet" button.
Having a dedicated "banking device" is a good solution for power users, though I'd probably just switch banks if my bank tries to pull that bullshit on me.
If Google can allow apps to block screenshot capability then it should also allow specific set of apps like financial apps having an option to block overlays too. It doesn't have to be all or nothing.
But the user needs to be able to override this faulty check, albeit my solution is to never let any app decide what I can have on my device by not installing the app.
EDIT: there's also Android Protected Confirmation that works in the TrustZone so apps can't display over that. It was made exactly for apps like banking apps, so they should use it.
This is "protect the users from themselves" as-a-feature to prevent scammers from using malware to obscure their scams. Letting the user override the warning would make the entire feature useless.
Using overlay permissions, it's relatively simple to trick someone into transferring money by overlaying a different UI that the malicious app makes the user type or paste into. I believe blocking access to the app while such an overlay is present makes a lot of sense. Trusting apps from Google Play to do this while blocking other install sources would be an obvious mistake, though.
I'd argue this feature shouldn't exist (because of things like the API you mention) but having a user override doesn't make sense here.
The problem (for the bank) is they are now liable in the UK[1] if you are defrauded because someone installs malware on the phone. There's basically zero upside for the bank to allow customers to use F-Droid, since probably 0.0001% of their customers would do this, compared to a vastly greater number of customers being tricked into installing random malware on their phones.
Accessibility settings are a tricky one since that's a separate law. I wonder if they whitelist screen reader apps from the official app store. Anyway that's not the case in the original article.
risk management is all about what the bank is willing to trust.
in this case it decided it was risky because have any information on the provenance of your overlay, but you could source an overlay from somewhere they trust, like the default app store.
Probably not, because whatever Google is calling its remote attestation scheme this week (SafetyNet? Play Integrity?) has a way to check where the app was sourced and whether it has been altered.
Google is an asshole for making this. When Microsoft first proposed a scheme like that for PCs under the name Palladium, everyone knew it was a corporate power grab. Somehow, it got normalized.
Whatever. They're just going to tie it to age verification, so it's only more control, only of the EU flavour. Might be an alternative for some people though.
I've worked with digital and smart tachographs and seen their security implementation. Its not pretty, mirrors EU bureaucracy. If Franz Kafka wrote specs, those would be it.
We are rapidly losing our freedoms to the will of these companies. If they decide they don't want to they can even if the law doesn't forbid it.
People in Switzerland and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD. The US has started to sanction people for free speech resulting in de-banking.
Swiss law requires one bank (Postfinance) to offer banking irregardless but if you are sanctioned you can't use the wire system, no other currencies, no credit cards and you cant use Twint either so it's in effect useless. You can't pay for your health insurance or rent.
reply