Many banking apps require a non-rooted phone and an up-to-date OS, but even those phones can run a browser which provides access to the bank website, often with more functionality than the app.
Besides the security part, many companies use that data in their Machine Learning models. I've used it myself extensively over the past 10 years in Fintech.
As a small tidbit of information, did you know iPhone users are ~40% less likely to default on a small loan than Android users (at least in my country)?
And the differences go all the way to specific models, OS versions, installed apps, IP range, browser of choice...
Sure, but isn't this due to income disparities between iPhone and Android users? Android is available in more cheap models, so poorer groups include more Android users. A bank is going to care more about proof of income than what phone OS you use, will they not?
You can normalize data in order to isolate the effects of a given variable. Essentially, you just change the question from 'Are Android users more likely to default on a loan?' to 'Given that all other factors are roughly equal, are Android users significantly more likely to default on a loan?' and then you do some complex math I don't understand to determine whether income disparities are actually a factor or if the phone model you own affects your likelihood of repaying a loan without regard to your income.
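The stratification idea in the comment above, as an added illustration that is not from any commenter: a constructed loan sample in which income alone drives default risk, while iPhones are simply more common among high-income borrowers. The raw device comparison shows a gap; comparing within each income band (direct standardisation over constructed bands) removes it.

```python
from collections import defaultdict

# Constructed sample, not real data: (device, income_band, defaulted).
# Default risk is 10% in the high band and 20% in the low band for BOTH
# devices; only the device mix per band differs.
RECORDS = (
    [("iphone", "high", False)] * 90 + [("iphone", "high", True)] * 10 +
    [("iphone", "low", False)] * 16 + [("iphone", "low", True)] * 4 +
    [("android", "high", False)] * 18 + [("android", "high", True)] * 2 +
    [("android", "low", False)] * 80 + [("android", "low", True)] * 20
)


def default_rate(records, device, band=None):
    """Fraction of `device` records (optionally within one income band) that defaulted."""
    hits = [d for dev, b, d in records if dev == device and (band is None or b == band)]
    return sum(hits) / len(hits) if hits else 0.0


def raw_gap(records):
    """Unadjusted difference in default rate: android minus iphone."""
    return default_rate(records, "android") - default_rate(records, "iphone")


def adjusted_gap(records):
    """Device gap after holding income constant: the within-band gaps,
    averaged with each band weighted by its share of the sample."""
    band_sizes = defaultdict(int)
    for _, band, _ in records:
        band_sizes[band] += 1
    total = len(records)
    return sum(
        (default_rate(records, "android", b) - default_rate(records, "iphone", b)) * n / total
        for b, n in band_sizes.items()
    )


if __name__ == "__main__":
    print(f"raw android-iphone gap:      {raw_gap(RECORDS):+.3f}")
    print(f"income-adjusted gap:         {adjusted_gap(RECORDS):+.3f}")
```

With this sample the raw gap is about +6.7 percentage points, while the adjusted gap is zero: the whole apparent device effect is the income mix.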
Think about it this way - banks are prohibited from asking certain questions. However, if they have a strong correlation with another factor, then they can ask that and get the same result.
There are a lot of security guarantees that go away with a rooted phone, and I wonder if "in the wild" more often rooted devices are malware than user rooted.
From the perspective of a company, these things boil down to numbers. They have the data, and they can review it. If they find a correlation like that they lost large amounts to rooted phones, they will ban them.
I have had email forwarders and @protonmail.com accounts get blocked only because they are more likely to be fraudulent and companies can just block because the hassle isn't worth it.
And Big Capitalism doesn't give two shits. They drew some lines and people on your side of the line on average cost more than they produce (based on their numbers, which are likely not reliable) so you get banned.
I seriously wonder if there is any empirical evidence that SafetyNet and this Play Protect stuff lead to fewer incidents. Funny thing is that I am only rooting my phone to actually fake the attestation checks again because I want to run LineageOS with up-to-date security patches on my China phone.
You can also get a mobile PIN device from the bank that uses the chip in your card to authenticate access and transactions. This infra has been around for a while and predates using your phone for this step in the transaction process.
Where I live you could barely survive without the bank app for daily payments. Sometimes it has maintenance around 1AM, which often coincides with trying to pay a bill after a night out. Causes some scrambling to find cash, or try another bank app.
Apps offer built-in biometric login, websites don't. So that's one difference, and maybe it's also the answer to the question of why they don't allow rooted devices, which might allow bypassing biometric checks.
Biometrics may help solve a problem but they also create a new one.
Tying account access to one small, portable, highly vulnerable device with questionable reliability is an inherently bad idea in my opinion. Lose access to the device for any reason (lost, stolen, dropped, the fingerprint reader fails or the phone simply dies) and you also lose access to your account.
I prefer to simply create decent login credentials and store them only in my head --- not in an app and not in a web browser either. This way, when (not if) my phone stops working, I can immediately switch to an older backup phone without missing a beat.
I keep banking apps off my phone and run them only on an iPad that never leaves home. It's a little clumsier for scanning checks. No biggie.
Of course, the phone has Apple Pay and keychain access ...
The "benefit" of Apple Pay is that by regular use, I am constantly reminded where the phone is. The watch hasn't griped about leaving the phone home when I take a spin around the "estate" here, so I'll check on that today. Matter of fact, neither does the phone when I drive off, leaving the other Apple goodies home.
That's not really how biometric app login works here. Credentials are configured locally and used as an alternative to the existing login method. Nothing changes about how you log in with other devices; you can even still choose to use your username and password on the device with biometrics enabled.
Some banks in the EU do not even have an e-banking website (all app-only). Revolut is another example of an app-first / app-only bank, but I can think of plenty of other examples for my country.
Here in Brazil, many banks require the use of an invasive "security" browser plugin to access your bank account through the browser, and that plugin obviously exists only for desktop browsers. And it's also not uncommon to require a confirmation through the phone app whenever doing a transaction through the web.
The root cause is malware. Intercepting the online banking session in the desktop browser to steal your money used to be very common.
Related: does anyone know of a bank that allows you to waive all security and protective measures in exchange for ease of use? I would happily sign a contract that basically says "if you get hacked, it's your fault and you lose all your money no matter what" if it means no 2FA, payment verification, fraud detection etc. I'm not sure if this would even be legal in many jurisdictions though.
yea, it’s called moving your fiat currency into digital currency.
Get your wallet’s private key yoinked and wallet drained? You are done.
And you get the added benefit of a highly volatile asset! Broke in 2023, but hitting it big in 2024.
I suppose you can just move assets into a stable coin, but what’s the fun in that?
(Being sarcastic by the way)
I doubt there’s any bank willing to design a custom legal agreement for those folks. The central bank system sort of relies on these systems as part of the FDIC member requirements. By opting out, you may also be opting out of insurance on your money in case of insolvency.
It's a no brainer. But most banks are very slow dinosaurs. You could have a specific, API available account where you keep funds, and whatever happens they cannot access your whole account, just that specific, digital API enabled part. There is no risk using these. You opened it, you allocated funds, if you F it up, it's your fault.
They could even check how able you are by making you fill in forms, like they do if you want to buy risky stocks.
I don't think financial institutions are legally allowed to even offer this as an option. Plus, it would be very expensive to opt you out of the risk systems. Plus, some subset of opted-out users would still sue when they are, inevitably, pwned and some hacker runs off with their life savings.
Probably keeps their support burden lower. If your rooted Android 4.0 device can run a new enough browser, the browser might work well enough and it's on you if it doesn't. If they let you run the app, when it doesn't work, you're going to tie up their support lines.
Security consultancy companies always need to point out something that needs to be changed, even if it is not really important, to show themselves as useful.
And executives don't have enough tech knowledge to discern between security measures that are actually effective or not, so to avoid risks they just make their tech teams implement it because the consultancy said it should be done.
Had a similar situation in my current job, and unfortunately it is not something worth picking a fight with senior leadership for.
Ironically most of these companies allow access from Web Browsers (which are completely controlled by the client).
If they could force you to use a terminal with hardware issued by the bank, they would. This is the next best thing.
The website is a legacy option and it will be removed eventually. Already many banks require you to use their app in order to sign in to the website or approve transactions. New "challenger banks" are app-first. For example, Starling Bank will not let you create an account without a Google or Apple smartphone.
I also loathe that US banks don't use standard TOTP (which they could implement for free) but instead only offer SMS or app-based Symantec tokens, which are either insecure or impossible to backup.
Honestly they're just trying to cover all bases / their asses. It's a totally clueless act, but root detection is something that exists and therefore they use it. Realistically it's not making anything truly safer, but it exists in security reports and audits and whatnot, so they're putting it in. It makes managers happy.
Source: I've had to add this to some apps I've worked on. I tried convincing managers and gave up. They _really_ think it adds security. Our apps didn't even handle sensitive user data or anything. It just looked good on some security report they ordered.