this post was submitted on 18 Aug 2023
67 points (100.0% liked)

Technology

58150 readers
3673 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
L4s@lemmy.world
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
67
OCBC Bank locks out mobile app if 3rd party apps are detected (www.zdnet.com)
submitted 1 year ago by Calcium5332@lemmy.world to c/technology@lemmy.world
14 comments fedilink hide all child comments
top 14 comments
sorted by: hot top controversial new old
[–] zurvan2@lemmy.world 30 points 1 year ago

The privacy implications of this are not cool. I'm not OK with every app knowing which apps I have installed. Or any app knowing that, frankly.

[–] viking@infosec.pub 20 points 1 year ago (1 children)

Same for DBS bank, also in Singapore. Their app, which is mandatory to generate login & transaction approval OTPs, doesn't even work on a stock OnePlus phone since it detects part of the OS as "modified".

Since I have to use that bank for my company, I had to buy a separate phone that's now sitting in my drawer 24/7 for that purpose alone.

[–] HidingCat@kbin.social 4 points 1 year ago (1 children)

WTF, I remember the UOB banking app not liking my phone being rooted and what not, but Magisk would work sometimes. But a stock phone not working is especially fucked up. Did you find out what was triggering the response?

[–] viking@infosec.pub 3 points 1 year ago

I've escalated this all the way to their app developers and in the end they told me something about permissions to draw over other apps being enabled in the default launcher, which they consider to be "malicious". So my options were to install a third party launcher and forcefully uninstall the default OnePlus launcher (via adb, since any other method would require root), or use a different phone altogether.

Now I'm using Nova Launcher anyway, but it had glitches every here and there where it would default back to the standard launcher, so uninstalling that was a risk I didn't want to take.

[–] otter@lemmy.ca 16 points 1 year ago* (last edited 1 year ago) (2 children)

Could you sandbox the banking app in the work profile with something like Shelter?

It's unfortunate for those that can't switch banks, but this would be a strong reason for making me want to switch. I'd rather skip the one mobile banking app than uninstall every other app lol

Amid the complaints, industry regulator Monetary Authority of Singapore (MAS) released a statement voicing its support for the bank's security feature, which it said aims to address risks associated with downloading applications from unauthorized sources, since these may contain malware.

Maybe I just haven't encountered it, but are there malware apps? Just trying to get legitimate apps to work sometimes means having to enable debugging, approve permissions and jump through a whole bunch of warnings. Even then apps will get flagged by Play services (ex. Those game currency spoofer apps)

OCBC was the center of a spate of SMS phishing scams last year, which wiped out SG$13.7 million ($10.17 million) from the accounts of 790 customers. Scammers had manipulated SMS Sender ID details to push out messages that appeared to be from OCBC, urging the victims to resolve issues with their bank accounts. They then were redirected to phishing websites and instructed to key in their bank login details, including username, PIN, and One-Time Password (OTP).

That's not from bad apps... If anything this new policy will make me use the mobile website instead of the app.

[–] Marxine@lemmy.ml 7 points 1 year ago

That's not from bad apps... If anything this new policy will make me use the mobile website instead of the app.

I'd also consider switching banks if it isn't too much of a hassle. They clearly can't invest well in terms of security for their users.

[–] HidingCat@kbin.social 1 points 1 year ago

Can't use the mobile website, because the OTP is generated via the app. So you'll still need the app. Standalone OTP tokens are being phased out; my bank's doing so from October this year.

[–] BuddyTheBeefalo@lemmy.ml 12 points 1 year ago* (last edited 1 year ago)

Hide My Applist (root) should make it work.

[–] chaircat@lemdro.id 7 points 1 year ago (2 children)

How are they managing to do this? Surely it requires a permission in Android to access the list of installed apps, right?

[–] sugartits@lemmy.world 7 points 1 year ago

It's a default permission which can't be revoked.

[–] outbound5231@lemmy.world 5 points 1 year ago

It might be checking for specific root-related files on your device.

[–] essteeyou@lemmy.world 3 points 1 year ago

Years ago a team I worked on came up with some ideas for how to use this ability in a music streaming service.

Just installed Tinder? Have a breakup playlist.

Just installed Airbnb? Have some travel playlists.

We didn't do it because it was such an invasion of privacy.

[–] totallynotfbi@lemm.ee 1 points 1 year ago

And here I thought DBS Digibank's anti-tamper protection was too strict. To be honest, I don't know why these banks spend so much effort protecting the app from hacking, when most fraud comes from someone divulging account information to a scammer

[–] CookieJarObserver@sh.itjust.works 1 points 1 year ago

Sound like you need to change your bank.