cross-posted from: https://slrpnk.net/post/15995282

Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-google’ approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.

Edit: had to change the title, originally it said Uber too but I cannot find back to the source of ether that’s true or not…

      • c1a5s1c@feddit.org
        link
        fedilink
        English
        arrow-up
        0
        ·
        6 days ago

        copy that - thanks for the hint. honestly, if it doesn’t work in the future, I’ll probs just cancel my account with them

  • AnEilifintChorcra@sopuli.xyz
    link
    fedilink
    arrow-up
    0
    ·
    5 months ago

    Lol I spent a week going back and forth with Revolut support in august. I could sign into the app but it would always ask me for a “selfie” verification and every time support would say its a super dark selfie.

    Eventually I decided to try a stock ROM and it just worked and I realised what was happening so I transferred all of my money out and deleted my account.

    Most local banks here are terrible at making apps, some even require a separate device that looks like a calculator to use online banking, so hopefully they wont follow suit anytime soon

    • kevincox@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      require a separate device that looks like a calculator to use online banking

      To be fair this actually provides a very high level of security? At least in my experience with AIB (in Ireland) you needed to enter the amount of the transactions and some other core details (maybe part of the recipient’s account number? can’t quite recall). Then you entered your PIN. This signed the transaction which provides very strong verification that you (via the PIN) authorize the specific transaction via a trusted device that is very unlikely to be compromised (unless you give someone physical access to it).

      It is obviously quite inconvenient. But provides a huge level of security. Unlike this Safety Net crap which is currently quite easy to bypass.

      • Aceticon@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        5 months ago

        Those little boxes are just a bit of hardware to let the smartchip on the smartcard do what’s called challenge-response authentication (in simple terms: get big long number, encode it with the key inside the smartchip, send encoded number out).

        (Note that there are variants of the process were things like the amount of a transfer is added by the user to the input “big long number”).

        That mechanism is the safest authentication method of all because the authentication key inside the smartchip in the bank card never leaves it and even the user PIN never gets provided to anything but that smartchip.

        That means it can’t be eavesdropped over the network, nor can it be captured in the user’s PC (for example by a keylogger), so even people who execute files received on their e-mails or install any random software from the Internet on their PCs are safe from having their bank account authentication data captured by an attacker.

        The far more common two-way-authentication edit: two-channel-authentication, aka two-factor-autentication (log in with a password, then get a number via SMS and enter it on the website to finalize authentication), whilst more secure that just username+password isn’t anywhere as safe as the method described above since GSM has security weaknesses and there are ways to redirected SMS messages to other devices.

        (Source: amongst other things I worked in Smart Card Issuance software some years ago).

        It’s funny that the original poster of this thread actually refuses to work with some banks because of them having the best and most secure bank access authentication in the industry, as it’s slightly inconvenient. Just another example of how, as it’s said in that domain, “users are the weakest link in IT Security”.

        • jagged_circle@feddit.nl
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          You had me until banks are secure. Most banks use 2FA over SMS. All banks in the EU require a phone number for PSD2 requirements.

          With GPG and TOTP support, its been easier to secure s Facebook or google account better than 99% of bank accounts

          • Aceticon@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            I literally said 2FA over SMS is not secure because of weaknesses in the GSM protocol.

            It’s still more secure than username + password alone, but that’s it.

            • jagged_circle@feddit.nl
              link
              fedilink
              English
              arrow-up
              0
              ·
              edit-2
              5 months ago

              Sure, but afaik all EU banks require a phone number so they can send OTPs using your phone for transaction auth. This is a mandate of PSD2.

              My disagreement is with your last paragraph. Because of this regulation, banks are horrendously insecure. If I refuse to enter a phone number when signing up for a bank account, I literally cannot get a bank account in Europe. That’s insecure despite the user, not because of the user.

              • Aceticon@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                0
                ·
                edit-2
                5 months ago

                It think you’re confusing security (in terms of how easy it is to impersonate you to access your bank account) with privacy and the level of requirements on the user that go with it - the impact on banking security of the bank having your phone number is basically zero since generally lots individuals and companies who are far less security conscious than banks have that number.

                That said, I think you make a good point (people shouldn’t need a mobile phone to be able to use online banking and even if they do have one, they shouldn’t need to provide it to the bank) and I agree with that point, though it’s parallel to the point I’m making rather than going against it.

                I certainly don’t see how that collides with the last paragraph of my original post which is about how the original thread poster has problems working with banks which “require a separate device that looks like a calculator to use online banking” which is an element of the most secure method of all (which I described in my original post) and is not at all 2FA but something altogether different and hence does not require providing a person’s phone to the bank. I mean, some banks might put 2FA on top of that challenge-response card authentication methods, but they’re not required to do so in Europe (I know, because one of the banks in Europe with which I have an account uses that method and has no 2FA, whilst a different one has 2FA instead of that method) - as far as I know (not sure, though) banks in Europe are only forced to use 2FA if all they had before that for “security” was something even worse such as username + password authentication, because without those regulations plenty of banks would still be using said even worse method (certainly that was the case with my second bank, who back in the late 2010s still used ridiculously insecure online authentication and only started using 2FA because they were forced to)

                • jagged_circle@feddit.nl
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  edit-2
                  5 months ago

                  Transmitting an OTP to the user is a security risk.

                  Banks in the EU are, in fact, forced to implement 2FA using phone numbers as part of “dynamic linking” requirement of PSD2, which makes more secure methods of 2FA (like TOTP) not allowed

      • jagged_circle@feddit.nl
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        That’s pretty typical when its a low level machine learning algorithm that flagged the account. Usually the support rep legitimately doesn’t know, and you’ll get stuck in an infinite loop

  • yoshisaur@lemm.ee
    link
    fedilink
    arrow-up
    0
    ·
    5 months ago

    man, and i was gonna switch to graphene this christmas. if every app can just ban my OS, i might have to rethink this. i would use the website but they restrict so many things to apps now…

    • Im_old@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      I was about to switch bank because for a few days my current one (inadvertently) blocked it on grapheneOS. We sent them a few emails and they fixed in less than a week.

      • A_Union_of_Kobolds@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        5 months ago

        I use a small local credit union that doesn’t appear on their supported list. It’s literally the only thing holding me back, I’m tempted to say fuck it anyway. But I wonder if it might work anyway…

    • Sips'@slrpnk.netOP
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      TBF, this is the first time I’ve encountered an app not working - and it was before this. It’s just because of Google push towards monopoly via their Play Integrity API that’s ruining this.

      • RobotToaster@mander.xyz
        link
        fedilink
        arrow-up
        0
        ·
        5 months ago

        play “integrity” should be considered malware, any program that deliberately does something the user doesn’t want it to should.

    • BearOfaTime@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      Use a browser like Native Alpha or Hermit, which present a website like an app.

      And if you use Bitwarden/Vaultwarden for your passwords, it can be pretty seamless.

    • The 8232 Project@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      5 months ago

      Well, switching to GrapheneOS shows that you don’t care what those companies do, and that you’re willing to fight. It means those companies lose one more customer. The more people that use GrapheneOS, the more companies will be forced to support it.

  • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    I don’t think it’s a coincidence that the shittiest companies are those, who enforce Google’s broken and monopolistic “Play Integrity” API. Revolut has connections to Russia, McDonalds supports the Israeli genocide in Palestine and Authy has always just been a massive piece of shit, not even allowing users to export their TOTP seeds. These are three companies I would NEVER even consider using anyway.

    And “Play Integrity” API actually does NOTHING, absolutely NOTHING for your security as an end user.
    You use an outdated, unpatched Android version with multiple severe, publicly known exploits on an insecure device?
    Google doesn’t give a single fuck.
    You use the newest version of Android with all the patches applied on Google’s own hardware, with a locked boot loader and a hardened operating system?
    That’s not allowed by the “Play Integrity” API.
    It’s only purpose is to serve Google’s monopolistic business interests.

  • ouch@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    5 months ago

    Google has ruined Android by closing it up.

    EU needs to step in and force Google to open it up.

    While at it, go for Apple’s monopoly as well.

  • BigDanishGuy@sh.itjust.works
    link
    fedilink
    arrow-up
    0
    ·
    5 months ago

    OK McDonald’s, I will not use your most cost effective ordering method. I guess I will just have to order my 10 individually custom cheeseburgers at the counter instead. I might have to have e the order read back, and change my mind about a few burgers.

    • bountygiver [any]@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      that’s just screwing with the workers though, and the workers sure as hell is not going to get paid extra for your custom order

      • Woht24@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        5 months ago

        This viewpoint is so stupid.

        The cashier is paid to take orders, whether they take 1 long obnoxious order or 3 small orders, it’s the same shit.

        People are so swept up in ‘kindness and support’ (internet circlejerking), they think that the fact you inconvenienced some 17 year old, representing a massive corporation, as a fuck you to the company that employs them, you’ve committed some moral sin against your fellow man.

        • GHiLA@sh.itjust.works
          link
          fedilink
          arrow-up
          0
          ·
          5 months ago

          the cashier

          Who is also the manager, making drinks, doing the fries because that bitch called in sick…

            • PrettyFlyForAFatGuy@feddit.uk
              link
              fedilink
              arrow-up
              0
              ·
              5 months ago

              depends on the situation. otherwise good employee who rarely if ever is sick and works hard calls in about being unable to work? absolutely fine

              Person who i know knows exactly how many days a year over how many periods of absence it will take before HR get involved using it as a second pool of paid holiday days and leaving us high and dry to deal with the things she’s paid to help the team with then yeah, bitch

              her name was karen too…

              • Dragon Rider (drag)@lemmy.nz
                link
                fedilink
                English
                arrow-up
                0
                ·
                5 months ago

                Person who i know knows exactly how many days a year over how many periods of absence it will take before HR get involved using it as a second pool of paid holiday days

                This is a dick move if you don’t tell your coworkers how to exploit the loophole too, and a heroic act if you do.

        • neomachino@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          0
          ·
          5 months ago

          That worker doesn’t want to be there, that’s likely one of 3 jobs they need to barely scrape by.

          You holding them up from doing other tasks they need to do to keep a job that barely feeds them is doing nothing but making their day a little harder. It affects the company 0%. The company is faceless and doesn’t care how much you abuse the worker bees as long as they get your money.

          I don’t know what the answer is aside from not patronizing the company at all, but I know that’s not it.

          • Lag@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            5 months ago

            If the company is always too busy, they will need to hire more workers or the existing ones will leave.

            • neomachino@lemmy.dbzer0.com
              link
              fedilink
              arrow-up
              0
              ·
              5 months ago

              I highly doubt it, if the store is too busy they’ll likely either do nothing because why would they or if it’s really bad add some robots who can handle the workload so they can get rid of those pesky employees.

              In the past few years almost all of the fast food places in the closest plaza to me have been working on a skeleton crew. Lines wrapped around the building, 2 miserable employees, upset customers, but the money is still coming in.

              Most people can’t just leave their job, even a days wage can crush a lot of people.

          • UnderpantsWeevil@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            The company is faceless and doesn’t care how much you abuse the worker bees as long as they get your money.

            Hey now, sometimes the company employs security that’s extremely bored, incredibly racist, and looking for a low income punching bag to hassle.

    • purplemonkeymad@programming.dev
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      I don’t know about other places but they haven’t had a counter for years round here. They have big screens that you go up to to order and pay, then you get a number and pick it up when called. Even if you wanted to do this, no one is going to listen to you trying to order at the kitchen.

      • boonhet@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        5 months ago

        Entirely different country, but they still have a counter in addition to the screens; the counter is for when you want to pay cash

    • Railcar8095@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      As a former employee… That does nothing. Crazies that spend 15 min to order some fries were common.

      If you go at rush hour it can be annoying to the employee and other customers, but at the end of the day nobody will remember and you would have spent 20 min and 10 dollars (which is 9 dollars material profit for MacDonald).

      Just. Don’t. Go. To. Macdonald’s.

  • qaz@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    Oh great, I guess I’ll have to change my payment info for everything now. Fantastic.

  • Realitätsverlust@lemmy.zip
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    5 months ago

    Well that’s bad. I’ve been using revolut for years now.

    Does anyone have a suggestion for a new bank that’s operating under european law?

    • Jyek@sh.itjust.works
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      Most banks restrict custom ROM and root access devices for security purposes. Same with MFA apps. I get it. From an IT security perspective, restrictions on software compatibility limit the number of failure points. Even if you find a custom OS that is more secure as an OS, it is installed through opening up your device to security risk and there is no real requirement for you to close up that security risk afterward. My company has made the same choice to restrict supported platforms for our services.

      McDonald’s app restricting the OS is probably some security decision they made because it’s more secure even when they probably don’t need it though.

        • boonhet@lemm.ee
          link
          fedilink
          arrow-up
          0
          ·
          5 months ago

          Wise has a banking license in Belgium much like Revolut has one in Lithuania.

          Wise is missing some cool things Revolut has like metal cards that require you to use an expensive plan, or the ability to buy stocks and crypto.

          What Wise has instead, is the ability to have both a REAL American AND European bank account in the same app, which you can instantly transfer money between. Revolut doesn’t give you an American bank account if you’re in Europe, idk if they give you an European bank account if you’re in the US. But Wise has both.

          Why is this so important? Well let’s say you’re in Europe, you land a side gig doing a bit of work for a big US corporation you’re connected to through your old job. You’ve got your rate negotiated, everything’s sweet. And then they hit you with the question: “Are you able to take ACH payments?”

          Now you have to google what an ACH payment is. Then you have to find out how to be able to receive them. Turns out these are internal to the US. Banks outside of the US just don’t accept them, because they’re not part of the system. But wait! Wise actually gives you an actual US bank account complete with routing numbers and everything. In your name, not in some proxy’s name either.

          Here’s a list of currencies/banking systems you can get local payments in, without going international

          Yes I sound like an advertisement at this point, but it’s ridiculous how useful this gets if you need to move money internationally. I didn’t get all the hype before I needed it, but when I did, it fit my use case like a glove.

          • jagged_circle@feddit.nl
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            5 months ago

            I have wise accounts both as a US entity and a EU entity. They give you EU IBAN and US ACH accounts no matter which side of the Atlantic you’re registering from.

            They’re the best bank ive found in the EU too, but I didn’t think they were a bank. Its important because a US not-a-bank just collapsed and a lot of people lost their life savings. The not-a-bank assured customers that their money was safe because it was being stored in actual bank’s bank accounts. This would have been true, but the not-a-bank misplaced almost all their funds and, turns out, they weren’t in their partners’ bank accounts. Whoops.

            • boonhet@lemm.ee
              link
              fedilink
              arrow-up
              0
              ·
              5 months ago

              Turns out it’s not an actual bank in the EU either, they just give you an IBAN number and everything.

              However, funds in EU are still insured at 20k per account and since they’re not a bank, they can’t be giving out subprime mortgages using your money like banks do, they have to keep it as safe as possible.

              • jagged_circle@feddit.nl
                link
                fedilink
                English
                arrow-up
                0
                ·
                edit-2
                5 months ago

                Yeah but if they’re not regulated like s bank then they could do the same thing and “misplace” funds so they’re not stored in their partners banks, and you then have 0 insurance, right?

  • mlg@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    I swear I am so close to jumping into the void of mainline linux on phones.

    The only main issue is device drivers, but I would be fine happily extracting them from android or making new ones. Modern Android is a complete full stack POS.

    • jagged_circle@feddit.nl
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Oh yeah that’s an insta-ban. And even the waydroid app devs say their security is atrocious and you shouldn’t use it for banking.

  • Dr. Moose@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    It always seems that with finance we take 2 steps forward and 1 step back. That’s why Bitcoin will never stop existing.

  • tisktisk@piefed.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    Is this not a sign of the true intentions on both sides of the dilemma here!?!?
    Let us go to the end. We cannot afford to carry on in fear of these bans. Let the lines be neatly placed and the sides chosen wisely. If sustained profits are desired, the walled-gardens must come down.

    Vote with your dollar and vote again with your data. Wary, but never afraid is the motto privacy comrades!

    • vividspecter@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      Agreed. Leave immediately to other services, and tell them why you’re leaving. It might not make a dent, but you’ll be doing the right thing at least.

  • zako@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    5 months ago

    the problem here is not the banks or apps, the problem is Google Play Integrity API, which is supposed to enforce to run apps in secured phones and it is used to ban secured ROMs such as GrapheneOS and it allows to run apps on outdated phones without security patches.

    • kevincox@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      5 months ago

      which is supposed to enforce to run apps in secured phones

      The point of the Google Play Integrity API is to ensure that the user is not in control of their phone, but that one of a small number of megacorps are in control.

      Can the user pull their data out of apps? Not acceptable. Can the user access the app file itself? Not acceptable. Can the user modify apps? Not acceptable.

      Basically it ensures that the user has no control over their own computing.

      • umami_wasabi@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        5 months ago

        It’s simply the “secure” isn’t meant for users but the cooperations. Make it “secure” to their business.

        • NotMyOldRedditName@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          5 months ago

          It’s used to help secure the businesses app yes. It helps with things like preventing resource abuse which would cost the company money. E.g. querying mass amounts of data on a loop to increase the companies bill.

      • zako@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        5 months ago

        If you install GrapheneOS, you do not need root, so GrapheneOS is in control of the phone not the user. The key here is if GrapheneOS is secure enough to be certified by Google Play Integrity API. is it security or other issue? perhaps Google is not supporter of FOSS ROMs, perhaps it is not fun of how GrapheneOS removes permissions to Google Apps, …

        If it is not security, this is a kind of monopoly to control which ROMs are allowed to run apps.

    • jagged_circle@feddit.nl
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      5 months ago

      Oh, the banks and regulators are to blame. Especially in Europe.

      Find me a PSD2 bank bank that doesn’t require a phone number

        • boonhet@lemm.ee
          link
          fedilink
          arrow-up
          0
          ·
          5 months ago

          So the Play Integrity API is literally why I moved to iOS. My bank apps didn’t work with Lineage and the stock OnePlus ROM just sucked ass after the ColorOS or whatever update. I figured I might as well go iOS if I can’t have a custom ROM anyway, and so far it has indeed been a much nicer experience than stock Android. If you can’t TRULY customize everything, might as well at least get stability and consistency out of it, right? Plus at the time, there wasn’t a single Android OEM out there with truly long OS update support.

          Anyway, if this succeeds and custom ROMs are considered to have sound integrity, I might just move back to Android. Graphene seems cool, I haven’t tried it yet because I’ve never owned a Pixel.

          • jagged_circle@feddit.nl
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            5 months ago

            How would iOS be better? There is no blob-free, secure version on their devices at all. Right?

            • boonhet@lemm.ee
              link
              fedilink
              arrow-up
              0
              ·
              5 months ago

              It’s not for privacy. But without access to custom ROMs, Android is shit.

                • boonhet@lemm.ee
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  5 months ago

                  Sure, but my point was if you can’t even use ROMs because then you lose access to your bank (and now McD apparently), there’s much less reason to use Android - certainly was so 2.5 years ago when they were mostly all promising 2-3 years of support for flagship devices and Apple had a track record of 6-7 years.