alt Hacker News> If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.
Now that's just not true now, is it? Sure the lawyers told you that (the ones that get paid to tell you that), but nowhere in EU was a bank actually fined for not root checking a device.
They were plenty fined by being utterly incompetent with security practices and doing them poorly - like trying to inject wierd .SOs to do the root detection you're defending.
Replies
No bank got fined for not root checking, correct. However banks are on the hook for unauthorized transactions. And "unauthorized" means different thing in different countries.
In some jurisdictions if bank can prove that transaction was made with customer's key then customer can not demand their money back. That's the best case, but there are only few of such jurisdictions and even there the burden of proof is on the bank and it costs a lot.
In other jurisdictions bank must reverse a transaction even if it was proven that the transaction was signed with a legitimate key, but the key _may_ have been stolen.
In some jurisdictions (i.e U.S.) banks are required to reverse a transaction at a customer’s request, even if the customer does not dispute having made the transaction.
In any case dealing with all this is too expensive and risky.
Literally three days ago: https://www.complianceweek.com/regulatory-policy/eu-agrees-r...
"Payment service providers (PSPs) operating in the EU will have to cover customers’ losses from fraud if their fraud protection regimes are inadequate or poorly implemented under new EU rules."
Other places like the UK had such rules already.