
This is how I think it roughly works where I live: You get a per-user token directly at the bank or via mail (not email, but a physical envelope). Your banking app can use this token once to get a secret key. Secret key + user name + password allows you to use the banking app.

Any way to circumvent this requires app isolation to be broken somehow.
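The enrollment flow described above, modelled as an added example (not code from the comment or from any real bank): the server-side data structures, the challenge/response login and all names are assumptions, and the token exchange is simulated in-process rather than over a network.

```python
import hashlib, hmac, secrets, time

class BankServer:
    """Constructed model of the comment's flow: a single-use token (delivered
    out of band) is exchanged once for a per-device secret; later logins need
    that secret plus user name and password. Not a real bank's protocol."""
    def __init__(self):
        self.users = {}     # user -> (salt, password hash)
        self.tokens = {}    # token -> (user, expiry); consumed on redemption
        self.devices = {}   # user -> device secret bound at enrollment
        self.nonces = {}    # user -> outstanding login challenge

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue_token(self, user, ttl=7 * 24 * 3600):
        token = secrets.token_urlsafe(16)  # what goes into the physical envelope
        self.tokens[token] = (user, time.time() + ttl)
        return token

    def redeem_token(self, token):
        """Single use: the entry is removed before any secret is handed out,
        so a replayed or expired token yields None."""
        user, expiry = self.tokens.pop(token, (None, 0))
        if user is None or time.time() > expiry:
            return None
        self.devices[user] = secrets.token_bytes(32)
        return self.devices[user]

    def challenge(self, user):
        self.nonces[user] = secrets.token_bytes(16)
        return self.nonces[user]

    def login(self, user, password, proof):
        """proof = HMAC(device secret, nonce); the secret never leaves the app."""
        nonce = self.nonces.pop(user, None)  # each challenge is usable once
        if user not in self.users or user not in self.devices or nonce is None:
            return False
        salt, stored = self.users[user]
        pw_ok = hmac.compare_digest(stored, self._hash(password, salt))
        expected = hmac.new(self.devices[user], nonce, "sha256").digest()
        dev_ok = hmac.compare_digest(expected, proof)  # evaluate both, then combine
        return pw_ok and dev_ok

def app_login(server, user, password, device_secret):
    """Client side: answer the server's challenge with the enrolled secret."""
    nonce = server.challenge(user)
    return server.login(user, password, hmac.new(device_secret, nonce, "sha256").digest())
```

Note that this only enforces single use and device binding; it does nothing against a user who is talked into re-enrolling with a token the phisher supplied.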



Sadly, there’s a far more straightforward way. The phisher says “Sorry, your token has expired! You will need to get a new one…” Plenty of people will fall for it.

Also, I wouldn’t personally describe an out-of-band token delivery / exchange mechanism like that as “actually trivial” for apps to do.



