I'm not sure what your point is here. How credentials are stolen today is irrelevant to the fact that today, right now, at this very moment, banks can and do already do the thing you're worried will be possible only due to the prevalence of passkeys.
Oh my point is that their device attestation thing is security theater.
It's clearly just for getting that ISO certification.
It's a power play by the platform vendors.
The vendors are literally saying:
We now have this "security" feature and banks have to use it to be compliant and it only works on our platforms, so I guess you have to use our platform unless you want to be unbanked.
I mean, I would agree that it's not a particularly useful thing for consumer phone-banking use cases, but that doesn't mean the feature is bad (or harmful).
Just to be clear, no one is saying
> banks have to use it to be compliant
nor are they saying
> it only works on our platforms
As far as I know, if systems were to use attestation it would be in a lot of senses more open than what attestation is available today (in the sense that more devices could use it). But also I don't think anyone who works on passkeys is saying banks need to support FIDO attestation to be "compliant".