this post was submitted on 01 Jul 2024
32 points (92.1% liked)
No Stupid Questions
2308 readers
55 users here now
There is no such thing as a Stupid Question!
Don't be embarrassed of your curiosity; everyone has questions that they may feel uncomfortable asking certain people, so this place gives you a nice area not to be judged about asking it. Everyone here is willing to help.
- ex. How do I change oil
- ex. How to tie shoes
- ex. Can you cry underwater?
Reminder that the rules for lemmy.ca still apply!
Thanks for reading all of this, even if you didn't read all of this, and your eye started somewhere else, have a watermelon slice ๐.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Phones are generally seen as more secure because they're less likely to have malware and the apps should be running in their own sandbox, meaning it's more difficult to see what each app is doing and so theoretically it's more secure.
Most desktop operating systems do not have sandboxing in place, have known malware that could be installed much easier than on a phone, and harder to verify that the system is secure. This is doubly so taking into account that basically the only way to use the banking information is through a web browser, which could have any number of junky web extensions installed.
While things are incrementally changing on the desktop front (mostly on Linux with Atomic distros, Flatpak/Snap, and Firefox container tabs), most banks are only familiar with Windows and macos, and since those two have the most security risks, they'd rather play it safe with the relatively more standardized, theoretically more secure phone OS.
To add to this:
We have to differentiate between physical and cybersecurity.
Are you more likely to physically lose your smartphone you carry around with you all day than your full ATX desktop standing in your office? Yeah.
But let's consider the consequences for a moment.
If someone physically stole your desktop, chances are that at least a part of your data isn't encrypted, the boot sequence probably isn't (at least completely) verified, and your OS is wide open. There is little to no real isolation in most desktop setups. Once somebody managed to gain access to your system, it is outright trivial to steal your browser sessions, modify commands or run some code, at least in userland.
Physically stealing your smartphone is easy. But a modern smartphone is usually protected by verified boot and a password+fingerprint/Face ID combo. Unless you take active steps to compromise the security of the phone like rooting/jailbreaking it, disabling verified boot or disabling the passcode, it's pretty hard if not near impossible to gain access to your data or modify it in a harmful way. If you visit an infected site or install an infected app, the damage is usually confined to that app's data and the data accessible to it by permissions you probably had to allow to be set in the first place.
Now that's speaking to your usual bad actors and usual setups. Exceptions, as always, make the rule. As soon as a sufficiently motivated and technically able actor with access to 0-day exploits, like a state actor, targets you for some reason, all bets are off. But even in this case, due to the advanced verified boot chain on most modern smartphones, those exploits rarely have the ability to survive beyond a reboot.