At a previous employer of mine, it was common to share dev accounts for certain things. These were not security sensitive things. They were there purely for dev purposes and these were things like analytics tools and stuff that the software being built had to integrate with, so they were basically development sandboxes.
Many of these tools had MFA enabled and so it was common to share MFA codes on Slack because the MFA code was sent to an email address that only one person had access to.
One lunch and learn a group of developers shared how they solved this problem by having the MFA codes pushed to a device that was effectively an on-prem server / dev box that they installed custom built software on to take a screenshot of the MFA code and broadcast it on the relevant Slack channel.
The main point of the lunch and learn, however, wasn't so much to share the tool that they had built, but to talk about how they got around the Mac OS security protections that are there to prevent this sort of thing.
My first thought was "we've just written malware."
I'm specifically responding to this sentence of yours:
> It's especially annoying when employed by the banking apps.
After my experience with that MFA code sniffer ... I know exactly why banking apps and other privacy/security-centred apps prevent taking screenshots :)
I fail to see how your conclusion follows from the premise.
Banking apps in the US don't even show any PINs for 2FA, so, why exactly is Schwab doing that again?
BTW, Google Wallet does let you take screenshots of all the views except for just one or two views where you enter card number, billing and card security code. Honestly, even that is an overreach; it's not like I can't use the camera to take a photo of my credit card with CVV in view, so, why should the camera function of any app prevent that again? Google never blocks screenshots of any transactions, last-4 of any card, or any other screens. If they ever did, I'd be far less happy with them, and would go out of my way to find an alternative contactless provider. Wells Fargo used to provide contactless on Android in their app for their own cards, but, probably thanks to Apple, this feature was removed for feature parity with iOS.
You're laser focusing on MFA sniffing, specifically. The point is that malware can take screenshots to harvest information. Your banking information has a ton of sensitive information about you that could be used for a variety of different purposes, such as for identity theft. My point was that making it impossible to take screenshots is trying to protect against the possibility that there is malware harvesting anything through screenshots.
>why should the camera function of any app prevent that again?
Because you taking a photo of it with a physical camera is intentional. Another app on the device screen recording that view may not be intentional by the user.
Starting the recording may have been intentional, but the recording of sensitive content may not be. For example Twitch streamers frequently leak their personal information by accident. If that personal information could automatically be blacked out it would save them from trouble.
I feel fairly confident asserting that users are not trained to go through the steps to enable screenshots. Blindly clicking allow is one thing. Going back and forth to enable restricted settings and then grant the permission is quite another. I use a screenshot app, and am pretty technical, and it took me multiple tries and several minutes including having to go read https://support.google.com/android/answer/12623953#allowrest... because Android is so concerned with protecting me.
Yes, by blindly clicking allow. But in this thread we're arguing about specifically problems with screenshots, which are behind much stronger permission gates that can't be blindly clicked through.
Why would headphones need contacts permissions? Where are you getting these headphones from?
I routinely deny permissions to most apps on Android, and never have any issues. In my years of using random apps, the only app I'm aware of, which doesn't work without permissions, is Capital One banking app, which refuses to work unless it gets the phone permission. So, I just 1-star Capital One in the Play Store, uninstall as defective, and move on.
BTW, where are the permission screens on iOS? Or is the blissful ignorance more secure than being able to click "deny" a few times?
Some do that, and it's super annoying. I take a screenshot, and then silently my login doesn't work, with a weird error returned instead. Get another PIN, type it in, take a screenshot before submit, again get a nondescript error that makes no sense.
Don't they star the PIN in any case?
Why exactly is me taking a screenshot of my signup process for my records suddenly a disqualifier for signing up?
If all these companies never lied to us about the terms of the deals we're signing up for, needing proof of what actually happened, we'd never be taking these screenshots.
Honestly, this whole "security" theatre ought to be investigated by the consumer protection agencies, and any app that prevents screenshots being taken, or gives these nondescript errors when someone takes it and is subsequently unable to sign-in, should be fined for their anti-consumer behaviours.
I replied to someone else with the same response. I'll repeat it here. The point of my reply wasn't to do with MFA codes, specifically, but the fact that MALWARE can take screenshots in order to harvest things, such as MFA codes or anything else. Preventing screenshots is likely, in my opinion, a defence against malware harvesting anything that way. Your online banking can present a lot of sensitive information visually that could be used for things like identity theft etc.
And yes, there are other ways that malware can harvest information and if your device has been root-kitted you're screwed no matter what. But the fact that there are 100 ways to attack you doesn't mean the banks don't see value in trying to prevent 50 of them.
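For reference, this is how an Android app actually implements the screenshot blocking being argued about in this thread. It is an added illustration, not code from any commenter or from any bank or wallet app; the activity and view names are made up. Setting FLAG_SECURE on the window marks its content as secure: the system will not include it in screenshots, screen recordings, or the Recents thumbnail, and non-secure displays (e.g. casting) show it blacked out. The flag is per window, so an app can apply it only to the view that shows card numbers or a one-time code and clear it elsewhere, which is the per-view behaviour described for Google Wallet above. It does nothing against a physical camera pointed at the screen.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

// Hypothetical activity that displays a card number or an MFA code.
// Assumption for this example: only this screen is considered sensitive.
public class SensitiveDetailsActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Apply the flag before any content is drawn so the first frame is
        // already protected; applying it later can leak one frame.
        setScreenCaptureAllowed(false);
        // setContentView(R.layout.sensitive_details);  // layout omitted
    }

    @Override
    protected void onPause() {
        // The flag belongs to this window, so it automatically stops applying
        // when another activity's window is on top. Clearing it is only needed
        // if the same window later shows non-sensitive content and you want
        // screenshots to work there again.
        super.onPause();
    }

    /**
     * Toggles FLAG_SECURE on this activity's window.
     *
     * allowed == false: screenshots, screen recording, the Recents thumbnail
     * and non-secure displays get a black frame instead of this content.
     * allowed == true: normal behaviour.
     */
    void setScreenCaptureAllowed(boolean allowed) {
        if (allowed) {
            getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
        } else {
            getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                 WindowManager.LayoutParams.FLAG_SECURE);
        }
    }
}
```

Two caveats worth knowing when judging the "security theatre" argument: the flag is enforced by the system compositor, so ordinary apps holding the media projection permission cannot bypass it, but a device with a compromised system image can; and because it is per window, an app that sets it on every screen (rather than just the card or code view) is making a product choice, not a security necessity.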
Yes, you are correct. You know what my assumption was? That everyone is competent and knows what they are doing with their phones. Obviously 100% biased judgement.