
You could ask that question the other way around. Should the bank allow people to put up a fake front for the ATM recording the customer's card and PIN?

Not all problems can be solved server side. And no bank is going to come into anyone's house. But they need a reasonable assurance the environment the customer uses to conduct their business is safe and trustworthy. It's either that or no mobile customer service at all. Or everyone needs a "digital driver's licence" which I think some "IT people" I know wouldn't even pass for.

Phishing is a real threat. It might never ever happen to you. But a lot of people thought just that and got phished anyways because they were taught to trust certain signs (e.g. green padlocks).




> Should the bank allow people to put up a fake front for the ATM recording the customer's card and PIN?

This is a false dichotomy. The hardware attestation for SafetyNet is orthogonal to being able to use hardware attestation for e.g. session/user keys, or even chain-of-trust down to the fingerprint sensor level.

Keys can be kept secure using secure enclaves even if the OS is rooted.

Blocking rooted phones with SafetyNet is just spite.

Not to mention, an ATM is property of the bank and is shared-use. The user is not the owner. The phone belongs to the user.



