From what I've gathered, they've decided to make this completely unusable without a Google- or Apple-approved smartphone. Horrible! Are individual banks even allowed to make that an option for clients? Though even if they are, I doubt any will.
I would LOVE a PayPal alternative, but this is just not it.
If it works, it's by happenstance, not officially. According to the link above (official FAQ):
> If the operating system is an Android variant (also called a 'custom ROM'), such as LineageOS or Pixel Experience, then the wero app can’t be installed for security reasons.
As long as it works on a degoogled Android phone I'm fine with it. Maybe someone in the supported countries with a GrapheneOS or /e/OS phone can confirm?
Edit: for some banks it will just forward to the bank's app. So most likely it works as long as your bank supports degoogled Android, similar to how iDEAL + Tikkie works on degoogled Android with most Dutch banks.
> I’m seeing this error message: "Your device does not meet our security requirements".
> /../ If the operating system is an Android variant (also called a 'custom ROM'), such as LineageOS or Pixel Experience, then the wero app can’t be installed for security reasons.
The thing is, with most banks you aren't even allowed to use the Wero app that has this Play Integrity restriction. The banks integrate Wero directly into their own apps. So it's mostly up to your bank.
It does not say anything about remote attestation, only rooted/unlocked phones. Most likely it works fine if you run GrapheneOS with a locked bootloader.
Many European banking apps work fine on degoogled Android like GrapheneOS or /e/OS, as long as you have locked the bootloader and disabled USB debugging.
This is not a wallet (the name is a bit confusing). Wero (like iDEAL, which it is partly based on) is an online payment system directly backed by your bank account. This is an app that uses the Wero system for doing P2P payments (like Tikkie in The Netherlands).
Most likely, Wero (like iDEAL) will also support alternative apps for P2P payments.
Also, Wero will support in-store payments in the future, making Google Pay/Apple Pay unnecessary [1], which is a big win.
[1] Strictly speaking it's unnecessary now as well, but then each bank needs to implement its own NFC app and most simply opt for Google/Apple Pay.
On smartcards, yes; maybe on Android, but certainly not on iPhones. On iOS, it's only been possible to implement alternatives to Apple Pay since 17.4 (2024), and only in Europe (EEA).
But they already had their own solutions that worked just fine. I can't see how switching to integrate a new system instead would save on dev costs. There surely must be some other reason?
It can be both; the plumbing is straightforward, simply a matter of will to implement. UPI in India, Pix in Brazil, FedNow in the US, etc. Trimmings are things like paying via QR code and alias support (phone, email IDs). Pix had native alias support; Wero is alias support on top of SEPA Instant payment rails (with a ~ten second settlement SLA).
This gets you to utility cost recovery fee structures and sovereignty over your payment infra, versus other countries controlling your value transfer capabilities.
Oh, awesome, thanks. For someone like me who does not own a phone, this is valuable information. Now I know that I don't have to waste my time looking into this.
Thanks. Android 9 is the lowest they go version-wise (which is ancient, 2018), but they don't say anything about Google requirements, which is the real barrier.
This is a regulatory thing: devices used for instant payments should be somehow attested and be authenticated (or be a physical device the bank issued, e.g. your card).
It's a difficult thing; we don't want to have to force smartphone choices, but the number of users without one of these devices is so vanishingly small that it's very difficult to change the legislation in order to support them too.
I think the happy middle ground is making this system also work with bank issued cards.
This is not true. Many European bank apps allow instant payments and work without Google's remote attestation. They typically require a locked bootloader. I am in The Netherlands, use GrapheneOS and do instant payments all the time.
(GrapheneOS does support remote attestation, but the app needs to add their verified boot key fingerprints.)
This is great news if it's true; these regulations are so hazy it's maddening. Even though I'm being downvoted, I am actually on the side of removing these barriers; I was just sharing what I was made to understand by my bank. shrug
All Dutch banks for example? I do instant online payments and P2P payments all the time with a degoogled phone. My VISA credit card app (ICS) also works fine.
I can't pick up a slab of beer at Albert Heijn because it requires Google Pay. But some banks (I think Rabobank) have their own NFC app and then it works fine.
But instant online iDEAL payments etc. work fine. Person-to-person payments using Tikkie/betaalverzoek as well.
Put differently, I never use my bank's web interface, only the phone app.
I don't see why a smartphone plus NFC-enabled token device wouldn't work within the regulation. We should go that way (or any way decoupling Google & Co. from it), because we should be prepared for US companies to be forced to act unreasonably by an unreasonable leader.
There's technical possibility and then real world practicality.
For the same reason, a pure WebAuthn flow in a compliant browser could technically implement secure payment confirmation mandated by the DSP, but afaik no bank does that, and the W3C is still working on the spec.
Our governments can't even manage not to depend on Microsoft/Google/AWS (and Palantir, the US military industrial complex, Israel, ...), our banks are regularly under the fire of extraterritorial bullshit due to the USD dependence.
Being worried about consumer devices and their OS is cute, but it's missing the forest for the trees.
I agree, I’m not saying it’s totally correct or there aren’t answers, but those are the current rules at least in my bank.
Instant payments bypass typical surveillance and fraud systems and so need some kind of authentication. If you don't want to 2FA every time you're at the checkout, then the application has to have been previously authenticated (e.g. set up with some kind of TAN from your bank) and execute on an attested device. We can definitely extend attestation to other devices (e.g. is the kernel modified, does the app have reasonable version and checksums, etc.), but again, who is gonna fund that for 10 users?
edit: We have a long road to go before this stuff gets better, I think we should be happy at each step instead of really wishing we were already at the finish.
That’s authenticated and 2fa’d, so it doesn’t have the same use case as a tap to pay system, though. I’m not defending these choices, but there is a reality here.
> we don’t want to have to force smartphone choices but the number of users without one these devices is so vanishingly small
You are missing the point. The issue is that once the "vanishingly small" number of alternatives disappears, users will be completely trapped, and Google and Apple will then be free to abuse that position of power (they already do). Worse, since power is centralized, it is very easy for government interference to take place, and we already see that with things such as identity and age verification requirements. It is the possibility of competition that matters more than actual competition.
Because we don’t need it. The US banking system for example is fairly archaic. Where I live, paper checks went extinct about 30 years ago. Now with SEPA, bank transfers are cheap (cents), fast (seconds) and easy (IBAN). If our banking system would not be as convenient, I’m pretty sure something like PayPal would have been very popular.
Oh, you will understand. When, besides your bank, half of the planet will know about your shopping habits.
The device called "Smartphone" is only used to collect every possible detail about your life. The smart thing on a "Smartphone" is that, besides your bank, a lot of other "vendors" have access (not only) to your financial information.
> I have been sick with COVID all week /../, while working from bed with a fever and very little sleep, I unintentionally made a serious journalistic error in an article about Scott Shambaugh.
Being under stress and being ill at the same time can change your modus operandi. I know, because that happens to me, too.
When I'm too tired, too stupid, and too stressed, I stop after a point. Otherwise things go bad. Being sick adds extra mental fog, so I try to stop sooner.
Paste the original blog post into ChatGPT asking it to summarize or provide suggestions. Unintentionally copy and paste quotes from the ChatGPT output rather than the original blog post.
What are they changing to prevent this from happening in the future? Why was the use of LLMs not disclosed in the original article? Do they host any other articles covertly generated by LLMs?
As far as I can tell, the pulled article had no obvious tells and was caught only because the quotes were entirely made up. Surely it's not the only one, though?
The _claim_ is that the article wasn’t AI generated, only the quote (the journalist rather unwisely trusted in the ability of an LLM to summarise things).
I'm dealing with such an attack, so if you'd like, you can send me IPv4 addresses, and I'll grep my logs for them. Email address is on the website linked on my profile.
As for what you can do on your own, it really depends on your network. OpenWRT routers can run tcpdump, so you can check for suspicious connections or DNS requests, but it gets really hard to tell if you have lots of cloud-tethered devices at home. IoT, browser extensions, and smartphone applications are the usual suspects.
I'm also dealing with a scraper flood on a cgit instance. These conclusions come from just under 4M lines of logs collected in a 24h period.
- Caching helps, but is nowhere near a complete solution. Of the 4M requests I've observed 1.5M unique paths, which still overloads my server.
- Limiting request time might work, but is more likely to just cause issues for legitimate visitors. 5ms is not a lot for cgit, but with a higher limit you are unlikely to keep up with the flood of requests.
- IP rate limiting is useless. I've observed 2M unique IPs, and the top one from the botnet only made 400 well-spaced-out requests.
- GeoIP blocking does wonders - just 5 countries (VN, US, BR, BD, IN) are responsible for 50% of all requests. Unfortunately, this also causes problems for legitimate users.
- User-Agent blocking can catch some odd requests, but I haven't been able to make much use of it besides adding a few static rules. Maybe it could do more with TLS request fingerprinting, but that doesn't seem trivial to set up on nginx.
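As an added illustration of the measurements behind this comment (this is example code, not the commenter's tooling), the script below parses nginx combined-format access-log lines, reports the figures that decide whether caching or per-IP rate limiting can help (total requests, unique paths, unique IPs, busiest IP), and simulates a per-IP sliding-window limit. The log lines are constructed inline: a botnet of 20 IPs each fetching a few distinct cgit paths 90 seconds apart, plus one human reloading a handful of pages in quick succession. The path layout and addresses are assumptions for the sample, not the commenter's real data.

```python
"""Measure a scraper flood in an nginx combined-format access log."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# One line of nginx "combined" log format; query strings stay inside <path>.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            records.append(rec)
    return records


def summarize(records):
    """Volume figures that decide which mitigations can work at all."""
    ips = Counter(r["ip"] for r in records)
    paths = Counter(r["path"] for r in records)
    n = len(records)
    return {
        "requests": n,
        "unique_ips": len(ips),
        "unique_paths": len(paths),
        "top_ip_requests": max(ips.values()) if ips else 0,
        # Requests for a path seen before: an upper bound on the cache hit rate.
        "cacheable_fraction": (n - len(paths)) / n if n else 0.0,
    }


def rate_limit_rejections(records, limit, window_seconds):
    """Simulate a per-IP sliding-window limit.

    A request is rejected when `limit` accepted requests from the same IP
    already fall inside the last `window_seconds`. Returns rejections per IP.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r["ts"])
    rejected = Counter()
    for ip, stamps in by_ip.items():
        accepted = []  # timestamps of accepted requests still inside the window
        for ts in stamps:
            accepted = [t for t in accepted if ts - t < window]
            if len(accepted) >= limit:
                rejected[ip] += 1
            else:
                accepted.append(ts)
    return rejected


def _fmt(ip, ts, path, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 4096 "-" "{ua}"'


def build_sample_log():
    """Constructed traffic (not real logs): 20 bot IPs, each fetching 5 distinct
    cgit paths 90 s apart, plus one human who reloads 4 pages within 12 s."""
    t0 = datetime(2025, 10, 6, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for b in range(20):  # well-spaced botnet traffic, every path unique
        for k in range(5):
            ts = t0 + timedelta(seconds=90 * k + b)
            lines.append(_fmt(f"203.0.113.{b + 1}", ts,
                              f"/repo.git/tree/src?id=bot{b}-{k}",
                              "Mozilla/5.0 (Linux; Android 9) Chrome/70.0"))
    for k in range(12):  # one human paging through the log view
        lines.append(_fmt("198.51.100.7", t0 + timedelta(seconds=k),
                          f"/repo.git/log/?ofs={(k % 4) * 50}",
                          "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"))
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print(summarize(recs))
    # With 10 requests per 60 s per IP, only the human gets throttled.
    print(rate_limit_rejections(recs, limit=10, window_seconds=60))
```

Run against the constructed sample, the bots never trip the per-IP limit (5 requests 90 seconds apart), while the one human who reloads quickly does, which is the mismatch the comment describes between IP rate limiting and a wide, slow botnet. Pointing `parse_log` at a real access log gives the same figures for actual traffic.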
Quick question: the bots you mention are from a 24h period, but how long will this "attack" continue for?
Because this is something which is happening continuously, and I have observed so many HN posts like these (Anubis iirc was created by its creator out of such frustration too). Git servers being scraped to the point that it's effectively a DDoS.
Yes, the attack is continuous. The rate fluctuates a lot, even within a day. It's definitely an anomaly, because e.g. from 2025-08-15 to 2025-10-05 I saw zero days with more than 10k requests. Here's a histogram of the past 2 weeks plus today.
It's plausible that the AI companies have given up storing data for training runs and just stream it off the Internet directly now. It's probably cheaper to stream than buying more SSDs and HDDs from a supply-constrained supply chain at this point.
"Wiki" normally refers to user-editable sites, while the graph part is normally implied from being a website. Perhaps Wiregraph would be more accurate? Maybe Wireview? These kinds of networking sites are often called looking glasses, so Wireglass might also work, besides the confusion with the material.
Can I use it without installing their software on my smartphone? Question is rhetorical - of course not, and your smartphone also needs to pass Google's or Apple's remote attestation schemes. Good riddance.
Is it really just PayPal left offering a sane online payment service?