> If your bank's app uses SafetyNet, it's probably about some manager's very confused concept of security.
Or about making the auditor for the government-imposed security certification happy with the least amount of effort. It's always more work to come up with good answers as to why you are not doing the industry-standard thing.
True security can only come from understanding how your system works. Otherwise, you're just inventing a religion, and doing everything on faith. "We're fine, we update our dependencies." Except you have no idea what's in those dependencies, or how they work. This is, apparently, a controversial opinion now.
This comment pops up every time someone talks about social security numbers. Yes, they were never supposed to be private, but now they are. So either Congress can do something about it, or big companies can stop leaking them. Clever "well, actually"s didn't stop my identity from being stolen recently after a breach, and they never will.
They're not really private+, and nobody should design a system with the assumption that they are. AFAIK nobody does these days. There are extra authentication checks done in addition to simply "I have the SSN".
+ e.g. until very recently there were US states that used your SSN as your driver license number.