Should Online Banking Use Flash for Verification?
A user asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac, since Flash Player is not available for it (haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"
No. (Score:5, Insightful)
No.
Next question?
Re: (Score:2, Insightful)
Should they use it at all?
Re: (Score:2)
Flex is up to version 2, but here are some 1.5 sample apps [adobe.com].
Re: (Score:2)
I do stand corrected on the byte code compile point h
Re: (Score:2)
Also no. Banks should be using https/html and https/cgi. I don't rent my cpu out to them, and I don't want their code running on my computer. That goes for everyone else, too. As soon as you presume you can run a "client" application on my machine, you may be impacting other things I am doing without my permission. If you don't have the CPU power you need to run your operation, I decline to run it for you except in special cases that I will pick according to my own needs.
And hey, as a bonus, your stuff
Re:No. (Score:5, Insightful)
Bank sites should be as server-side as possible. Anything else opens the user up to exploits; I'm not even a big fan of their push toward Ajax. Putting a lot of effort into cosmetic widgets is problematic at best.
Re: (Score:2)
It is common for security holes to go long periods of time before they are discovered, patched, or the user actually applies the patch, for varying reasons. I would hope this doesn't give someone a new approach to identity theft or fraud.
BTW, I wonder if the fla
Re: (Score:2, Interesting)
Although I must admit ING Direct has a pretty good "feel good" authentication. It will at least make it more difficult to determine your password over your shoulder.
Wrong answer (Score:2, Funny)
You must be mistaken. The correct answer is "Hell, no! " or "Fuck, no!" or "No, and you should be executed for having suggested it!"
Hope that clears things up. : )
Re: (Score:2)
You're very kind. I would say they should be tortured for the rest of eternity for having suggested it. They should suffer for it like we will.
Seriously though the crazy thing is that they require flash for those temporary credit card numbers that some credit card companies offer. As if I'm so paranoid that I'm going to take the trouble using
Flash is evil and can be life-threatening! (Score:2)
Right now, there is a severe storm in Europe. People have died, thousands are stranded and can't get home tonight because of closed roads and shutdown public transport. The official emergency site to keep people informed about this crisis has been unreachable for most of the day. Why? Because the front page is riddled with Flash applets. Because of this the servers are severely overloaded. Nice going, for an emerge
Requiring additional browser plugins is a bad idea (Score:3, Insightful)
Re: (Score:2)
2) I can't remember the last time I've actually had to download and install Flash player. It's either been installed already or the browser took care of it for me.
Adobe Flash Player Version Penetration (Score:2, Informative)
http://www.adobe.com/products/player_census/flash
Re: (Score:2)
It's somewhere between 96% [adobe.com] and 98% [adobe.com]. Persons who don't know enough to install plugins most likely bought a PC with said plugins pre-installed [adobe.com]. Pretty much the only persons who don't have Flash installed are the neo-Luddites who hang out here.
Re: (Score:2)
Them, and non-x86 Linux users.
There are so few *BSD users that we won't even mention them...
Re: (Score:2)
Non-x86 Linux users and Slashdot neo-Luddites. Oddly enough, those two groups have almost 100% overlap.
Re: (Score:2)
How is a Slashdot neo-Luddite different from a regular Luddite?
Re: (Score:2)
neo-Luddites [answers.com].
Re: (Score:2)
As long as you only use a console and Lynx.
Re:Requiring additional browser plugins is a bad i (Score:4, Insightful)
When you throw closed standards into the mix, you start to make things harder. If my platform of choice doesn't have an HTML renderer, I can write one. If my platform of choice doesn't have a Flash player, I can't. I either do without Flash, or I switch platforms.
Of course, some people can't switch platforms. My Windows Mobile 5.0 phone doesn't work with Flash--at least, the default browser doesn't. If I use NetFront, I can get Flash 7. Will this banking website work with that, or will Flash 9 be required?
My only problem with this is that the standard isn't open. If it's an open standard, even one for which my platform of choice has no current support, I'm ok with it. If it's a closed standard, the answer is 'no'.
Chimp-attract is not new technology (Score:2)
Some corporations don't allow Flash or other widgets to be installed, either as a matter of security or just to prevent support problems on the user's desktop. Others block Flash content at the firewall.
Saying that 90-something percent of people have Flash is a bit like saying 50% to 80% of American adults have herpes simplex. It may be true, but it doesn't make it a good idea, and the people without
Re: (Score:2)
I did my own checking on a busy non-biased (i.e. non-geeky) site a few years ago. I came up with around 73% market penetration. And this was BEFORE all the overlay Flash ads and pop-ups were so prevalent. For the record, MM was still claiming 97+% of users had it installed back then.
In all fairness, this was before Flash video had arrived with Youtube and Google Vids, etc.
Re: (Score:1)
I said Flash is available for 99% of internet users.
Re:Requiring additional browser plugins is a bad i (Score:2)
Yes it is.
Flash has had so many serious security vulnerabilities that I uninstalled it (which was way too hard, but that's another story) and don't want to reinstall it.
Why flash? (Score:1, Informative)
No. (Score:3, Interesting)
Re: (Score:2)
Maybe for your bank. My old bank required IE. "For security reasons."
Re: (Score:1)
Flash doesn't need to store information permanently on the client side. Flash can communicate with any dynamic pages (Coldfusion, ASP, PHP, etc) asynchronously, like AJAX can.
Well not really (Score:2)
Key's a physical object you can physically protect. Pin Code doesn't have to be carried which is both a benefit and a disadvantage.
It's quite interesting actually. Pretty much everybody locks their house with a physical token (a key) and accesses online services with a PIN/password, and considers this secure.
If you reversed it, they'd be convinced somebody else would guess, brute-force their front door and would complain about carrying
NO! (Score:2, Insightful)
EOM. (Temojen at work)
I don't like flash shared objects (Score:1, Informative)
The only reason I can think of... (Score:3, Interesting)
1. Connect via HTTPS
2. Log in. Sites sets tokens (with expiration times) in cookies and Flash data.
3. If cookies and Flash data disagree, assume the connection has been hijacked by another app on the PC and discontinue session.
4. Delete tokens on log-out.
I'm not sure if this would actually accomplish anything, and I'm not exactly thrilled about requiring a third-party plug-in, but it's the only thing I can think of that might actually be useful.
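Server-side sketch of the scheme proposed in the four steps above, written as an added example for this thread (not code from the bank or any commenter). Assumptions, none of which come from the page: tokens are HMAC-SHA256-signed JSON with a per-device nonce and a 30-day expiry; the same string is handed to both client stores (the cookie and the Flash shared object, or any second store); the primary password check has already passed before this decision runs; and log-out revokes the nonce server-side, because the server cannot guarantee the client actually cleared its stores. Step-up ("challenge") is the fallback to the extra questions the bank asks unrecognized machines.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key for this example only (assumption: the real secret lives in the
# bank's KMS/HSM and is rotated). Never ship a hard-coded key.
SERVER_KEY = b"example-only-device-token-key"
DEVICE_TOKEN_TTL = 30 * 24 * 3600  # 30 days; an assumed policy value

# Nonces of tokens revoked at log-out (step 4). In production this is a shared
# store keyed by expiry so it can be pruned; a set suffices for the example.
REVOKED_NONCES: set = set()


def _sign(body: str) -> str:
    """HMAC-SHA256 over the token body, hex encoded."""
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_device_token(user_id: str, now: float) -> str:
    """Step 2: mint one opaque token. The server hands the same string to both
    client-side stores, so both copies are expected to match on the next visit."""
    body = json.dumps(
        {"uid": user_id, "nonce": secrets.token_hex(16), "exp": int(now) + DEVICE_TOKEN_TTL},
        separators=(",", ":"),
    )
    return body + "." + _sign(body)


def verify_device_token(token: str, user_id: str, now: float) -> bool:
    """Accept only a token this server signed, for this user, not expired, not revoked."""
    body, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(_sign(body), sig):
        return False  # malformed or tampered: signature check comes before parsing
    try:
        claims = json.loads(body)
    except ValueError:
        return False
    if claims.get("nonce") in REVOKED_NONCES:
        return False
    return claims.get("uid") == user_id and now < claims.get("exp", 0)


def revoke_device_token(token: str) -> None:
    """Step 4: on log-out, besides telling the client to clear both stores, remember
    the nonce so a copy lifted from the machine is useless afterwards."""
    body, sep, _sig = token.rpartition(".")
    if sep:
        try:
            REVOKED_NONCES.add(json.loads(body).get("nonce"))
        except ValueError:
            pass


def decide_login_step(user_id: str, cookie_token, lso_token, now: float) -> str:
    """Step 3, run after the primary password check succeeds.

    'recognized' : skip the extra challenge (device already enrolled)
    'challenge'  : ask the extra security questions before continuing
    'terminate'  : the two stores hold different tokens; treat the session as tampered
    """
    if cookie_token is not None and lso_token is not None:
        # Both present: they were issued together, so they must be identical.
        if not hmac.compare_digest(cookie_token.encode(), lso_token.encode()):
            return "terminate"
    present = cookie_token if cookie_token is not None else lso_token
    if present is None:
        return "challenge"  # never enrolled, or the user cleared everything
    # Fall back to whichever store survived (the bank's stated behaviour when
    # cookies were erased). A deployment that wants to honour cookie deletion
    # as an opt-out would return "challenge" whenever the cookie alone is gone.
    return "recognized" if verify_device_token(present, user_id, now) else "challenge"
```

The mismatch rule only helps against a clumsy attacker: one who copies both stores, or who simply plants a stolen token in both, sails through, which is why the commenters below keep insisting this reduces annoyance rather than adding a factor.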
0 factor authentication (Score:1)
I'm not familiar with the specifics of Adobe Flash, but I know many people have password-less logins so how does removing authentication layers help anyone (apart from the poor user who must remember their password)? Isn't Flash just an extra attack vector on top of the existing XSS, keylogging and such?
Short term memory loss? (Score:1)
Re: (Score:3, Informative)
From this article:
From the article you point to:
Re: (Score:2)
It will if your Linux box runs on a PowerPC chip.
Re: (Score:2)
A petition to bring flash to PPC linux. I suspect it's less of an issue now than ever, seeing as macs are moving to x86 chips, and they were by far the largest supplier of consumer ppc chips (though not the only one).
Dear Slashdot, (Score:5, Funny)
Re: (Score:2)
Thank you for a very good (although incredibly immature) laughing fit.
What? (Score:3, Interesting)
If somebody is erasing all their cookies, chances are they don't want you hiding data elsewhere too. What happens when one of your customers wipes their cookies before selling their computer, and the buyer fishes out the sensitive data from the Flash storage instead because you've overridden their wishes?
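The data this commenter is worried about lives outside the browser's cookie jar, so a cookie wipe never touches it. The following is an added example for this thread, not code from the bank or any commenter: it walks the per-user directories where Flash Player keeps Local Shared Objects (the .sol files), reports which sites left data behind, and can delete them per site. The paths are the Flash Player profile locations on Linux and macOS (on Windows the equivalent tree sits under %APPDATA%\Macromedia\Flash Player, not handled here); the site-name recovery from the directory layout is an assumption about that layout, and the sample directory tree used to exercise it is constructed.

```python
from pathlib import Path
from typing import Dict, List, Optional, Set

# Flash Player keeps Local Shared Objects per user profile, outside the browser.
# "#SharedObjects/<random-id>/<site>/..." holds per-site data; the "sys" tree
# holds per-site settings records under directories named "#<site>".
LSO_ROOTS = [
    Path(".macromedia/Flash_Player/#SharedObjects"),                                  # Linux
    Path(".macromedia/Flash_Player/macromedia.com/support/flashplayer/sys"),          # Linux
    Path("Library/Preferences/Macromedia/Flash Player/#SharedObjects"),               # macOS
    Path("Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys"),
]


def find_shared_objects(home: Path) -> Dict[str, List[Path]]:
    """Map each site that stored Flash data under this profile to its .sol files."""
    found: Dict[str, List[Path]] = {}
    for root in LSO_ROOTS:
        base = home / root
        if not base.is_dir():
            continue
        for sol in base.rglob("*.sol"):
            rel = sol.relative_to(base).parts
            if base.name == "sys":
                site = rel[0].lstrip("#")                 # sys/#bank.example/settings.sol
            else:
                site = rel[1] if len(rel) >= 3 else rel[0]  # <id>/bank.example/.../x.sol
            found.setdefault(site, []).append(sol)
    return found


def purge_shared_objects(home: Path, sites: Optional[Set[str]] = None) -> int:
    """Delete the .sol files for the given sites (every site when None).
    Returns the number of files removed. Run this before handing a machine on,
    since clearing browser cookies leaves all of it in place."""
    removed = 0
    for site, files in find_shared_objects(home).items():
        if sites is not None and site not in sites:
            continue
        for sol in files:
            sol.unlink()
            removed += 1
    return removed


if __name__ == "__main__":
    # Report what the current profile holds; nothing is deleted here.
    for site, files in sorted(find_shared_objects(Path.home()).items()):
        print(f"{site}: {len(files)} shared object file(s)")
```

Note that the Flash Player itself also exposes a per-site settings panel for the same data; the point of doing it from the file system is that it does not depend on the plug-in being installed or trusted any more.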
Uh, no. (Score:3, Informative)
As part of a multi-factor authentication system it can help.
They probably are not using it as the primary authentication (account number, password). (If they are, they'll get shut down quickly.)
If your platform can't handle the Flash, chances are they'll make you go through a longer more customized login procedure, like answer previously arranged "security questions" and so on. It will be slower, but it will work.
There are some pretty aggressive new regulations concerning online banking login methods, so more and more of this stuff will be appearing. They will all still have a primary user/pass combo of some kind though.
Absolutely not (Score:1, Offtopic)
Re: (Score:1)
1998 just called and they want their rant back.
Should Flash be used for verification? No (Score:1)
You can argue that "they shouldn't use proprietary tech", well... if you want to push it, I'll bet you are using a computer that has proprietary tech in it somewhere and probably your ISP has a bi
The real question... (Score:5, Insightful)
Banks shouldn't make it easy to remove the "what you know"-part of the authentication. It's there for a reason.
(Then again, I probably misunderstood what "the new extra security steps" are. But there ya go.)
Re: (Score:2)
Questions about dogs name = EXTRA security step
Which is usually triggered by lack of cookie or new IP or new operating system or browser or whatever.
In other words, in place of having to do some sort of extra assurance the user/password holder is legit, you can get this file to act like a cookie and bypass dumb questions about your dog. This thing is supposed to make the extra security step less of an annoyance, not replace a user/pass combo.
So, stealing the computer just means
Cue the Flash Bashing in 3... 2... 1... (Score:3, Insightful)
Re: (Score:2)
Actually it does make it a bad idea, when you're talking about applications beyond something that's either in-house or advertising-oriented. The problem is just that you haven't yet grasped the importance of the open, standards-based technology that brought you the Internet.
The need for standards. (Score:4, Insightful)
However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"
This is a foolish, short sighted strategy. Do you really think Flash is going to be the same 5 years from now? Is it even going to exist in 10 years? Does this solution even address the real security concerns, or is it just an ugly hack dreamed up by some people that have no other solution? I'd say the latter.
Banks need to get together and solve this problem outright. It's hurting all of them because they all have to develop these proprietary technologies (that only wind up sucking). They need to get together and find someone they all trust to lead development of a technology to secure transactions. If they were smart they'd hire someone like Bruce Schneier to design and oversee development of a system for them to secure web transactions.
IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know". In other words, a hardware device of some type that plugs into a USB port, and verifies that:
A. You're talking to the bank you think you are. Thus avoiding phishing attacks that get people to connect to sites pretending to be the bank.
B. That you are who you say you are.
Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.
Re: (Score:2, Interesting)
No, they could just use SSL Client Certificates. The standard already exists, and is implemented in most browsers.
On the net everything devolves to "something you know" until matter transporters are invented.
Re: (Score:2)
Ah, yes, the old "but it seems so simple to my admittedly uneducated self." Really, isn't it common sense that if it were that easy it would have been done already?
Do you think it's a
Re: (Score:2)
Ah, yes, the old "but it seems so simple to my admittedly uneducated self." Really, isn't it common sense that if it were that easy it would have been done already?
I didn't say I knew NOTHING about security/crypto, I'm just not an expert along the lines of Bruce Schneier. Sheesh, there IS a middle ground between being a total neophyte and knowing everything about something.
You seem to think the problems must obviously be technical, and that's why no one has done it yet. It's hardly ever that way in busine
Re: (Score:2)
Not at all. My point was that if there was an easy, fool-proof technical solution, it would be in place. But even when the technical aspects are rock-solid, the system isn't necessarily secure -- which is why we don't have a uniform system.
I don't. It was just the first easy example I thought of, of what can go wrong when you implement an in
Re: (Score:2)
My point was that if there was an easy, fool-proof technical solution, it would be in place.
Well, I guess we simply disagree on why solutions aren't implemented. I don't think we live in a world where the biggest barrier to adoption of a better solution for everyone is simply technical.
The fact still remains, though, that someone who's cracked one bank's system will have a huge leg up on cracking other banks' systems. Why expose yourself to the extra risk when you can use a proprietary system without that
Client-side certs? (Score:2)
From my (limited) experience with this, it seems like it's a workable solution that would work on most browsers, no matter the OS, without a proprietary plug-in like Flash.
I hope not... (Score:1)
No web site should make Flash a REQUIREMENT (Score:4, Insightful)
However, all web sites should be usable by someone who doesn't use flash at all.
Banks have been acting really dumb (Score:2)
Obviously requiring closed (therefore unauditable, therefore not even possible to secure) software is a bad idea. I'm not even sure how someone gets as far as the question "is this a good idea?" since it has absolutely nothing positive going for it at all.
The cookie thing is really stupid, too. My credit union made everyone use it a month or two ago. The only thing it does, is make things less convenient. Since I don't save cookies, I have to "verify" every time I log in. That means I have to answer t
Re: (Score:2)
Worst part is, many of the IT regulators already agree that MFA is worthless; however, they still required banks to push its inconvenience onto their customers. It's been a pretty large hassle on banks' end as well, and it costs us thousands of dolla
Re: (Score:2)
You know, your "mother's maiden name" could be xj7_oSS:19. I bet she didn't mind changing when she got married.
Heck, there is no flash for 64-bit IE... (Score:2)
And, double checking, apparently the OP is talking about the bank I use. Their main online login doesn't work on my Windows machine. Although in the place where the login box is on my Flash-laden computer is a simple 'login' button that takes me to a new (HTML-only) page that states "For a better security experience, we recommen
Wrong kind of flash. (Score:2, Insightful)
Flash software? Were my credit union (what's a bank?) to require this, I would close my account in a...well, you know.
Would You Want To? (Score:2)
I would much rather type my password, answer a captcha, and whatever else every time I log in to my bank than make it at all easier for an unauthorized user of my computer to log in to my bank. I'm even annoyed that Firefox auto-suggests my bank login.
Flash 9 is Our for Linux (Score:2, Insightful)
"Out for Linux" (Score:1)
Flash and Video (Score:3, Interesting)
Security questions (Score:2, Informative)
Not necessarily. It sounds like, if you use the plugin, the bank won't ask you those stupid "security questions" at login time, since they will be able to "recognize the computer."
Ideas for security questions:
The answer has got to be... (Score:2)
Someone's got in the LSD-tainted water supply, again.
NO. Heeeeeeellllllll NO.
How about accessibility? (Score:2)
Re: (Score:1)
The problem is, like Web development in general, to achieve full accessibility, it usually takes additional time/effort/money - which often doesn't happen.
Wrong approach - use SmartCards (Score:1, Interesting)
They should simply switch to using smartcards. Use them as part of a client-side https handshake (i.e. you need to insert your smartcard). Offer it as an additional service to their customers.
I see card readers in all kinds of shops that take the standard magnetic reader - and have a spot where you could insert a smartcard.
Windows has had support fo
Not no but hell no. (Score:1)
-uso.
gnash (Score:2)
Try Gnash [gnu.org]. It supports most of Flash 7, and the stuff it doesn't support (e.g., sound) may not matter to you for this application. Don't forget to install flashblock!
What I don't understand is the bank's rationale for using flash for this. If a user deletes his cookies, it's probably because he wanted to delete his cookies.
Phishers are already using Flash (Score:2)
Does anybody know which bank the submitter is talking about?
You tell us... (Score:2)
Actually, don't worry - we'll all just check for ourselves
Wrong architecture (Score:2)