Should Online Banking Use Flash for Verification?
larrystotler asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it (haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"
No.
Next question?
c++;
The idea itself isn't bad, but the requirement to install a third-party software add-on is, especially one which is only available for a few platforms.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
I hope they're not using flash just to obscure the source code, as it is very easy to get to it with a decompiler like flare...
Really.
Don't start these topics without trying to find the answer yourself first...
Haven't tested it yet...
"...since Flash Player is not available for it(haven't tested it yet)."
Test it and do some research first...
I would agree with Richard Steiner (1585) that the idea is a good one... though the third party requirement is bogus.
It's simply irresponsible to permanently store security credentials on the client. Also call and ask them how long they spent auditing the source code for flash player before implementing this.
Vote with your wallet.
Use SSL Client Certificates.
EOM. (Temojen at work)
Sure! Voting machines don't use Flash... so Flash must be secure.
I don't like flash shared objects. You can disable them outside of flash by fudging up Flash's directory structure (essentially creating a file in place of the directory so flash can't recreate it). Instructions and bash file are available here.
http://macromedia.mplug.org/
I think your Linux box should be good to go with this??
...is to use two sets of authentication tokens, like this:
1. Connect via HTTPS
2. Log in. Site sets tokens (with expiration times) in cookies and Flash data.
3. If cookies and Flash data disagree, assume the connection has been hijacked by another app on the PC and discontinue session.
4. Delete tokens on log-out.
I'm not sure if this would actually accomplish anything, and I'm not exactly thrilled about requiring a third-party plug-in, but it's the only thing I can think of that might actually be useful.
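As an added illustration (not code from the original post, nor any bank's implementation), here is a small Python model of the two-token scheme just described: the server signs one device-registration token, the client stores it in both the cookie and the Flash data, and at login the server skips the extra questions only when a valid token is presented and the two channels agree. `DeviceRegistry`, the token layout and every sample value are constructed for this example; it also walks through the cases raised elsewhere in the thread (wiped cookies with a surviving Flash object, a token lifted from a stolen machine).

```python
"""Server-side model of the two-channel "registered computer" token.

The bank hands the client ONE device-registration token and stores it
twice: in an ordinary cookie and in a Flash local shared object (LSO).
At login the server then:
  * skips the extra "security questions" when a valid token is presented,
  * asks them when no token is present (unregistered computer), and
  * terminates the session when the two channels disagree (the
    "hijacked by another app on the PC" case of the scheme above).
All names, the token layout and the sample values are constructed.
"""
import hashlib
import hmac
import secrets
import time


class DeviceRegistry:
    def __init__(self, server_key: bytes, ttl_seconds: int = 30 * 24 * 3600, now=time.time):
        self._key = server_key        # never leaves the server
        self._ttl = ttl_seconds       # step 2: tokens carry an expiry
        self._now = now               # injectable clock, so tests are deterministic
        self._revoked = set()         # step 4: tokens deleted on log-out

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, account_id: str) -> str:
        """Mint account|expiry|nonce|hmac. The same string goes into both channels."""
        expiry = int(self._now()) + self._ttl
        nonce = secrets.token_hex(8)
        body = f"{account_id}|{expiry}|{nonce}"
        return f"{body}|{self._tag(body)}"

    def _valid(self, token: str, account_id: str) -> bool:
        parts = token.split("|")
        if len(parts) != 4:
            return False
        acct, expiry, nonce, tag = parts
        if not hmac.compare_digest(tag, self._tag(f"{acct}|{expiry}|{nonce}")):
            return False                      # forged or tampered token
        if acct != account_id or token in self._revoked:
            return False
        return int(expiry) > self._now()      # expired tokens fall back to questions

    def revoke(self, token: str) -> None:
        """Step 4: log-out (or 'forget this computer') invalidates the token server-side."""
        self._revoked.add(token)

    def login_decision(self, account_id: str, cookie_token, flash_token) -> str:
        """Second-factor decision for a user who has already supplied the password."""
        # Step 3: both channels present but different -> assume tampering, drop the session.
        if cookie_token and flash_token and cookie_token != flash_token:
            return "terminate"
        # Either channel alone is accepted; this is exactly why clearing the cookie
        # jar does not un-register the computer while the Flash LSO survives.
        token = cookie_token or flash_token
        if token and self._valid(token, account_id):
            return "skip_questions"
        return "ask_questions"


def run_scenarios() -> dict:
    """Walk the cases argued about in the thread; returns {scenario: decision}."""
    reg = DeviceRegistry(b"constructed-server-key", now=lambda: 1_700_000_000)
    tok = reg.issue("acct-42")
    other = reg.issue("acct-42")          # a second registration of the same account
    results = {
        "both channels agree": reg.login_decision("acct-42", tok, tok),
        "cookies wiped, LSO survives": reg.login_decision("acct-42", None, tok),
        "unregistered computer": reg.login_decision("acct-42", None, None),
        "channels disagree": reg.login_decision("acct-42", tok, other),
        "token presented for another account": reg.login_decision("acct-99", tok, tok),
        # The weakness raised in the thread: a token copied off a stolen machine is
        # indistinguishable from the legitimate computer, so the questions are skipped.
        "stolen token replayed elsewhere": reg.login_decision("acct-42", tok, tok),
    }
    reg.revoke(tok)
    results["after log-out/revocation"] = reg.login_decision("acct-42", tok, tok)
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:36s} -> {decision}")
```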
Surely more authentication is more better?
I'm not familiar with the specifics of Adobe Flash, but I know many people have password-less logins so how does removing authentication layers help anyone (apart from the poor user who must remember their password)? Isn't Flash just an extra attack vector on top of the existing XSS, keylogging and such?
Was there not a story about Flash for Linux within the last 72 hours? http://linux.slashdot.org/article.pl?sid=07/01/17/1315228
Anyway, I don't think it's a good idea, but it's not going to stop you from using it in Linux (in theory.)
I could be wrong.
Recently, I've moved from a house that had an electric water heater to a house with a gas water heater. Sadly for me, this means that I'll no longer be able to use my custom-built circuit monitoring hardware (which uses a Linux-based electricity usage tracking app I wrote myself!) to estimate what percentage of my monthly electrical bill was used to generate hot water. However, the real question is: is it really a good idea to pound on the gas main with a ball-peen hammer?
Obliteracy: Words with explosions
If somebody is erasing all their cookies, chances are they don't want you hiding data elsewhere too. What happens when one of your customers wipes their cookies before selling their computer, and the buyer fishes out the sensitive data from the Flash storage instead because you've overridden their wishes?
Bogtha Bogtha Bogtha
If they are using Flash and a feature intended to help make sure they know you are using a computer you previously used, it helps (like a cookie).
As part of a multi-factor authentication system it can help.
They probably are not using it as the primary authentication (account number, password). (If they are, they'll get shut down quickly.)
If your platform can't handle the Flash, chances are they'll make you go through a longer more customized login procedure, like answer previously arranged "security questions" and so on. It will be slower, but it will work.
There are some pretty aggressive new regulations concerning online banking login methods, so more and more of this stuff will be appearing. They will all still have a primary user/pass combo of some kind though.
More often than not, Flash is a horrible bandwidth hog and slows page loading drastically. And if someone is on a dial-up connection (which still exists in many places due to no high-speed being available, and satellite being far too expensive), any slower page loading means less likelihood of a resource being used. Plus, not everyone will have a Flash player available, especially if you're using the latest version. So do you want to alienate your customers?
The summary says that he's got Linux on a PowerMac. Neither Macromedia nor Adobe has ever released a version of Flash for Linux that runs on PowerPC, just 32-bit Intel.
But banks get to do whatever the hell they want for the most part in the USA (subject to state regs) and so it doesn't take much for special interest groups to tell the IT departments of those banks what is the "best" way to do things and since "everybody" has flash...what's the problem? (I'm being sarcastic here)
You can argue that "they shouldn't use proprietary tech", well... if you want to push it, I'll bet you are using a computer that has proprietary tech in it somewhere and probably your ISP has a bit of a monopoly in your area and etc. etc. etc. So using proprietary flash technology isn't that big a deal for most people. (except us on Slashdot!)
In other countries, where banks are regulated by the country's main government, it is a bit harder.
The real question is: should any bank make it easy to "register your computer with them so that you don't have to go through the new extra security steps". The answer of course is "no". If I break into your house and steal your computer, I now also have access to your bank account (which you probably have a handy bookmark for to make it even easier). Also, anyone you trust into your house (babysitter, etc.) can now get into your bank account.
Banks shouldn't make it easy to remove the "what you know"-part of the authentication. It's there for a reason.
(Then again, I probably misunderstood what "the new extra security steps" are. But there ya go.)
Regardless of the actual security issues, asking "Should Flash be used for(fill in blank here)?" on Slashdot is a question that I think we all know the probable responses to already...
However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"
This is a foolish, short-sighted strategy. Do you really think Flash is going to be the same 5 years from now? Is it even going to exist in 10 years? Does this solution even address the real security concerns, or is it just an ugly hack dreamed up by some people that have no other solution? I'd say the latter.
Banks need to get together and solve this problem outright. It's hurting all of them because they all have to develop these proprietary technologies (that only wind up sucking). They need to get together and find someone they all trust to lead development of a technology to secure transactions. If they were smart they'd hire someone like Bruce Schneier to design and oversee development of a system for them to secure web transactions.
IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know". In other words, a hardware device of some type that plugs into a USB port, and verifies that:
A. You're talking to the bank you think you are. Thus avoiding phishing attacks that get people to connect to sites pretending to be the bank.
B. That you are who you say you are.
Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.
AccountKiller
I may be a little lost here, but if you're going to authenticate a client, why not use a client-side certificate? Is it too difficult to understand? Is the support in browsers/servers not there?
From my (limited) experience with this, it seems like it's a workable solution that would work on most browsers, no matter the OS, without a proprietary plug-in like Flash.
I know a number of people who don't know enough to install plugins, so your 99% figure is highly suspect. :-)
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
The last thing I need to hear is a talking Bank of America ATM screaming when a dirty old man flashes for verification.
2) I can't remember the last time I've actually had to download and install Flash player. It's either been installed already or the browser took care of it for me.
Flash is ok to add eye candy and a sound track.
However, all web sites should be usable by someone who doesn't use flash at all.
Just to sprinkle some numbers into the discussion...
http://www.adobe.com/products/player_census/flashplayer/version_penetration.html
Obviously requiring closed (therefore unauditable, therefore not even possible to secure) software is a bad idea. I'm not even sure how someone gets as far as the question "is this a good idea?" since it has absolutely nothing positive going for it at all.
The cookie thing is really stupid, too. My credit union made everyone use it a month or two ago. The only thing it does, is make things less convenient. Since I don't save cookies, I have to "verify" every time I log in. That means I have to answer three questions. It's just another password! Except unlike my old password (which I made up and keep in my head) these passwords are answers to real world questions, which means someone who isn't me could look up the answers. Brilliant.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
One of the reasons I use the 64-bit version of IE when I'm forced to use Windows is specifically to avoid plugins. There are basically *NO* plugins for 64-bit IE, including Flash.
And, double checking, apparently the OP is talking about the bank I use. Their main online login doesn't work on my Windows machine. Although in the place where the login box is on my Flash-laden computer is a simple 'login' button that takes me to a new (HTML-only) page that states "For a better security experience, we recommend installing Adobe Flash Player", but has an old fashioned form-based login.
"Security experience"???? Security shouldn't be an "experience"! Just say "For better security", even though the statement is debatable.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
It's somewhere between 96% and 98%. Persons who don't know enough to install plugins most likely bought a PC with said plugins pre-installed. Pretty much the only persons who don't have Flash installed are the neo-Luddites who hang out here.
Flash drive? Yeah sure, I might consider accepting a dongle of sorts and popping it into the USB port when I want to access my account info. Of course, you still need the password and pin and all the other fun stuff, if just the dongle itself could access my account I'd smash it with a hammer.
Flash software? Were my credit union (what's a bank?) to require this, I would close my account in a...well, you know.
If you can log in using FlashCookies, someone who steals your computer can log in using FlashCookies.
I would much rather type my password, answer a captcha, and whatever else every time I log in to my bank than make it at all easier for an unauthorized user of my computer to log in to my bank. I'm even annoyed that Firefox auto-suggests my bank login.
Ceci n'est pas une signature.
Don't believe the Macromedia/Adobe hype. Of course they're gonna tell you that everyone has Flash.
I did my own checking on a busy non-biased (i.e. non-geeky) site a few years ago. I came up with around 73% market penetration. And this was BEFORE all the overlay Flash ads and pop-ups were so prevalent. For the record, MM was still claiming 97+% of users had it installed back then.
In all fairness, this was before Flash video had arrived with Youtube and Google Vids, etc.
I said Flash is available for 99% of internet users.
Them, and non-x86 Linux users.
There are so few *BSD users that we won't even mention them...
"I don't know, therefore Aliens" Wafflebox1
Not commenting on whether this is a good idea, but the article states that there is no Flash player for Linux. Actually, Adobe just released a Linux version of Flash Player 9 a few days ago. And even before that you could install version 7. So you can remove crippling Linux users as a reason to bash this.
Actually, Flash has the potential to revolutionize online security. With the increasing numbers of webcams, users could opt to require a "video signature" to log on, in addition to regular password credentials. The video signature could quickly be checked by a company like Brinks to see if the remote user is the correct user, and grant access to the user accordingly once the correct password has been provided.
The Political Programmer
Non-x86 Linux users and Slashdot neo-Luddites. Oddly enough, those two groups have almost 100% overlap.
If only you could edit posts. (And now Slashdot is making me wait to post this correction--in order to give people a fair chance to mock my lack of editing skill.)
Not necessarily. It sounds like, if you use the plugin, the bank won't ask you those stupid "security questions" at login time, since they will be able to "recognize the computer."
It goes beyond 'neo-luddites'. We have open standards for a reason--and that reason is so that if I want to create a platform and communicate with the existing infrastructure, I have everything that I need to make an application on that platform that will work with everyone else. The HTML specification is an excellent example of this. People have made HTML rendering engines for almost every device that has an IP address, and for many that don't, as well (my old Palm IIIxe had an offline webpage reader).
When you throw closed standards into the mix, you start making things harder. If my platform of choice doesn't have an HTML renderer, I can write one. If my platform of choice doesn't have a Flash player, I can't. I either do without Flash, or I switch platforms.
Of course, some people can't switch platforms. My Windows Mobile 5.0 phone doesn't work with Flash--at least, the default browser doesn't. If I use NetFront, I can get Flash 7. Will this banking website work with that, or will Flash 9 be required?
My only problem with this is that the standard isn't open. If it's an open standard, even one for which my platform of choice has no current support, I'm ok with it. If it's a closed standard, the answer is 'no'.
You must be mistaken. The correct answer is "Hell, no! " or "Fuck, no!" or "No, and you should be executed for having suggested it!"
Hope that clears things up. : )
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
.....
Someone's got in the LSD-tainted water supply, again.
NO. Heeeeeeellllllll NO.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
1. They use the Cookies and/or Flash to negate the requirement of answering "up to" 3 extra security questions. They still require you to use your password regardless of anything else. (Of course, if your password is on a post-it note on your monitor and your computer gets stolen.....kinda makes it easier, especially in the case of a laptop).
2. I haven't fired up my PowerMac 9600 to see if I can even log into my account, but I doubt it since I have to click on the Flashblock icon to even be able to get to the logon on my Dell.
3. I have Firefox set to clear private data when it is closed. The Flash part is supposed to "help" verify my computer if the cookies aren't present. This would ONLY apply if I actually "register" my computer with the bank, which I don't foresee myself doing since I have a computer in about every room except the bathroom.
4. Does Flash store information about my browsing history on my system that would allow such a verification? If so, then it sounds like it needs to be removed from my system in my interest of a secure experience.
5. Reminds me of how a large sat TV company requires its dealers to use IE6/ActiveX to input Credit Card info and Social Security numbers to create an account because it was the "Most secure" way to do it.....
Flash is mainly for graphics. How is this going to work for people who have vision problems? Does Flash have accessibility support?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I guess we are cool giving a big "FU!" to anyone who is disabled (blind) and using a specialized browser. After all 99% of the population can see just fine. For that matter let's get rid of all those damn wheelchair ramps cluttering up the place.
Finkployd
They're storing a token that basically says "I've authenticated myself previously from this computer" which means you -only- need to provide your account details and online banking password.
Without this token, it also asks you one of your secret questions, because you're not logging in from a previously "authenticated" computer.
It's like comparing locking your front door with a key or a pin-code.
Key's a physical object you can physically protect. Pin Code doesn't have to be carried which is both a benefit and a disadvantage.
It's quite interesting actually. Pretty much everybody locks their house with a physical token (a key) and accesses online services with a pin/password - and considers this secure.
If you reversed it, they'd be convinced somebody else would guess or brute-force their front door, and would complain about carrying around an RSA token for every site they use (Paypal have just started to introduce tokens and I bet the take-up is pathetic).
I have flash running on my amd64 linux laptop (that I'm using to write this comment). You have to jump through a few hoops with nspluginwrapper to get it to work with 64-bit Firefox but it hasn't crashed ye---
mattdev@server$ touch
cannot touch `/dev/genitals': Permission denied
Right now, there is a severe storm in Europe. People have died, thousands are stranded and can't get home tonight because of closed roads and shutdown public transport. The official emergency site to keep people informed about this crisis has been unreachable for most of the day. Why? Because the front page is riddled with Flash applets. Because of this the servers are severely overloaded. Nice going, for an emergency service.
Don't use Flash, it's dangerous.
!ERR: Signature not found.
It's just the Banks being stupid and tight. They do everything to protect their massive profits, while the least amount possible to protect their clients' funds.
They should simply switch to using smartcards. Use them as part of a client side https handshake (i.e. you need to insert your smartcard). Offer it as an additional service to their customers.
I see card readers in all kinds of shops that take the standard magnetic reader - and have a spot where you could insert a smartcard.
Windows has had support for Smartcards since the days of NT 4.0.
Linux has support as well (Fedora Core 6 installs it by default).
The readers are cheap to get for your PC - have a look on eBay.
Deploying more software to the client's computer is not the answer. It just creates more long term support issues for them.
The Web wasn't made for heavy sites built on proprietary toolkits. It was made for content, delivered in the form of HTML pages. I think Flash is a blight on the whole Web and should not be used ANYWHERE.
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
Try Gnash. It supports most of Flash 7, and the stuff it doesn't support (e.g., sound) may not matter to you for this application. Don't forget to install flashblock!
What I don't understand is the bank's rationale for using flash for this. If a user deletes his cookies, it's probably because he wanted to delete his cookies. There's no incredible hardship involved with logging in again.
Find free books.
Does anybody know which bank the submitter is talking about?
RichM
Data Center Knowledge
How is a Slashdot neo-Luddite different from a regular Luddite?
"I don't know, therefore Aliens" Wafflebox1
Note: "Dumb" not directed toward the poster but the We (with a capital 'w').
There have already been many informative comments addressing the security issue, so I'll restrict myself to this: After 15 years of lawsuits in numerous countries to make online banking accessible, why do the banks keep trying to back-track?
I usually bank with a text browser. When I can't, I'll switch banks. I already spent two years complaining to my bank (back in 1999 or so) that I couldn't bank with my browser of choice - any of them - and that I had to have my browser tell the bank site that I was using IE (which then worked fine, even in Lynx). That's enough complaining for me.
"First they ignore you, then they laugh at you, then they fight you, then you win." - Mohandas Gandhi
... it should never have been asked!
Flash is not open. Period. Their licence specifically covered this: one cannot make independent Flash players.
So, ultimately, they (Adobe, and Microsoft, by means of deals) will be able to control your access to your own money. Now, that rates 11 in my 0-to-10 stupidity scale.
Besides, there's nothing special with Flash! It's just a display (bitmap & vector) language. This has been done since the dawn of time, since PDPs had vector displays.
We are one day after a long winter of waiting for a final release of a decent Flash player; how long till Windows have a new one which Linux won't run?
I'm so just waiting for Gnash to be usable to give these morons a well deserved kick in the butt...
>The idea itself isn't bad,
Yes it is.
Flash has had so many serious security vulnerabilities that I uninstalled it (which was way too hard, but that's another story) and don't want to reinstall it.
question one: are you a flash dev?
question two: aren't client-side applications inherently less secure? A great deal more work has to go into securing them, and thus there exists more possibilities for an overlooked vulnerability?
Browsing with classic discussion, noscript, at -1 and nested
no hidden comments and I only mod UP
Shortly after this article hits /. front page, tell us how much money you have left in your bank account.
;)
Actually, don't worry - we'll all just check for ourselves
How is a Slashdot neo-Luddite different from a regular Luddite?
:)
It sounds slightly worse. First of all, more words adds impact. Compare "you dummy" vs. "you stupid big fat dummy". Secondly, if you're really stuck with a word that's already become commonplace, you can make it sound fresh again by prefixing with "neo-". For example, calling someone a "conservative" doesn't by itself carry sufficient negative connotation to be effective as an epithet, so people use "neocon". There's also "arch-", so if "neo-Luddite" ever becomes overused, one can always switch to "arch-Luddite".
Attention zealots and haters: 00100 00100
Ok, I tried logging in with my PowerMac 9600 running Linux, and I was able to. It didn't ask me about not having flash. I did get asked whether I wanted to register the computer, but of course I didn't. I'm definitely considering removing Flash permanently from my machines. And to think I just copied the Flash 9 files to where they belong (use the installer? heck, all it does is copy the files, which I can do myself). Other than my son wanted to go to nick.com and stuff, I don't really need it.
> This all makes me sad because I am a professional Flash and Flex Developer.
This all makes me sad because I am a Shlockwave Trash victim. I happen to surf the web a lot. I used to remove the Shlockwave Trash plugin manually, before Youtube, etal, required it. I now run with Flashblock installed.
The problem for you is that 99 and 44/100 percent of the Shlockwave Trash that people see is either crappy singing/dancing/flashing/jumping ads, or totally pointless "intro pages" at web sites that otherwise don't need it. Disabling Shlockwave Trash "greatly improves my web-browsing experience".
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
No.
#1 - Flash is only required if you want to have this easy log-in functionality, a blind person can use the site just fine without it
#2 - The site isn't actually in flash, it's still a regular HTML website, a blind person can still use the site even if they're using the easy log-in functionality
#3 - Using a screenreader with websites sucks, a blind person is more likely to use a phone service if their bank offers it. I know it's not super high-tech so you don't care about it, but most banks still offer a phone service that lets you check the balance on your account, make transfers, etc.
So go fuck yourself, alright?
neo-Luddites.
Some corporations don't allow Flash or other widgets to be installed, either as a matter of security or just to prevent support problems on the user's desktop. Others block Flash content at the firewall.
Saying that 90-something percent of people have Flash is a bit like saying 50% to 80% of American adults have herpes simplex. It may be true, but it doesn't make it a good idea, and the people without it are better off.
The main reason for the success of Flash is that it's good at doing "chimp attract", making shiny moving flashy things to help web advertisers better target the half of the bell curve whose higher brain functions go into suspend mode when confronted with anything brightly colored that moves. That doesn't make it a technological advance, no matter what the marketing department told you.
Well, we can't be too Luddite-ish if we use computers for recreational purposes...
"I don't know, therefore Aliens" Wafflebox1
As long as you only use a console and Lynx.