Slashdot Mirror


Should Online Banking Use Flash for Verification?

larrystotler asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it (haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"

7 of 139 comments

  1. Why flash? by Anonymous Coward · · Score: 1, Informative

    I hope they're not using flash just to obscure the source code, as it is very easy to get to it with a decompiler like flare...

  2. I don't like flash shared objects by Anonymous Coward · · Score: 1, Informative

    I don't like flash shared objects. You can disable them outside of flash by fudging up Flash's directory structure (essentially creating a file in place of the directory so flash can't recreate it). Instructions and bash file are available here.

  3. Uh, no. by jafiwam · · Score: 2, Informative

    If they are using Flash and a feature intended to help make sure they know you are using a computer you previously used, it helps. (Like a cookie)

    As part of a multi-factor authentication system it can help.

    They probably are not using it as the primary authentication (account number, password). (If they are, they'll get shut down quickly.)

    If your platform can't handle the Flash, chances are they'll make you go through a longer more customized login procedure, like answer previously arranged "security questions" and so on. It will be slower, but it will work.

    There are some pretty aggressive new regulations concerning online banking login methods, so more and more of this stuff will be appearing. They will all still have a primary user/pass combo of some kind though.

  4. Re:Short term memory loss? by Bogtha · · Score: 2, Informative

    From this article:

    This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac

    From the article you point to:

    The official Adobe Linux Flash blog has announced that Flash player for x86 Linux is now final

    --
    Bogtha Bogtha Bogtha

  5. Adobe Flash Player Version Penetration by jamesbulman · · Score: 2, Informative

    Just to sprinkle some numbers into the discussion...

    http://www.adobe.com/products/player_census/flashplayer/version_penetration.html

  6. Security questions by MCZapf · · Score: 2, Informative

    This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it (haven't tested it yet).

    Not necessarily. It sounds like, if you use the plugin, the bank won't ask you those stupid "security questions" at login time, since they will be able to "recognize the computer."

    Ideas for security questions:
    • What is the name of the second-largest river that flows through the town where your grandmother on your father's side bought her first four-door car?
    • OK, what's your REAL password?

  7. Some more info by larrystotler · · Score: 2, Informative

    Here's a little more info, but some of it has already been covered by other replies:

    1. They use the Cookies and/or Flash to negate the requirement of answering "up to" 3 extra security questions. They still require you to use your password regardless of anything else. (Of course, if your password is on a post-it note on your monitor and your computer gets stolen.....kinda makes it easier, especially in the case of a laptop).

    2. I haven't fired up my PowerMac 9600 to see if I can even log into my account, but I doubt it since I have to click on the flashblocker icon to even be able to get to the logon on my Dell.

    3. I have Firefox set to clear private data when it is closed. The Flash part is supposed to "help" verify my computer if the cookies aren't present. This would ONLY apply if I actually "register" my computer with the bank, which I don't foresee myself doing since I have a computer in about every room except the bathroom.

    4. Does Flash store information about my browsing history on my system that would allow such a verification? If so, then it sounds like it needs to be removed from my system in my interest of a secure experience.

    5. Reminds me of how a large sat TV company requires its dealers to use IE6/ActiveX to input Credit Card info and Social Security numbers to create an account because it was the "Most secure" way to do it.....
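
Added example (not part of the thread, and not the script linked from comment 2): a shell sketch of the technique comment 2 describes, with an audit step that speaks to comment 7's question about what Flash keeps on disk. It assumes the Linux Flash Player layout `<base>/#SharedObjects/<random-id>/<domain>/.../*.sol`, with `<base>` typically `~/.macromedia/Flash_Player`; the function names are hypothetical.

```bash
#!/bin/sh
# Added example: audit and block Flash local shared objects (LSOs).
# Assumed layout: <base>/#SharedObjects/<random-id>/<domain>/.../*.sol
# Function names are hypothetical, not from the thread or the linked script.

# Print every domain that has stored at least one .sol file, sorted, one per line.
list_lso_domains() {
    so_dir="$1/#SharedObjects"
    [ -d "$so_dir" ] || return 0          # missing, or already replaced by a file
    ( CDPATH= cd -- "$so_dir" && find . -mindepth 3 -type f -name '*.sol' ) |
        awk -F/ '{ print $3 }' | sort -u  # ./<random-id>/<domain>/... -> <domain>
}

# True when a regular file (not a symlink) occupies the directory's path.
lso_blocked() {
    [ ! -L "$1/#SharedObjects" ] && [ -f "$1/#SharedObjects" ]
}

# Put a read-only file where the directory was, so the directory cannot be recreated.
block_lso() {
    so_dir="$1/#SharedObjects"
    lso_blocked "$1" && return 0          # idempotent: nothing to do
    if [ -L "$so_dir" ]; then
        echo "refusing: $so_dir is a symlink" >&2
        return 1
    fi
    mkdir -p "$1" || return 1
    if [ -d "$so_dir" ]; then
        # Keep existing objects for inspection instead of deleting them.
        mv "$so_dir" "$1/SharedObjects.bak.$(date +%s)" || return 1
    fi
    : > "$so_dir" && chmod 0400 "$so_dir"
}
```

Run `list_lso_domains "$HOME/.macromedia/Flash_Player"` first to see which sites have stored objects, then `block_lso` on the same path. A site that relies on the Flash object to recognize the computer will then fall back to whatever extra login steps it uses when the object is absent.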