Slashdot Mirror


Should Online Banking Use Flash for Verification?

larrystotler asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac, since Flash Player is not available for it (haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"

8 of 139 comments

  1. No. by Anonymous Coward · · Score: 3, Interesting

    It's simply irresponsible to permanently store security credentials on the client. Also call and ask them how long they spent auditing the source code for flash player before implementing this.

  2. Re:No. by Bastardchyld · · Score: 2, Interesting

    I agree. When my money is involved I don't want any sort of additional "feel good" authentication. Unless of course it is physical, such as an RSA token. That way if it goes missing I can report it as such. How will you know if someone figures out how to move that Flash object from one computer to another? How will you know?

    Although I must admit ING Direct has a pretty good "feel good" authentication. It will at least make it more difficult to determine your password over your shoulder.

    --
    $diff terrorists hippies
    $
    $rm -rf *terrorists *hippies

  3. The only reason I can think of... by Kelson · · Score: 2, Interesting

    ...is to use two sets of authentication tokens, like this:

    1. Connect via HTTPS
    2. Log in. Site sets tokens (with expiration times) in cookies and Flash data.
    3. If cookies and Flash data disagree, assume the connection has been hijacked by another app on the PC and discontinue session.
    4. Delete tokens on log-out.

    I'm not sure if this would actually accomplish anything, and I'm not exactly thrilled about requiring a third-party plug-in, but it's the only thing I can think of that might actually be useful.

    1. Re:The only reason I can think of... by Bandman · · Score: 2, Interesting

      My bank does this, but I still have to log in every time. If it detects that I have the Flash data, it only asks for my username and password. If it doesn't see the data, it asks for the username/password AND one of my security questions.

  4. What? by Bogtha · · Score: 2, Interesting

    If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.

    If somebody is erasing all their cookies, chances are they don't want you hiding data elsewhere too. What happens when one of your customers wipes their cookies before selling their computer, and the buyer fishes out the sensitive data from the Flash storage instead because you've overridden their wishes?

    --
    Bogtha Bogtha Bogtha

  5. Re:The need for standards. by Anonymous Coward · · Score: 2, Interesting

    they all have to develop these proprietary technologies

    No, they could just use SSL Client Certificates. The standard already exists, and is implemented in most browsers.

    IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know".

    On the net everything devolves to "something you know" until matter transporters are invented.

  6. Flash and Video by rice_web · · Score: 2, Interesting

    Actually, Flash has the potential to revolutionize online security. With the increasing numbers of webcams, users could opt to require a "video signature" to log on, in addition to regular password credentials. The video signature could quickly be checked by a company like Brinks to see if the remote user is the correct user, and grant access to the user accordingly once the correct password has been provided.

    --
    The Political Programmer

  7. Wrong approach - use SmartCards by Anonymous Coward · · Score: 1, Interesting

    It's just the banks being stupid and tight. They do everything to protect their massive profits, while doing the least amount possible to protect their clients' funds.

    They should simply switch to using smartcards. Use them as part of a client-side HTTPS handshake (i.e. you need to insert your smartcard). Offer it as an additional service to their customers.

    I see card readers in all kinds of shops that take the standard magnetic reader - and have a spot where you could insert a smartcard.

    Windows has had support for Smartcards since the days of NT 4.0.

    Linux has support as well (Fedora Core 6 installs it by default).

    The readers are cheap to get for your PC - have a look on eBay.

    Deploying more software to the clients' computers is not the answer. It just creates more long-term support issues for them.