Slashdot Mirror


Should Online Banking Use Flash for Verification?

larrystotler asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it (haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"

31 of 139 comments

  1. No. by pipatron · · Score: 5, Insightful

    No.

    Next question?

    --
    c++; /* this makes c bigger but returns the old value */
    1. Re:No. by FunkyELF · · Score: 2, Insightful

      Next Question:

      Should they use it at all?

    2. Re:No. by Bastardchyld · · Score: 2, Interesting

      I agree. When my money is involved I don't want any sort of additional "feel good" authentication. Unless of course it is physical such as an RSA token. That way if it goes missing I can report it as such. How will you know if someone figures out how to move that Flash object from one computer to another? How will you know?

      Although I must admit ING Direct has a pretty good "feel good" authentication. It will at least make it more difficult to determine your password over your shoulder.

      --
      $diff terrorists hippies
      $
      $rm -rf *terrorists *hippies
    3. Re:No. by spyder913 · · Score: 2, Insightful

      Also no, unless they are using it to show funny animations (the only real good use of flash so far).

    4. Re:No. by SatanicPuppy · · Score: 5, Insightful

      No.

      Bank sites should be as server-side as possible. Anything else opens the user up to exploits; I'm not even a big fan of their push toward Ajax. Putting a lot of effort into cosmetic widgets is problematic at best.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    5. Re:No. by Anonymous Coward · · Score: 2, Insightful

      Internet Explorer is the client's choice; there are other web browsers. Not so with Flash Player. No excuse for requiring JavaScript or Flash in a banking application, especially not for authentication.

  2. Requiring additional browser plugins is a bad idea by Richard+Steiner · · Score: 2, Insightful

    The idea itself isn't bad, but the requirement to install a third-party software add-on isn't, especially one which is only available for a few platforms.

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  3. No. by Anonymous Coward · · Score: 3, Interesting

    It's simply irresponsible to permanently store security credentials on the client. Also call and ask them how long they spent auditing the source code for flash player before implementing this.

  4. NO! by Anonymous Coward · · Score: 2, Insightful

    Use SSL Client Certificates.

    EOM. (Temojen at work)

  5. Re:Requiring additional browser plugins is a bad i by TheGreek · · Score: 5, Funny
    The idea itself isn't bad, but the requirement to install a third-party software add-on isn't, especially one which is only available for a few platforms.
    I think you misspelled "99% of the people who use the Internet."
  6. The only reason I can think of... by Kelson · · Score: 2, Interesting

    ...is to use two sets of authentication tokens, like this:

    1. Connect via HTTPS
    2. Log in. Sites sets tokens (with expiration times) in cookies and Flash data.
    3. If cookies and Flash data disagree, assume the connection has been hijacked by another app on the PC and discontinue session.
    4. Delete tokens on log-out.

    I'm not sure if this would actually accomplish anything, and I'm not exactly thrilled about requiring a third-party plug-in, but it's the only thing I can think of that might actually be useful.

    1. Re:The only reason I can think of... by Bandman · · Score: 2, Interesting

      My bank does this, but I still have to log in every time. If it detects that I have the Flash data, it only asks for my username and password. If it doesn't see the data, it asks for the username/password AND one of my security questions.
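    The four-step scheme Kelson outlines, with Bandman's variant for the case where the second store is simply absent, as an added example that is not part of either post and not any bank's code. It stands in for the Flash store with a generic second client-side token ("plugin"); the token format, the HMAC key, the 15-minute lifetime and the result names are assumptions. The server keeps the only state that matters (which sessions are live); the tokens just name a session and carry an expiry, and each is MACed together with its store name so a cookie token cannot be replayed in the other store.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the thread or from any bank. It implements the
# two-store session check described above: the server issues one token for the
# cookie jar and one for a second client-side store (a stand-in for Flash data,
# called "plugin" here), and every request must present both. Names, TTL and
# key are assumptions.

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; load from a secret store in practice
TOKEN_TTL = 15 * 60  # assumed lifetime in seconds
STORES = ("cookie", "plugin")


def _sign(session_id: str, store: str, expires: int) -> str:
    """HMAC over (session id, store name, expiry); including the store name
    means a cookie token cannot be presented as a plugin token or vice versa."""
    msg = f"{session_id}|{store}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tokens(session_id: str, now: float) -> dict:
    """Build the pair of tokens set at login, both carrying the same expiry."""
    expires = int(now) + TOKEN_TTL
    return {store: f"{session_id}.{expires}.{_sign(session_id, store, expires)}"
            for store in STORES}


def parse_token(token, store: str, now: float):
    """Return the session id a token asserts, or None if the token is
    malformed, expired, or fails the MAC for this store."""
    if not isinstance(token, str):
        return None
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    session_id, expires, mac = parts[0], int(parts[1]), parts[2]
    if expires < now:
        return None
    if not hmac.compare_digest(mac, _sign(session_id, store, expires)):
        return None
    return session_id


class SessionServer:
    """Server-side session table: the tokens only identify a session, and all
    state that matters lives here. Step 1 (HTTPS) is assumed to be handled by
    the transport layer outside this class."""

    def __init__(self):
        self.active = set()

    def login(self, now: float):
        """Step 2: after the password check, create a session and issue both tokens."""
        session_id = secrets.token_hex(16)
        self.active.add(session_id)
        return session_id, issue_tokens(session_id, now)

    def check(self, cookie_token, plugin_token, now: float) -> str:
        """Step 3, run on every request. Returns one of:
        'ok'        both stores agree on a live session
        'step-up'   second store absent (no plugin, wiped data): ask the extra questions
        'reauth'    a presented token is missing, expired or forged: full login again
        'hijacked'  the stores name different sessions: terminate the session
        """
        cookie_sid = parse_token(cookie_token, "cookie", now)
        if cookie_sid is None or cookie_sid not in self.active:
            return "reauth"
        if plugin_token is None:
            return "step-up"
        plugin_sid = parse_token(plugin_token, "plugin", now)
        if plugin_sid is None:
            return "reauth"
        if plugin_sid != cookie_sid:
            self.active.discard(cookie_sid)  # discontinue the session, as the post suggests
            return "hijacked"
        return "ok"

    def logout(self, session_id: str):
        """Step 4: drop the session; the client-side tokens are then worthless."""
        self.active.discard(session_id)


if __name__ == "__main__":
    srv = SessionServer()
    sid, tok = srv.login(time.time())
    print(srv.check(tok["cookie"], tok["plugin"], time.time()))  # 'ok'
    print(srv.check(tok["cookie"], None, time.time()))           # 'step-up'
```

    The distinction between an absent second token (step-up, per Bandman's bank) and a present-but-different one (hijacked, per Kelson's step 3) is the design point: a missing store is a normal state for a client without the plugin, whereas two stores naming different sessions is not something a legitimate client produces.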

  7. Dear Slashdot, by American+AC+in+Paris · · Score: 5, Funny

    Recently, I've moved from a house that had an electric water heater to a house with a gas water heater. Sadly for me, this means that I'll no longer be able to use my custom-built circuit monitoring hardware (which uses a Linux-based electricity usage tracking app I wrote myself!) to estimate what percentage of my monthly electrical bill was used to generate hot water. However, the real question is: is it really a good idea to pound on the gas main with a ball-peen hammer?

    --

    Obliteracy: Words with explosions

    1. Re:Dear Slashdot, by ajlitt · · Score: 2, Funny

      Of course not. An acetylene torch is the appropriate destructor for a gas main.

  8. What? by Bogtha · · Score: 2, Interesting

    If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.

    If somebody is erasing all their cookies, chances are they don't want you hiding data elsewhere too. What happens when one of your customers wipes their cookies before selling their computer, and the buyer fishes out the sensitive data from the Flash storage instead because you've overridden their wishes?

    --
    Bogtha Bogtha Bogtha
  9. Uh, no. by jafiwam · · Score: 2, Informative

    If they are using Flash and a feature intended to help make sure they know you are using a computer you previously used, it helps (like a cookie).

    As part of a multi-factor authentication system it can help.

    They probably are not using it as the primary authentication (account number, password). (If they are, they'll get shut down quickly.)

    If your platform can't handle the Flash, chances are they'll make you go through a longer more customized login procedure, like answer previously arranged "security questions" and so on. It will be slower, but it will work.

    There are some pretty aggressive new regulations concerning online banking login methods, so more and more of this stuff will be appearing. They will all still have a primary user/pass combo of some kind though.

  10. Re:Short term memory loss? by Bogtha · · Score: 2, Informative

    From this article:

    This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac

    From the article you point to:

    The official Adobe Linux Flash blog has announced that Flash player for x86 Linux is now final

    --
    Bogtha Bogtha Bogtha
  11. The real question... by MagicM · · Score: 4, Insightful

    The real question is: should any bank make it easy to "register your computer with them so that you don't have to go through the new extra security steps"? The answer of course is "no". If I break into your house and steal your computer, I now also have access to your bank account (which you probably have a handy bookmark for to make it even easier). Also, anyone you trust into your house (babysitter, etc.) can now get into your bank account.

    Banks shouldn't make it easy to remove the "what you know"-part of the authentication. It's there for a reason.

    (Then again, I probably misunderstood what "the new extra security steps" are. But there ya go.)

  12. Cue the Flash Bashing in 3... 2... 1... by mad.frog · · Score: 2, Insightful

    Regardless of the actual security issues, asking "Should Flash be used for (fill in blank here)?" on Slashdot is a question that I think we all know the probable responses to already...

  13. The need for standards. by Vellmont · · Score: 3, Insightful

    However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"

    This is a foolish, short sighted strategy. Do you really think Flash is going to be the same 5 years from now? Is it even going to exist in 10 years? Does this solution even address the real security concerns, or is it just an ugly hack dreamed up by some people that have no other solution? I'd say the latter.

    Banks need to get together and solve this problem outright. It's hurting all of them because they all have to develop these proprietary technologies (that only wind up sucking). They need to get together and find someone they all trust to lead development of a technology to secure transactions. If they were smart they'd hire someone like Bruce Schneier to design and oversee development of a system for them to secure web transactions.

    IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know". In other words a hardware device of some type that plugs into a USB port, and verifies that:

    A. You're talking to the bank you think you are. Thus avoiding phishing attacks that get people to connect to sites pretending to be the bank.

    B. That you are who you say you are.

    Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.

    --
    AccountKiller
    1. Re:The need for standards. by Anonymous Coward · · Score: 2, Interesting
      they all have to develop these proprietary technologies

      No, they could just use SSL Client Certificates. The standard already exists, and is implemented in most browsers.

      IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know".

      On the net everything devolves to "something you know" until matter transporters are invented.

  14. No web site should make Flash a REQUIREMENT by pyite69 · · Score: 3, Insightful

    Flash is ok to add eye candy and a sound track.

    However, all web sites should be usable by someone who doesn't use flash at all.

  15. Adobe Flash Player Version Penetration by jamesbulman · · Score: 2, Informative

    Just to sprinkle some numbers into the discussion...

    http://www.adobe.com/products/player_census/flashplayer/version_penetration.html

  16. Wrong kind of flash. by stile99 · · Score: 2, Insightful

    Flash drive? Yeah sure, I might consider accepting a dongle of sorts and popping it into the USB port when I want to access my account info. Of course, you still need the password and pin and all the other fun stuff, if just the dongle itself could access my account I'd smash it with a hammer.

    Flash software? Were my credit union (what's a bank?) to require this, I would close my account in a...well, you know.

  17. Flash 9 is Out for Linux by DJ_Adequate · · Score: 2, Insightful

    Not commenting on whether this is a good idea, but the article states that there is no Flash player for Linux. Actually, Adobe just released a Linux version of Flash Player 9 a few days ago. And even before that you could install version 7. So you can remove crippling Linux users as a reason to bash this.

  18. Flash and Video by rice_web · · Score: 2, Interesting

    Actually, Flash has the potential to revolutionize online security. With the increasing numbers of webcams, users could opt to require a "video signature" to log on, in addition to regular password credentials. The video signature could quickly be checked by a company like Brinks to see if the remote user is the correct user, and grant access to the user accordingly once the correct password has been provided.

    --
    The Political Programmer
  19. Security questions by MCZapf · · Score: 2, Informative
    This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it (haven't tested it yet).

    Not necessarily. It sounds like, if you use the plugin, the bank won't ask you those stupid "security questions" at login time, since they will be able to "recognize the computer."

    Ideas for security questions:
    • What is the name of the second-largest river that flows through the town where your grandmother on your father's side bought her first four-door car?
    • OK, what's your REAL password?
  20. Re:Requiring additional browser plugins is a bad i by Sancho · · Score: 3, Insightful

    It goes beyond 'neo-luddites'. We have open standards for a reason--and that reason is so that if I want to create a platform and communicate with the existing infrastructure, I have everything that I need to make an application on that platform that will work with everyone else. The HTML specification is an excellent example of this. People have made HTML rendering engines for almost every device that has an IP address, and for many that don't, as well (my old Palm IIIxe had an offline webpage reader).

    When you throw closed standards into the mix, you start making things harder. If my platform of choice doesn't have an HTML renderer, I can write one. If my platform of choice doesn't have a Flash player, I can't. I either do without Flash, or I switch platforms.

    Of course, some people can't switch platforms. My Windows Mobile 5.0 phone doesn't work with Flash--at least, the default browser doesn't. If I use NetFront, I can get Flash 7. Will this banking website work with that, or will Flash 9 be required?

    My only problem with this is that the standard isn't open. If it's an open standard, even one for which my platform of choice has no current support, I'm ok with it. If it's a closed standard, the answer is 'no'.

  21. Wrong answer by mrchaotica · · Score: 2, Funny

    You must be mistaken. The correct answer is "Hell, no! " or "Fuck, no!" or "No, and you should be executed for having suggested it!"

    Hope that clears things up. : )

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  22. Some more info by larrystotler · · Score: 2, Informative
    Here's a little more info, but some of it has already been covered by other replies:

    1. They use the Cookies and/or Flash to negate the requirement of answering "up to" 3 extra security questions. They still require you to use your password regardless of anything else. (Of course, if your password is on a post-it note on your monitor and your computer gets stolen.....kinda makes it easier, especially in the case of a laptop.)

    2. I haven't fired up my PowerMac 9600 to see if I can even log into my account, but I doubt it since I have to click on the Flashblock icon to even be able to get to the logon on my Dell.

    3. I have Firefox set to clear private data when it is closed. The Flash part is supposed to "help" verify my computer if the cookies aren't present. This would ONLY apply if I actually "register" my computer with the bank, which I don't foresee myself doing since I have a computer in about every room except the bathroom.

    4. Does Flash store information about my browsing history on my system that would allow such a verification? If so, then it sounds like it needs to be removed from my system in my interest of a secure experience.

    5. Reminds me of how a large sat TV company requires its dealers to use IE6/ActiveX to input Credit Card info and Social Security numbers to create an account because it was the "Most secure" way to do it.....

  23. Re:Requiring additional browser plugins is a bad i by finkployd · · Score: 3, Insightful

    I guess we are cool giving a big "FU!" to anyone who is disabled (blind) and using a specialized browser. After all, 99% of the population can see just fine. For that matter, let's get rid of all those damn wheelchair ramps cluttering up the place.

    Finkployd