
Should Online Banking Use Flash for Verification?

Cliff posted more than 7 years ago | from the is-this-really-a-good-idea dept.

Security 139

larrystotler asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it (haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"


139 comments


No. (5, Insightful)

pipatron (966506) | more than 7 years ago | (#17666730)

No.

Next question?

Re:No. (2, Insightful)

FunkyELF (609131) | more than 7 years ago | (#17666786)

Next Question:

Should they use it at all?

Re:No. (2, Insightful)

spyder913 (448266) | more than 7 years ago | (#17666828)

Also no, unless they are using it to show funny animations (the only real good use of flash so far).

Re:No. (1)

LordWoody (187919) | more than 7 years ago | (#17670370)

Actually Flash is quite useful for creating mostly cross platform applications (consider business/government audiences), not just animations and simple games although it does excel in those uses. The company I work for solved the need for an interface for cross platform requirements by writing an entire interface in Flash. Flash allows you to frame, create menus, show graphs, transport data back and forth between the client and server, create secondary windows, have frames and windows trigger events in other frames and windows, trigger print jobs and so forth. With Linux being brought up to Flash 9, the ability to use the latest flash backend (flex, aka actionscript3) actually simplifies our work. Classes, data types, it's there. It does not require client side compiles (eg java byte code) and runs faster than cross platform java can dream of. We cover Windows, MacOSX, and Linux x86 (and x86_64 with the 32 to 64 wrapper for Mozilla products) all with one fell swoop.

Your perception probably stems from a lack of exposure. I assure you though that Flash can do much more and that you will be experiencing it more and more as time moves on. That a bank has noticed Flash's capability only now surprises me. Although I see yet a whole new opportunity for phishers preying on the weak-minded.

Re:No. (1)

spyder913 (448266) | more than 7 years ago | (#17672538)

Definitely a lack of exposure. I've not yet personally seen apps like that, and I'm sure it's nice to not have to worry about the stuff you do with a web app (like cross browser display issues). From my personal experience though, flash is almost always well used for animations or games, or badly used to make an interface that's fancier (and clunkier) than a regular website. So I guess it's just like any other tool. Use it well and we won't have to complain about it =)

Re:No. (1)

kwark (512736) | more than 7 years ago | (#17672736)

"It does not require client side compiles (eg java byte code) and runs faster than cross platform java can dream of."

You sure know what you are talking about:
http://www.adobe.com/cfusion/search/index.cfm?loc=en_us&term=AVM2+JIT [adobe.com]

To summarize. The JVM is slow because of bytecode since it has to be compiled to native code on the client. AVM2 is fast because by using bytecode it can compile to the most effective native code possible.

Re:No. (1)

SpaceLifeForm (228190) | more than 7 years ago | (#17666974)

No, I recommend that they all find another bank.

Re:No. (5, Insightful)

SatanicPuppy (611928) | more than 7 years ago | (#17667130)

No.

Bank sites should be as server-side as possible. Anything else opens the user up to exploits; I'm not even a big fan of their push toward Ajax. Putting a lot of effort into cosmetic widgets is problematic at best.

Re:No. (1)

sumdumass (711423) | more than 7 years ago | (#17670926)

On the side of server-side versus using the host computer: could someone controlling a virus that takes advantage of some undisclosed or patched exploit obtain these files and then give access to the bank and account information to the virus's controller?

It is common for security holes to go long periods of time before they are discovered, patched, or the user actually applies the patch for varying reasons. I would hope this doesn't give someone a new approach to identity theft or fraud.

BTW, I wonder if the Flash cookie could be accessed in similar ways as the regular cookie. I have heard of web pages asking for cookie information from websites other than themselves (think DoubleClick). I'm wondering how much information could be acquired by requesting both these files and comparing them or using them in connection with each other. It seems one request for bank A's cookie could be used to gather information based on the account and then present a Flash login with the stored account information of the Flash file. Then, if people have the remember-password thing set, it might be possible to generate a submit after a certain time frame and steal not only the password, but the username and account info. Now craft this into a nifty email and send it to Outlook users and see what happens.

I would hope this isn't possible. I just thought of it in the time it took to write the post. Of course, I'm not a web programmer/hacker or bad guy in general, so this could just be unfounded fear combined with Hollywood-like over-glamorization of programming web stuff.

Re:No. (1)

elyk (970302) | more than 7 years ago | (#17671976)

Exactly. It's difficult enough to defend against cross-site cookie attacks, and supporting both cookie and Flash-based authentication adds another layer, and one that the site owner cannot as easily defend against. There's not the same standards documentation for Flash as there is for cookies. They also fail to mention that what they claim is a feature, that you're less likely to delete your authentication info, is also another large security flaw that makes it more difficult to manually delete your login info in the event that their web-based logout system malfunctions. Ideally, anything as sensitive as bank accounts should not even have a remember-password option, but I guess that's a tradeoff between security and convenience, and many consumers prefer convenience.

Re:No. (2, Interesting)

Bastardchyld (889185) | more than 7 years ago | (#17666820)

I agree. When my money is involved I don't want any sort of additional "feel good" authentication. Unless of course it is physical, such as an RSA token. That way if it goes missing I can report it as such. How will you know if someone figures out how to move that Flash object from one computer to another? How will you know?

Although I must admit ING Direct has a pretty good "feel good" authentication. It will at least make it more difficult to determine your password over your shoulder.

Wrong answer (2, Funny)

mrchaotica (681592) | more than 7 years ago | (#17668334)

You must be mistaken. The correct answer is "Hell, no! " or "Fuck, no!" or "No, and you should be executed for having suggested it!"

Hope that clears things up. : )

Re:Wrong answer (1)

silentounce (1004459) | more than 7 years ago | (#17670668)

You forgot the part about calling them a Nazi. This is the internet after all.

Re:No. (1)

matt_king (19018) | more than 7 years ago | (#17668636)

There are plenty of resources for the banking community out there that can help you. If this is a US bank, remember that there are several laws and regulations you need to comply with, such as GLBA, FFIEC, FISMA, etc.

Flash is evil and can be life-threatening! (1)

MrBoombasticfantasti (593721) | more than 7 years ago | (#17670140)

Flash is only used for ads and other blinking crap. It bloats pages making them load slower.


Right now, there is a severe storm in Europe. People have died, thousands are stranded and can't get home tonight because of closed roads and shutdown public transport. The official emergency site to keep people informed about this crisis has been unreachable for most of the day. Why? Because the front page is riddled with Flash applets. Because of this the servers are severely overloaded. Nice going, for an emergency service.


Don't use Flash, it's dangerous.

Requiring additional browser plugins is a bad idea (2, Insightful)

Richard Steiner (1585) | more than 7 years ago | (#17666740)

The idea itself isn't bad, but the requirement to install a third-party software add-on isn't, especially one which is only available for a few platforms.

Re:Requiring additional browser plugins is a bad i (5, Funny)

TheGreek (2403) | more than 7 years ago | (#17666916)

The idea itself isn't bad, but the requirement to install a third-party software add-on isn't, especially one which is only available for a few platforms.
I think you misspelled "99% of the people who use the Internet."

Re:Requiring additional browser plugins is a bad i (1)

Richard Steiner (1585) | more than 7 years ago | (#17667470)

I know a number of people who don't know enough to install plugins, so your 99% figure is highly suspect. :-)

Re:Requiring additional browser plugins is a bad i (1)

TheGreek (2403) | more than 7 years ago | (#17667572)

I know a number of people who don't know enough to install plugins, so your 99% figure is highly suspect. :-)
1) You said "available," not "installed."

2) I can't remember the last time I've actually had to download and install Flash player. It's either been installed already or the browser took care of it for me.

Re:Requiring additional browser plugins is a bad i (1)

Scaba (183684) | more than 7 years ago | (#17667800)

It's somewhere between 96% [adobe.com] and 98% [adobe.com] . Persons who don't know enough to install plugins most likely bought a PC with said plugins pre-installed [adobe.com] . Pretty much the only persons who don't have Flash installed are the neo-Luddites who hang out here.

Re:Requiring additional browser plugins is a bad i (1)

Nutria (679911) | more than 7 years ago | (#17668076)

Pretty much the only persons who don't have Flash installed are the neo-Luddites who hang out here.

Them, and non-x86 Linux users.

There are so few *BSD users that we won't even mention them...

Re:Requiring additional browser plugins is a bad i (1)

Scaba (183684) | more than 7 years ago | (#17668178)

Non-x86 Linux users and Slashdot neo-Luddites. Oddly enough, those two groups have almost 100% overlap.

Re:Requiring additional browser plugins is a bad i (1)

mattdev121 (727783) | more than 7 years ago | (#17669956)

I have flash running on my amd64 linux laptop (that I'm using to write this comment). You have to jump through a few hoops with nspluginwrapper to get it to work with 64-bit Firefox but it hasn't crashed ye---

Re:Requiring additional browser plugins is a bad i (1)

Nutria (679911) | more than 7 years ago | (#17672082)

Slashdot neo-Luddites

How is a Slashdot neo-Luddite different from a regular Luddite?

Re:Requiring additional browser plugins is a bad i (3, Insightful)

Sancho (17056) | more than 7 years ago | (#17668294)

It goes beyond 'neo-luddites'. We have open standards for a reason--and that reason is so that if I want to create a platform and communicate with the existing infrastructure, I have everything that I need to make an application on that platform that will work with everyone else. The HTML specification is an excellent example of this. People have made HTML rendering engines for almost every device that has an IP address, and for many that don't, as well (my old Palm IIIxe had an offline webpage reader).

When you throw closed standards into the mix, you start making things harder. If my platform of choice doesn't have an HTML renderer, I can write one. If my platform of choice doesn't have a Flash player, I can't. I either do without Flash, or I switch platforms.

Of course, some people can't switch platforms. My Windows Mobile 5.0 phone doesn't work with Flash--at least, the default browser doesn't. If I use NetFront, I can get Flash 7. Will this banking website work with that, or will Flash 9 be required?

My only problem with this is that the standard isn't open. If it's an open standard, even one for which my platform of choice has no current support, I'm ok with it. If it's a closed standard, the answer is 'no'.

Re:Requiring additional browser plugins is a bad i (1)

buzzbomb (46085) | more than 7 years ago | (#17667846)

Don't believe the Macromedia/Adobe hype. Of course they're gonna tell you that everyone has Flash.

I did my own checking on a busy non-biased (i.e. non-geeky) site a few years ago. I came up with around 73% market penetration. And this was BEFORE all the overlay Flash ads and pop-ups were so prevalent. For the record, MM was still claiming 97+% of users had it installed back then.

In all fairness, this was before Flash video had arrived with Youtube and Google Vids, etc.

Re:Requiring additional browser plugins is a bad i (0)

TheGreek (2403) | more than 7 years ago | (#17667976)

Of course they're gonna tell you that everyone has Flash.
I didn't say everyone has Flash, because that would have been simply retarded.

I said Flash is available for 99% of internet users.

Re:Requiring additional browser plugins is a bad i (3, Insightful)

finkployd (12902) | more than 7 years ago | (#17669290)

I guess we are cool giving a big "FU!" to anyone who is disabled (blind) and using a specialized browser. After all 99% of the population can see just fine. For that matter lets get rid of all those damn wheelchair ramps cluttering up the place.

Finkployd

Why flash? (1, Informative)

Anonymous Coward | more than 7 years ago | (#17666744)

I hope they're not using flash just to obscure the source code, as it is very easy to get to it with a decompiler like flare [nowrap.de] ...

Re:Why flash? (1)

Kelson (129150) | more than 7 years ago | (#17666866)

Judging by the quote in the summary, it sounds like it's a way to work around cookies being disabled/deleted.

HELL NO! (0)

Anonymous Coward | more than 7 years ago | (#17666756)

Really.

Don't start these topics.... (1)

PablosBrain (71669) | more than 7 years ago | (#17666792)

Don't start these topics without trying to find the answer yourself first...
Haven't tested it yet...
"...since Flash Player is not available for it(haven't tested it yet)."
Test it and do some research first...

I would agree with Richard Steiner (1585) that the idea is a good one... though the third party requirement is bogus.

No. (3, Interesting)

Anonymous Coward | more than 7 years ago | (#17666806)

It's simply irresponsible to permanently store security credentials on the client. Also call and ask them how long they spent auditing the source code for flash player before implementing this.

Re:No. (1)

Anonymous Coward | more than 7 years ago | (#17666936)

Also call and ask them how long they spent auditing the source code for flash player before implementing this.
Probably about the same amount of time they spent auditing the source code for Internet Explorer, idiot.

Re:No. (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17667456)

Internet Explorer is the client's choice; there are other web browsers, not so with Flash Player. No excuse for requiring JavaScript or Flash in a banking application, especially not for authentication.

Re:No. (1)

lord aDam (860397) | more than 7 years ago | (#17668096)

It's simply irresponsible to permanently store security credentials on the client

Flash doesn't need to store information permanently on the client side. Flash can communicate with any dynamic pages (Coldfusion, ASP, PHP, etc) asynchronously, like AJAX can.

Re:No. (0)

Anonymous Coward | more than 7 years ago | (#17669160)

Flash doesn't need to store information permanently on the client side. Flash can communicate with any dynamic pages (Coldfusion, ASP, PHP, etc) asynchronously, like AJAX can.
So where's the auth token it sends to identify you come from then Einstein? Try reading the summary next time:

This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.'

Well not really (1)

goldcd (587052) | more than 7 years ago | (#17669918)

It's like comparing locking your front door with a key or a pin-code.
A key's a physical object you can physically protect. A PIN code doesn't have to be carried, which is both a benefit and a disadvantage.
It's quite interesting actually. Pretty much everybody locks their house with a physical token (a key) and accesses online services with pin/password - and consider this is secure.
If you reversed it, they'd be convinced somebody else would guess, brute-force their front door and would complain about carrying around an RSA token for every site they use (Paypal have just started to introduce tokens and I bet the take-up is pathetic)

Change bank (0)

Anonymous Coward | more than 7 years ago | (#17666842)

Vote with your wallet.

NO! (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17666882)

Use SSL Client Certificates.

EOM. (Temojen at work)

Re: Should Online Banking.. WHERE `rsstool_dl_url` (0)

Anonymous Coward | more than 7 years ago | (#17666890)

Sure! Voting machines don't use Flash... so Flash must be secure.

I don't like flash shared objects (1, Informative)

Anonymous Coward | more than 7 years ago | (#17666950)

I don't like flash shared objects. You can disable them outside of flash by fudging up Flash's directory structure (essentially creating a file in place of the directory so flash can't recreate it). Instructions and bash file are available here [elifulkerson.com] .
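The trick the AC describes (put a plain file where Flash Player expects its shared-object directory, so the player cannot recreate it) is simple enough to script. What follows is an added example, not the bash file linked in the comment; the two paths under `~/.macromedia` are the locations the Linux player is assumed to use for shared objects and its settings store, and the `demo_on_tempdir` helper exists only to exercise the function on a throwaway home directory.

```python
"""Block Flash Local Shared Objects by occupying the directory names the
player writes them to with empty regular files.  Added example for the
Slashdot thread; the paths below are assumed, not taken from Adobe docs."""
import os
import shutil
import tempfile

# Assumed Linux Flash Player storage locations, relative to $HOME.
LSO_DIRS = [
    ".macromedia/Flash_Player/#SharedObjects",
    ".macromedia/Flash_Player/macromedia.com/support/flashplayer/sys",
]


def block_flash_lso(home):
    """Replace each LSO directory under `home` with a zero-byte file.

    Any shared objects already stored there are deleted.  Returns a dict
    mapping each relative path to "blocked" or "already-blocked".
    """
    results = {}
    for rel in LSO_DIRS:
        path = os.path.join(home, rel)
        if os.path.isfile(path):
            results[rel] = "already-blocked"
            continue
        if os.path.isdir(path):
            shutil.rmtree(path)  # drop whatever a site stored here
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):  # the file now owns the name
            pass
        os.chmod(path, 0o444)  # read-only, so a stray write fails loudly
        results[rel] = "blocked"
    return results


def lso_writable(home):
    """True if the player could still create a shared object under `home`."""
    return any(not os.path.isfile(os.path.join(home, rel)) for rel in LSO_DIRS)


def demo_on_tempdir():
    """Seed a scratch home with a constructed .sol file, then block it.

    Returns (block results, writable before, writable after).
    """
    home = tempfile.mkdtemp(prefix="flashhome-")
    sol_dir = os.path.join(home, LSO_DIRS[0], "bank.example", "settings")
    os.makedirs(sol_dir)
    with open(os.path.join(sol_dir, "device.sol"), "wb") as f:
        f.write(b"\x00\xbf")  # constructed stand-in for a shared object
    before = lso_writable(home)
    results = block_flash_lso(home)
    after = lso_writable(home)
    shutil.rmtree(home, ignore_errors=True)
    return results, before, after


if __name__ == "__main__":
    print(block_flash_lso(os.path.expanduser("~")))
```

Run it once against your real home directory; running it again reports "already-blocked". Note that this only stops the player from persisting objects, so a bank that depends on the Flash token will fall back to whatever it does for an unrecognised computer.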

uhh.. pls correct me if i am wrong but... (0)

Anonymous Coward | more than 7 years ago | (#17666972)

http://macromedia.mplug.org/ [mplug.org]

I think your linux box should be good to go with this??

Wrong architecture (1)

Kelson (129150) | more than 7 years ago | (#17667066)

The summary says that he's got Linux on a PowerMac. Neither Macromedia nor Adobe has ever released a version of Flash for Linux that runs on PowerPC, just 32-bit Intel.

The only reason I can think of... (2, Interesting)

Kelson (129150) | more than 7 years ago | (#17666976)

...is to use two sets of authentication tokens, like this:

1. Connect via HTTPS
2. Log in. Sites sets tokens (with expiration times) in cookies and Flash data.
3. If cookies and Flash data disagree, assume the connection has been hijacked by another app on the PC and discontinue session.
4. Delete tokens on log-out.

I'm not sure if this would actually accomplish anything, and I'm not exactly thrilled about requiring a third-party plug-in, but it's the only thing I can think of that might actually be useful.

Re:The only reason I can think of... (2, Interesting)

Bandman (86149) | more than 7 years ago | (#17668142)

My bank does this, but I still have to login every time. If it detects that I have the flash data, it only asks for my username and password. If it doesn't see the data, it asks for the username/password AND one of my security questions.

0 factor authentication (1)

Anonymous Coward | more than 7 years ago | (#17666984)

Surely more authentication is more better?

I'm not familiar with the specifics of Adobe Flash, but I know many people have password-less logins so how does removing authentication layers help anyone (apart from the poor user who must remember their password)? Isn't Flash just an extra attack vector on top of the existing XSS, keylogging and such?

Short term memory loss? (1)

therpham (953844) | more than 7 years ago | (#17666990)

Was there not a story about Flash for Linux within the last 72 hours? http://linux.slashdot.org/article.pl?sid=07/01/17/1315228 [slashdot.org] Anyway, I don't think it's a good idea, but it's not going to stop you from using it in Linux (in theory.) I could be wrong.

Re:Short term memory loss? (2, Informative)

Bogtha (906264) | more than 7 years ago | (#17667132)

From this article:

This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac

From the article you point to:

The official Adobe Linux Flash blog has announced that Flash player for x86 Linux is now final

Re:Short term memory loss? (1)

therpham (953844) | more than 7 years ago | (#17668072)

Whoops, my bad. Totally forgot about the whole "Macs used to not be x86" thing.

Re:Short term memory loss? (0)

Anonymous Coward | more than 7 years ago | (#17668920)

Totally forgot about the whole "Macs used to not be x86" thing.

Which sort of makes the subject appropriate for the thread...

Re:Short term memory loss? (1)

Kelson (129150) | more than 7 years ago | (#17667134)

it's not going to stop you from using it in Linux (in theory.)

It will if your Linux box runs on a PowerPC chip.

Dear Slashdot, (5, Funny)

American AC in Paris (230456) | more than 7 years ago | (#17666992)

Recently, I've moved from a house that had an electric water heater to a house with a gas water heater. Sadly for me, this means that I'll no longer be able to use my custom-built circuit monitoring hardware (which uses a Linux-based electricity usage tracking app I wrote myself!) to estimate what percentage of my monthly electrical bill was used to generate hot water. However, the real question is: is it really a good idea to pound on the gas main with a ball-peen hammer?

Re:Dear Slashdot, (1)

MagicM (85041) | more than 7 years ago | (#17667224)

ball-peen

Thank you for a very good (although incredibly immature) laughing fit.

Re:Dear Slashdot, (2, Funny)

ajlitt (19055) | more than 7 years ago | (#17669876)

Of course not. An acetylene torch is the appropriate destructor for a gas main.

Re:Dear Slashdot, (0)

Anonymous Coward | more than 7 years ago | (#17672470)

Many gas heaters now make use of an electric fan to move the exhaust out of the house. You could try monitoring that circuit and estimating using the first month's usage to figure out the $ to time ratio. Either that or thermo sensor that measures when the gas heater kicks on.

What? (2, Interesting)

Bogtha (906264) | more than 7 years ago | (#17666994)

If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.

If somebody is erasing all their cookies, chances are they don't want you hiding data elsewhere too. What happens when one of your customers wipes their cookies before selling their computer, and the buyer fishes out the sensitive data from the Flash storage instead because you've overridden their wishes?

Re:What? (1)

pilot-programmer (822406) | more than 7 years ago | (#17670860)

What happens? Exactly the same thing that would happen if they wiped cookies and flash before selling their computer. I expect that most Slashdotters wipe their drives before giving away or selling a computer, but most people just delete and think the data is gone.

Uh, no. (2, Informative)

jafiwam (310805) | more than 7 years ago | (#17667006)

If they are using Flash as a feature intended to help make sure they know you are using a computer you previously used, it helps. (Like a cookie.)

As part of a multi-factor authentication system it can help.

They probably are not using it as the primary authentication (account number, password). (If they are, they'll get shut down quickly.)

If your platform can't handle the Flash, chances are they'll make you go through a longer more customized login procedure, like answer previously arranged "security questions" and so on. It will be slower, but it will work.

There are some pretty aggressive new regulations concerning online banking login methods, so more and more of this stuff will be appearing. They will all still have a primary user/pass combo of some kind though.

Absolutely not (1, Offtopic)

tarlos25 (1036572) | more than 7 years ago | (#17667016)

More often than not, Flash is a horrible bandwidth hog and slows page loading drastically. And if someone is on a dial-up connection (which still exists in many places due to no high-speed being available, and satellite being far too expensive), any slower page loading means less likelihood of a resource being used. Plus, not everyone will have a Flash player available, especially if you're using the latest version. So do you want to alienate your customers?

Re:Absolutely not (0)

Scaba (183684) | more than 7 years ago | (#17667962)

More often than not, Flash is a horrible bandwidth hog and slows page loading drastically. And if someone is on a dial-up connection (which still exists in many places due to no high-speed being available, and satellite being far too expensive), any slower page loading means less likelihood of a resource being used. Plus, not everyone will have a Flash player available, especially if you're using the latest version. So do you want to alienate your customers?

1998 just called and they want their rant back.

Should Flash be used for verification? No (1)

Anonymous Coward | more than 7 years ago | (#17667082)

But banks get to do whatever the hell they want for the most part in the USA (subject to state regs) and so it doesn't take much for special interest groups to tell the IT departments of those banks what is the "best" way to do things and since "everybody" has flash...what's the problem? (I'm being sarcastic here)
You can argue that "they shouldn't use proprietary tech", well... if you want to push it, I'll bet you are using a computer that has proprietary tech in it somewhere and probably your ISP has a bit of a monopoly in your area and etc. etc. etc. So using proprietary flash technology isn't that big a deal for most people. (except us on Slashdot!)

In other countries, where banks are regulated by the country's main government, it is a bit harder..

The real question... (4, Insightful)

MagicM (85041) | more than 7 years ago | (#17667148)

The real question is: should any bank make it easy to "register your computer with them so that you don't have to go through the new extra security steps"? The answer of course is "no". If I break into your house and steal your computer, I now also have access to your bank account (which you probably have a handy bookmark for to make it even easier). Also, anyone you trust into your house (babysitter, etc.) can now get into your bank account.

Banks shouldn't make it easy to remove the "what you know"-part of the authentication. It's there for a reason.

(Then again, I probably misunderstood what "the new extra security steps" are. But there ya go.)

Re:The real question... (0)

Anonymous Coward | more than 7 years ago | (#17668380)

My bank does this too. The idea is that, when you're logging in from your home computer, you just enter in your usual account name and PIN; no additional hassles.

But if you're logging on from another computer -- or, if someone is phishing you, playing man-in-the-middle, or has keyboard-sniffed your password -- and tries to use it from their own computer, they're given an extra step and need to answer an additional question.

For man-in-the-middle attacks and phishing, it helps to raise the user's alertness before they give up their PIN, hopefully stopping them from going further. For keyboard-sniffers, since the extra question isn't a part of every login sequence, the sniffer hopefully won't have seen it (though I suppose they could just as easily steal the cookie -- but it's always going to be a game of cat-and-mouse with malware authors.)

In my [professional, fwiw] opinion, the extra cookie-based step is actually a smart security practice. The Flash thing I haven't given any thought to.
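The two ideas in this subthread, Kelson's "two copies of an expiring token, kill the session if they disagree" and the AC's "no recognised token means an extra question", fit together as a small piece of server-side logic. The block below is an added example, not code from the thread or from any bank: the `user|expiry|nonce|mac` token layout, the 30-day lifetime, the in-process HMAC key and the `login` signature are all assumptions made for illustration.

```python
"""Device-recognition token for a bank login, as discussed in the thread.

The server issues an HMAC-signed, expiring token and the client keeps a
copy in a cookie and (if Flash is present) in a shared object.  On login
the two copies must agree; a valid token skips the extra question, no
token or a mismatch forces the step-up.  Added example; format and
lifetimes are assumptions."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed: one secret per deployment
DEVICE_TOKEN_TTL = 30 * 24 * 3600     # assumed: recognise a device for 30 days


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_token(user: str, now: float) -> str:
    """Return 'user|expiry|nonce|mac'; the MAC ties the token to this server."""
    payload = f"{user}|{int(now) + DEVICE_TOKEN_TTL}|{secrets.token_hex(16)}"
    return f"{payload}|{_sign(payload)}"


def device_token_valid(token, user: str, now: float) -> bool:
    """True only for an untampered, unexpired token issued to `user`."""
    try:
        name, expiry, nonce, mac = token.split("|")
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return False  # missing, truncated or garbage token
    expected = _sign(f"{name}|{expiry}|{nonce}")
    return (hmac.compare_digest(mac.encode(), expected.encode())
            and name == user and now < expiry)


def login(user, password_ok, cookie_token, flash_token, answer_ok, now):
    """Decide a login attempt.  Returns (status, token_to_set).

    status is 'denied', 'step-up' (ask the security question) or 'ok'.
    answer_ok is None when no security answer was submitted yet.
    """
    if not password_ok:
        return "denied", None
    # Both client stores must tell the same story.  A disagreement means
    # one of them was replaced or tampered with, so treat the machine as
    # unrecognised rather than trusting whichever copy happens to verify.
    if cookie_token is not None and flash_token is not None \
            and cookie_token != flash_token:
        return "step-up", None
    token = cookie_token or flash_token
    if device_token_valid(token, user, now):
        return "ok", token
    if answer_ok is None:
        return "step-up", None
    if not answer_ok:
        return "denied", None
    # Question answered: register this device by issuing a fresh token.
    return "ok", issue_device_token(user, now)


if __name__ == "__main__":
    t = issue_device_token("alice", time.time())
    print(login("alice", True, t, t, None, time.time()))
```

Keep in mind what several posters point out: anything that can read the browser profile can copy both the cookie and the shared object, so a recognised device only decides whether the extra question is asked. It is not a second factor, and the password check stays in front of it.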

Cue the Flash Bashing in 3... 2... 1... (2, Insightful)

mad.frog (525085) | more than 7 years ago | (#17667192)

Regardless of the actual security issues, asking "Should Flash be used for(fill in blank here)?" on Slashdot is a question that I think we all know the probable responses to already...

Re:Cue the Flash Bashing in 3... 2... 1... (1)

OptimusPaul (940627) | more than 7 years ago | (#17668098)

This all makes me sad because I am a professional Flash and Flex developer. I personally don't see a problem with using Flash in this case as long as other steps are taken to ensure security. I also used to work for a company that did online banking for financial institutions, and from what I know about all the research we did in this area Flash is no more or less secure. One thing that it does offer over other options was we could do a captcha and still have it be accessible to vision-impaired people. So all I can say to Flash bashing is grow up, open up your mind; just because it isn't as open or "free" as whatever crap you use doesn't make it a bad idea. And don't use the argument that it isn't available for everyone; neither is the internet or banks for that matter.

The need for standards. (3, Insightful)

Vellmont (569020) | more than 7 years ago | (#17667216)


  However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"

This is a foolish, short sighted strategy. Do you really think Flash is going to be the same 5 years from now? Is it even going to exist in 10 years? Does this solution even address the real security concerns, or is it just an ugly hack dreamed up by some people that have no other solution? I'd say the latter.

Banks need to get together and solve this problem outright. It's hurting all of them because they all have to develop these proprietary technologies (that only wind up sucking). They need to get together and find someone they all trust to lead development of a technology to secure transactions. If they were smart they'd hire someone like Bruce Schneier to design and oversee development of a system for them to secure web transactions.

IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know". In other words a hardware device of some type that plugs into a USB port, and verifies that:

A. You're talking to the bank you think you are. Thus avoiding phishing attacks that get people to connect to sites pretending to be the bank.

B. That you are who you say you are.

Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.

Re:The need for standards. (2, Interesting)

Anonymous Coward | more than 7 years ago | (#17667546)

they all have to develop these proprietary technologies

No, they could just use SSL Client Certificates. The standard already exists, and is implemented in most browsers.

IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know".

On the net everything devolves to "something you know" until matter transporters are invented.

Re:The need for standards. (1)

Red Flayer (890720) | more than 7 years ago | (#17667686)

Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.

Ah, yes, the old "but it seems so simple to my admittedly uneducated self." Really, isn't it common sense that if it were that easy it would have been done already?

They need to get together and find someone they all trust to lead development of a technology to secure transactions.
Do you think it's a good idea to put everyone's eggs all in one basket, so that if an inside job compromises the single system, everyone's screwed?

Re:The need for standards. (1)

Vellmont (569020) | more than 7 years ago | (#17668766)


Ah, yes, the old "but it seems so simple to my admittedly uneducated self." Really, isn't it common sense that if it were that easy it would have been done already?

I didn't say I knew NOTHING about security/crypto, I'm just not an expert along the lines of Bruce Schneier. Sheesh, there IS a middle ground between being a total neophyte and knowing everything about something.

You seem to think the problems must obviously be technical, and that's why no one has done it yet. It's hardly ever that way in business. The problems in technology are usually just getting everyone on-board and agreeing that "something has to be done", and "we should all try to do the same thing". This is in contrast with what often happens with everyone trying to go in a different direction because they're afraid that they might wind up being screwed by some other company, or that co-operating will help the competition more than it helps them. Or maybe no one even at the company recognizes that there's a problem, so they just go on and ignore it until it becomes blindingly obvious that "something must be done".

Do you think it's a good idea to put everyone's eggs all in one basket, so that if an inside job compromises the single system, everyone's screwed?

Why would you think that security relies on one or a few people "pulling an inside job" to screw everyone? If you design the system properly, knowing the details of the implementation won't help you. If you're REALLY paranoid, just get independent reviewers to make sure there's no backdoors built into the system. Or better yet publish the standard and let anyone that wants to work on an implementation. Then choose the one you like the best.

Re:The need for standards. (1)

Red Flayer (890720) | more than 7 years ago | (#17669420)

You seem to think the problems must obviously be technical
Not at all. My point was that if there was an easy, fool-proof technical solution, it would be in place. But even when the technical aspects are rock-solid, the system isn't necessarily secure -- which is why we don't have a uniform system.

Why would you think that security relies on one or a few people "pulling an inside job" to screw everyone?
I don't. It was just the first easy example I thought of, of what can go wrong when you implement an industry-wide security method. There are plenty of others. The fact still remains, though, that someone who's cracked one bank's system will have a huge leg up on cracking other banks' systems. Why expose yourself to the extra risk when you can use a proprietary system without that risk?

Re:The need for standards. (1)

Vellmont (569020) | more than 7 years ago | (#17669990)


My point was that if there was an easy, fool-proof technical solution, it would be in place.

Well, I guess we simply disagree on why solutions aren't implemented. I don't think we live in a world where the biggest barrier to adoption of a better solution for everyone is simply technical.

The fact still remains, though, that someone who's cracked one bank's system will have a huge leg up on cracking other banks' systems. Why expose yourself to the extra risk when you can use a proprietary system without that risk?

Because a proprietary system is likely to suck rocks compared to a system that's been well studied by multiple people. Security benefits from being transparent, not through being obscure and secretive. It also benefits (like anything) from more funding that multiple banks can provide. If you don't have a lot of money to throw at a problem, you might rely on this short-term Flash-based crap rather than well-proven cryptographic authentication.

If everyone relies on a system and a flaw is found then there's more impetus (and funding) to fix the flaw rather than just hoping no one else discovers it. If you're just one little credit union relying on your proprietary solution, it becomes a lot more expensive to maintain your solution and fix any flaws you find along the way (so therefore fewer flaws will be found/fixed).

So the end result is that a well-secured system will be extremely difficult for someone to crack. A proprietary solution will be less secure. If you were a bank... which one would you choose? Hopefully you'd choose the more secure one.

Client-side certs? (1)

buzzbomb (46085) | more than 7 years ago | (#17667418)

I may be a little lost here, but if you're going to authenticate a client, why not use a client-side certificate? Is it too difficult to understand? Is the support in browsers/servers not there?

From my (limited) experience with this, it seems like it's a workable solution that would work on most browsers, no matter the OS, without a proprietary plug-in like Flash.

Re:Client-side certs? (1)

Sloppy (14984) | more than 7 years ago | (#17667802)

Bingo. If they're going to store a second password on the computer, one that is large rather than memorizable, why not use a system that was designed for exactly that purpose, by people who actually have a clue about authentication? Why is there such phobia about using the right tool for the job?

They're not storing a second password... (0)

Anonymous Coward | more than 7 years ago | (#17669368)

They're storing a token that basically says "I've authenticated myself previously from this computer" which means you -only- need to provide your account details and online banking password.

Without this token, it also asks you one of your secret questions, because you're not logging in from a previously "authenticated" computer.

Re:Client-side certs? (0)

Anonymous Coward | more than 7 years ago | (#17669764)

This very issue came up when our engineering group was tasked with securing our firm's transaction processing website. The requirement was that, in addition to username/password authentication, we needed to identify that the login was coming from an authorized computer.

Our recommendation was to use client certificates. Our product group rejected that recommendation because it was deemed "too hard" to manage client certificates. The solution that they insisted on used... wait for it.... COOKIES.

I hope not... (1)

creimer (824291) | more than 7 years ago | (#17667520)

The last thing I need to hear is a talking Bank of America ATM screaming when a dirty old man flashes for verification.

No web site should make Flash a REQUIREMENT (3, Insightful)

pyite69 (463042) | more than 7 years ago | (#17667582)

Flash is ok to add eye candy and a sound track.

However, all web sites should be usable by someone who doesn't use flash at all.

Banks have been acting really dumb (1)

Sloppy (14984) | more than 7 years ago | (#17667676)

Obviously requiring closed (therefore unauditable, therefore not even possible to secure) software is a bad idea. I'm not even sure how someone gets as far as the question "is this a good idea?" since it has absolutely nothing positive going for it at all.

The cookie thing is really stupid, too. My credit union made everyone use it a month or two ago. The only thing it does, is make things less convenient. Since I don't save cookies, I have to "verify" every time I log in. That means I have to answer three questions. It's just another password! Except unlike my old password (which I made up and keep in my head) these passwords are answers to real world questions, which means someone who isn't me could look up the answers. Brilliant.

Re:Banks have been acting really dumb (0)

Anonymous Coward | more than 7 years ago | (#17668106)

When you set up the questions, you don't have to enter the correct ones. For example, if it asks for your mother's maiden name, put in the name of the dog you had as a kid. If it asks for your high school, add a movie title ("Clerks High", for example). Etc. Be creative as long as it's easy to remember. Save it to a file and GPG it in case you forget.

Still, I'd personally prefer to use password-protected client SSL certificates. SSL was designed for things like that. Why continue to re-invent the wheel?

Re:Banks have been acting really dumb (1)

renelicious (450403) | more than 7 years ago | (#17668146)

Okay I'll out myself, I work for a bank. The banks are not the ones acting stupidly, it's the banks' regulators. The use of Cookies/Flash is caused by the FFIEC's (use Google to find out what that is) new Multi Factor Authentication requirements for banks' websites.

Worst part is, many of the IT regulators already agree that MFA is worthless, however they still required banks to push its inconvenience onto their customers. It's been a pretty large hassle on the banks' end as well and it costs us thousands of dollars to implement something that their own people agree is a waste of time.

To come back to the original post, from what I've seen most banks as stated are only using Flash when the cookies are cleared and they are not storing login information in Flash, just a key verifying that the computer you are using is your computer. The FFIEC requirement is that the bank has another factor of authentication that will ensure the person is who they say they are. If you don't "enroll" your computer then you'll be asked to answer an annoying security question. Of course every bank is implementing this differently, some are using pictures, others tokens, one-time email passwords, but it's all to reach the same goal.
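The "registered computer" flow that the two posts above describe (a stored token that says "this computer has been verified before", a secret question as the fallback when the token is missing, and the password required either way) as an added example. This is constructed illustration code, not code from the thread or from any bank: the user name, password, question, server key, salt and 90-day lifetime are all hypothetical. Where the token lives on the client (a cookie, or the Flash shared object the submitter objects to) is a separate matter; what the example shows is the server-side check that makes the token worth having: it is an HMAC over the user id, a random device id and an expiry, so it carries no password, is useless for any other user, and cannot be altered or extended without the server key.

```python
"""Registered-device token as a second factor (constructed example)."""
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side values. In a real deployment the key lives in an
# HSM/KMS and the salt is random per user; both are constructed for this demo.
SERVER_KEY = b"hypothetical-server-key-rotate-me"
TOKEN_TTL = 90 * 24 * 3600          # assumed policy: re-verify a device after 90 days
_SALT = b"constructed-demo-salt"
PBKDF2_ROUNDS = 100_000


def _hash(secret: str, salt: bytes = _SALT) -> bytes:
    """Salted PBKDF2 so neither passwords nor challenge answers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record; the challenge answer is a random string, as several
# posts in the thread recommend, and is stored only as a hash.
USERS = {
    "alice": {
        "password": _hash("correct horse battery staple"),
        "question": "Name of your first pet?",
        "answer": _hash("xj7_oss:19"),
    }
}


def issue_device_token(user_id: str, now=None) -> str:
    """Bind user_id to a fresh random device id and sign (user, device, expiry)."""
    now = time.time() if now is None else now
    device_id = secrets.token_hex(16)
    expires = int(now + TOKEN_TTL)
    payload = f"{user_id}|{device_id}|{expires}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_device_token(token: str, user_id: str, now=None) -> bool:
    """True only if the MAC is valid, the token is for this user, and it is unexpired."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return False
    tok_user, device_id, expires, mac = parts
    payload = f"{tok_user}|{device_id}|{expires}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time, checked first
        return False
    if tok_user != user_id or not expires.isdigit():
        return False
    return now <= int(expires)


def login(user_id, password, device_token=None, challenge_answer=None, now=None):
    """Password first; then the device token; otherwise step up to the challenge.

    Returns a dict with 'status' in {'denied', 'challenge_required', 'ok'} and,
    on 'ok', the device token the client should present next time.
    """
    user = USERS.get(user_id)
    # Hash even for unknown users so the response time does not reveal account names.
    stored = user["password"] if user else _hash("")
    if not hmac.compare_digest(_hash(password), stored) or user is None:
        return {"status": "denied"}              # the password is always required
    if device_token is not None and verify_device_token(device_token, user_id, now):
        return {"status": "ok", "device_token": device_token}
    if challenge_answer is None:
        return {"status": "challenge_required", "question": user["question"]}
    if not hmac.compare_digest(_hash(challenge_answer.strip().lower()), user["answer"]):
        return {"status": "denied"}
    # Challenge passed: register this computer by issuing it a token.
    return {"status": "ok", "device_token": issue_device_token(user_id, now)}


if __name__ == "__main__":
    pw = "correct horse battery staple"
    first = login("alice", pw)
    print(first["status"], first.get("question"))             # challenge_required
    second = login("alice", pw, challenge_answer="xj7_oss:19")
    print(second["status"])                                   # ok, token issued
    third = login("alice", pw, device_token=second["device_token"])
    print(third["status"])                                    # ok, no question asked
```

A tampered or expired token does not deny the login outright; it simply drops the user back to the challenge step, which is the behaviour the posts describe for a computer that has not been enrolled. Binding the token to the user id is what stops a token lifted from one account being replayed against another.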

Re:Banks have been acting really dumb (1)

LotsOfPhil (982823) | more than 7 years ago | (#17668800)


Except unlike my old password (which I made up and keep in my head) these passwords are answers to real world questions, which means someone who isn't me could look up the answers. Brilliant.

You know, your "mother's maiden name" could be xj7_oSS:19. I bet she didn't mind changing when she got married.

Heck, there is no flash for 64-bit IE... (1)

Anonymous Freak (16973) | more than 7 years ago | (#17667712)

One of the reasons I use the 64-bit version of IE when I'm forced to use Windows is specifically to avoid plugins. There are basically *NO* plugins for 64-bit IE, including Flash.

And, double checking, apparently the OP is talking about the bank I use. Their main online login doesn't work on my Windows machine. Although in the place where the login box is on my Flash-laden computer is a simple 'login' button that takes me to a new (HTML-only) page that states "For a better security experience, we recommend installing Adobe Flash Player", but has an old fashioned form-based login.

"Security experience"???? Security shouldn't be an "experience"! Just say "For better security", even though the statement is debatable.

Wrong kind of flash. (2, Insightful)

stile99 (1004110) | more than 7 years ago | (#17667814)

Flash drive? Yeah sure, I might consider accepting a dongle of sorts and popping it into the USB port when I want to access my account info. Of course, you still need the password and pin and all the other fun stuff, if just the dongle itself could access my account I'd smash it with a hammer.

Flash software? Were my credit union (what's a bank?) to require this, I would close my account in a...well, you know.

Would You Want To? (1)

Flwyd (607088) | more than 7 years ago | (#17667840)

If you can log in using FlashCookies, someone who steals your computer can log in using FlashCookies.

I would much rather type my password, answer a captcha, and whatever else every time I log in to my bank than make it at all easier for an unauthorized user of my computer to log in to my bank. I'm even annoyed that Firefox auto-suggests my bank login.

Flash 9 is Our for Linux (2, Insightful)

DJ_Adequate (699393) | more than 7 years ago | (#17668112)

Not commenting on whether this is a good idea, but the article states that there is no Flash player for Linux. Actually, Adobe just released a Linux version of Flash Player 9 a few days ago. And even before that you could install version 7. So you can remove crippling Linux users as a reason to bash this.

"Out for Linux" (1)

DJ_Adequate (699393) | more than 7 years ago | (#17668190)

If only you could edit posts. (And now Slashdot is making me wait to post this correction--in order to give people a fair chance to mock my lack of editing skill.)

Flash and Video (2, Interesting)

rice_web (604109) | more than 7 years ago | (#17668126)

Actually, Flash has the potential to revolutionize online security. With the increasing numbers of webcams, users could opt to require a "video signature" to log on, in addition to regular password credentials. The video signature could quickly be checked by a company like Brinks to see if the remote user is the correct user, and grant access to the user accordingly once the correct password has been provided.

Security questions (2, Informative)

MCZapf (218870) | more than 7 years ago | (#17668262)

This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it(haven't tested it yet).

Not necessarily. It sounds like, if you use the plugin, the bank won't ask you those stupid "security questions" at login time, since they will be able to "recognize the computer."

Ideas for security questions:
  • What is the name of the second-largest river that flows through the town where your grandmother on your father's side bought her first four-door car?
  • OK, what's your REAL password?

The answer has got to be... (1)

Khyber (864651) | more than 7 years ago | (#17668502)

.....

Someone's got in the LSD-tainted water supply, again.

NO. Heeeeeeellllllll NO.

Some more info (2, Informative)

larrystotler (998217) | more than 7 years ago | (#17668602)

Here's a little more info, but some of it has already been covered by other replies:

1. They use the Cookies and/or Flash to negate the requirement of answering "up to" 3 extra security questions. They still require you to use your password regardless of anything else. (Of course, if your password is on a post-it note on your monitor and your computer gets stolen..... kinda makes it easier, especially in the case of a laptop.)

2. I haven't fired up my PowerMac 9600 to see if I can even log into my account, but I doubt it since I have to click on the Flashblock icon to even be able to get to the logon on my Dell.

3. I have Firefox set to clear private data when it is closed. The Flash part is supposed to "help" verify my computer if the cookies aren't present. This would ONLY apply if I actually "register" my computer with the bank, which I don't foresee myself doing since I have a computer in about every room except the bathroom.

4. Does Flash store information about my browsing history on my system that would allow such a verification? If so, then it sounds like it needs to be removed from my system in my interest of a secure experience.

5. Reminds me of how a large sat TV company requires its dealers to use IE6/ActiveX to input Credit Card info and Social Security numbers to create an account because it was the "Most secure" way to do it.....

How about accessibility? (1)

antdude (79039) | more than 7 years ago | (#17668898)

Flash is mainly for graphics. How is this going to work for people who have vision problems? Does Flash have accessibility support?

Re:How about accessibility? (1)

Ulky (199350) | more than 7 years ago | (#17670164)

Yes, in fact Flash has much better accessibility support than JavaScript/HTML based applications - for a start you can actually detect when someone is using a screenreader or other accessibility aid running outside of the browser, and trigger code accordingly. Try doing that with JavaScript.

The problem is, like Web development in general, to achieve full accessibility, it usually takes additional time/effort/money - which often doesn't happen.

Re:How about accessibility? (1)

Eravau (12435) | more than 7 years ago | (#17670512)

yes. [adobe.com]

Wrong approach - use SmartCards (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17670368)

It's just the Banks being stupid and tight. They do everything to protect their massive profits, while the least amount possible to protect their clients' funds.

They should simply switch to using smartcards. Use them as part of a client side https handshake (i.e. you need to insert your smartcard). Offer it as an additional service to their customers.

I see card readers in all kinds of shops that take the standard magnetic reader - and have a spot where you could insert a smartcard.

Windows has had support for Smartcards since the days of NT 4.0.

Linux has support as well (Fedora Core 6 installs it by default).

The readers are cheap to get for your PC - have a look on eBay.

Deploying more software to the clients computer is not the answer. It just creates more long term support issues for them.

Not no but hell no. (1)

dosius (230542) | more than 7 years ago | (#17670912)

The Web wasn't made for heavy sites built on proprietary toolkits. It was made for content, delivered in the form of HTML pages. I think Flash is a blight on the whole Web and should not be used ANYWHERE.

-uso.

gnash (1)

bcrowell (177657) | more than 7 years ago | (#17671156)

This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it(haven't tested it yet).

Try Gnash [gnu.org]. It supports most of Flash 7, and the stuff it doesn't support (e.g., sound) may not matter to you for this application. Don't forget to install flashblock!

What I don't understand is the bank's rationale for using flash for this. If a user deletes his cookies, it's probably because he wanted to delete his cookies. There's no incredible hardship involved with logging in again.

Phishers are already using Flash (1)

miller60 (554835) | more than 7 years ago | (#17671324)

Phishing scams are already using Flash in their spoof pages [netcraft.com]. This was occurring as early as last June. Maybe the bank liked the idea so much they decided to copy it. Reverse phishing, sort of.

Does anybody know which bank the submitter is talking about?

Will we never stop asking the same dumb questions? (1)

akohler (997911) | more than 7 years ago | (#17672642)

Note: "Dumb" not directed toward the poster but the We (with a capital 'w').

There have already been many informative comments addressing the security issue, so I'll restrict myself to this: After 15 years of lawsuits in numerous countries to make online banking accessible, why do the banks keep trying to back-track?

I usually bank with a text browser. When I can't, I'll switch banks. I already spent two years complaining to my bank (back in 1999 or so) that I couldn't bank with my browser of choice - any of them - and that I had to have my browser tell the bank site that I was using IE (which then worked fine, even in Lynx). That's enough complaining for me.
