Forgot your password?
typodupeerror
Security The Almighty Buck

Should Online Banking Use Flash for Verification? 139

Posted by Cliff
from the is-this-really-a-good-idea dept.
larrystotler asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it(haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"
This discussion has been archived. No new comments can be posted.

Should Online Banking Use Flash for Verification?

Comments Filter:
  • No. (Score:5, Insightful)

    by pipatron (966506) <pipatron@gmail.com> on Thursday January 18, 2007 @01:11PM (#17666730) Homepage

    No.

    Next question?

    • Re: (Score:2, Insightful)

      by FunkyELF (609131)
      Next Question:

      Should they use it at all?
      • Re: (Score:3, Insightful)

        by spyder913 (448266)
        Also no, unless they are using it to show funny animations (the only real good use of flash so far).
        • by LordWoody (187919)
          Actually Flash is quite useful for creating mostly cross platform applications (consider business/government audiences), not just animations and simple games although it does excel in those uses. The company I work for solved the need for an interface for cross platform requirements by writing an entire interface in Flash. Flash allows you to frame, create menus, show graphs, transport data back and forth between the client and server, create secondary windows, have frames and windows trigger events in oth
          • by spyder913 (448266)
            Definitely a lack of exposure. I've not yet personally seen apps like that, and I'm sure it's nice to not have to worry about the stuff you do with a web app (like cross browser display issues). From my personal experience though, flash is almost always well used for animations or games, or badly used to make an interface that's fancier (and clunkier) than a regular website. So I guess it's just like any other tool. Use it well and we won't have to complain about it =)
            • by nahdude812 (88157) *
              Google for Flex Examples. Flex and ActionScript 3 aren't quite synonymous as the grandparent suggested. Flex is explicitly designed around creating desktop style applications which are portable to be usable from the web, CD or download, and which run on every major platform including Linux. They create a very positive user experience and are especially good for data mining applications, daily dashboards, and other reporting features.

              Flex is up to version 2, but here are some 1.5 sample apps [adobe.com].
        • by fyngyrz (762201) *

          Also no. Banks should be using https/html and https/cgi. I don't rent my cpu out to them, and I don't want their code running on my computer. That goes for everyone else, too. As soon as you presume you can run a "client" application on my machine, you may be impacting other things I am doing without my permission. If you don't have the CPU power you need to run your operation, I decline to run it for you except in special cases that I will pick according to my own needs.

          And hey, as a bonus, your stuff

      • No, I recommend that they all find another bank.

      • Re:No. (Score:5, Insightful)

        by SatanicPuppy (611928) * <`Satanicpuppy' `at' `gmail.com'> on Thursday January 18, 2007 @01:31PM (#17667130) Journal
        No.

        Bank sites should be as server-side as possible. Anything else opens the user up to exploits; I'm not even a big fan of their push toward Ajax. Putting a lot of effort into cosmetic widgets is problematic at best.
        • by sumdumass (711423)
          On the side of server side verses using the host computer, Could someone controling a virus that take advantage of some undisclosed or patched exploit obtain these files and then give access to the bank and account information for the virus' controler.

          It is common for security holes to go long periods of time before they are discovered, patched or that user actualy applies the patch for varying reasons. I would hope this doesn't give someone a new approach to identity theft or fraud.

          BTW, I wonder if the fla
        • by elyk (970302)
          Exactly. It's difficult enough to defend against cross site cookie attacks, and supporting both cookie and flash-based authentication adds another layer, and one that the site owner cannot as easily defend against. There's not the same standards documentation for flash as there is for cookies. They also fail to mention that what they claim is a feature-that you're less likely to delete your authentication info-is also another large security flaw that makes it more difficult to manually delete your login inf
    • Re: (Score:2, Interesting)

      by Bastardchyld (889185)
      I agree. With my money is involved I don't want any sort of additional "feel good" authentication. Unless of course it is physical such as an RSA token. That way if it goes missing I can report it as such. How will you know if someone figures out how to move that flash object from one computer to another. How will you know?

      Although I must admit ING Direct has a pretty good "feel good" authentication. It will at least make it more difficult to determine your password over your shoulder.
    • by mrchaotica (681592) *

      You must be mistaken. The correct answer is "Hell, no! " or "Fuck, no!" or "No, and you should be executed for having suggested it!"

      Hope that clears things up. : )

      • Your forgot the part about calling them a Nazi. This is the internet after all.
      • by mrcaseyj (902945)

        Should Online Banking Use Flash for Verification?

        The correct answer is "Hell, no! " or "Fuck, no!" or "No, and you should be executed for having suggested it!"

        You're very kind. I would say they should be tortured for the rest of eternity for having suggested it. They should suffer for it like we will.

        Seriously though the crazy thing is that they require flash for those temporary credit card numbers that some credit card companies offer. As if I'm so paranoid that I'm going to take the trouble using

    • by matt_king (19018)
      There are plenty of resources for the banking community out there that can help you. If this is a US bank, remember that there are several laws and regulations you need to comply with, such as GLBA, FFIEC, FISMA, etc.
    • Flash is only used for ads and other blinking crap. It bloats pages making them load slower.

      Right now, there is a severe storm in Europe. People have died, thousands are stranded and can't get home tonight because of closed roads and shutdown public transport. The official emergency site to keep people informed about this crisis has been unreachable for most of the day. Why? Because the front page is riddled with Flash applets. Because of this the servers are severely overloaded. Nice going, for an emerge

  • The idea itself isn't bad, but the requirement to install a third-party software add-on isn't, especially one which is only available for a few platforms.
    • by TheGreek (2403) on Thursday January 18, 2007 @01:21PM (#17666916)
      The idea itself isn't bad, but the requirement to install a third-party software add-on isn't, especially one which is only available for a few platforms.
      I think you misspelled "99% of the people who use the Internet."
      • I know a number of people who don't know enough to install plugins, so your 99% figure is highly suspect. :-)
        • by TheGreek (2403)
          I know a number of people who don't know enough to install plugins, so your 99% figure is highly suspect. :-)
          1) You said "available," not "installed."

          2) I can't remember the last time I've actually had to download and install Flash player. It's either been installed already or the browser took care of it for me.
        • by Scaba (183684)

          It's somewhere between 96% [adobe.com] and 98% [adobe.com]. Persons who don't know enough to install plugins most likely bought a PC with said plugins pre-installed [adobe.com]. Pretty much the only persons who don't have Flash installed are the neo-Luddites who hang out here.

          • by Nutria (679911)
            Pretty much the only persons who don't have Flash installed are the neo-Luddites who hang out here.

            Them, and non-x86 Linux users.

            There are so few *BSD users that we won't even mention them...

            • by Scaba (183684)

              Non-x86 Linux users and Slashdot neo-Luddites. Oddly enough, those two groups have almost 100% overlap.

          • by Sancho (17056) * on Thursday January 18, 2007 @02:26PM (#17668294) Homepage
            It goes beyond 'neo-luddites'. We have open standards for a reason--and that reason is so that if I want to create a platform and communicate with the existing infrastructure, I have everything that I need to make an application on that platform that will work with everyone else. The HTML specification is an excellent example of this. People have made HTML rendering engines for almost every device that has an IP address, and for many that don't, as well (my old Palm IIIxe had an offline webpage reader).

            When you throw closed standards into the mix, you start make things harder. If my platform of choice doesn't have an HTMl renderer, I can write one. If my platform of choice doesn't have a Flash player, I can't. I either do without Flash, or I switch platforms.

            Of course, some people can't switch platforms. My Windows Mobile 5.0 phone doesn't work with Flash--at least, the default browser doesn't. If I use NetFront, I can get Flash 7. Will this banking website work with that, or will Flash 9 be required?

            My only problem with this is that the standard isn't open. If it's an open standard, even one for which my platform of choice has no current support, I'm ok with it. If it's a closed standard, the answer is 'no'.
          • Pretty much the only persons who don't have Flash installed are the neo-Luddites who hang out here.

            Some corporations don't allow Flash or other widgets to be installed, either as a matter of security or just to prevent support problems on the user's desktop. Others block Flash content at the firewall.

            Saying that 90-something percent of people have Flash is a bit like saying 50% to 80% of American adults have herpes simplex. It may be true, but it doesn't make it a good idea, and the people without

      • by buzzbomb (46085)
        Don't believe the Macromedia/Adobe hype. Of course they're gonna tell you that everyone has Flash.

        I did my own checking on a busy non-biased (i.e. non-geeky) site a few years ago. I came up with around 73% market penetration. And this was BEFORE all the overlay Flash ads and pop-ups were so prevalent. For the record, MM was still claiming 97+% of users had it installed back then.

        In all fairness, this was before Flash video had arrived with Youtube and Google Vids, etc.
        • by TheGreek (2403)
          Of course they're gonna tell you that everyone has Flash.
          I didn't say everyone has Flash, because that would have been simply retarded.

          I said Flash is available for 99% of internet users.
      • by finkployd (12902) on Thursday January 18, 2007 @03:12PM (#17669290) Homepage
        I guess we are cool giving a big "FU!" to anyone who is disabled (blind) and using a specialized browser. After all 99% of the population can see just fine. For that matter lets get rid of all those damn wheelchair ramps cluttering up the place.

        Finkployd
    • >The idea itself isn't bad,

      Yes it is.

      Flash has had so many serious security vulnerabilities that I uninstalled it (which was way too hard, but that's another story) and don't want to reinstall it.

  • Why flash? (Score:1, Informative)

    by Anonymous Coward
    I hope they're not using flash just to obscure the source code, as it is very easy to get to it with a decompiler like flare [nowrap.de]...
    • by Kelson (129150) *
      Judging by the quote in the summary, it sounds like it's a way to work around cookies being disabled/deleted.
  • No. (Score:3, Interesting)

    by Anonymous Coward on Thursday January 18, 2007 @01:16PM (#17666806)
    It's simply irresponsible to permanently store security credentials on the client. Also call and ask them how long they spent auditing the source code for flash player before implementing this.
    • by Anonymous Coward
      Also call and ask them how long they spent auditing the source code for flash player before implementing this.
      Probably about the same amount of time they spent auditing the source code for Internet Explorer, idiot.
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Internet explorer is the clients choice, there are other web browsers, not so with flash player. No excuse for requiring javascript or flash in a banking application, especially not for authentication.
        • by Zadaz (950521)
          "Internet explorer is the clients choice"

          Maybe for your bank. My old bank required IE. "For security reasons."

    • by lord aDam (860397)
      It's simply irresponsible to permanently store security credentials on the client

      Flash doesn't need to store information permanently on the client side. Flash can communicate with any dynamic pages (Coldfusion, ASP, PHP, etc) asynchronously, like AJAX can.

    • It's like comparing locking your front door with a key or a pin-code.
      Key's a physical object you can physically protect. Pin Code doesn't have to be carried which is both a benefit and a disadvantage.
      It's quite interesting actually. Pretty much everybody locks their house with a physical token (a key) and accesses online services with pin/password - and consider this is secure.
      If you reversed it, they'd be convinced somebody else would guess, brute-force their front door and would complain about carrying
  • NO! (Score:2, Insightful)

    by Anonymous Coward
    Use SSL Client Certificates.

    EOM. (Temojen at work)
  • by Anonymous Coward
    I don't like flash shared objects. You can disable them outside of flash by fudging up Flash's directory structure (essentially creating a file in place of the directory so flash can't recreate it). Instructions and bash file are available here [elifulkerson.com].
  • by Kelson (129150) * on Thursday January 18, 2007 @01:24PM (#17666976) Homepage Journal
    ...is to use two sets of authentication tokens, like this:

    1. Connect via HTTPS
    2. Log in. Sites sets tokens (with expiration times) in cookies and Flash data.
    3. If cookies and Flash data disagree, assume the connection has been hijacked by another app on the PC and discontinue session.
    4. Delete tokens on log-out.

    I'm not sure if this would actually accomplish anything, and I'm not exactly thrilled about requiring a third-party plug-in, that it's the only thing I can think of that might actually be useful.
    • Re: (Score:3, Interesting)

      by Bandman (86149)
      My bank does this, but I still have to login every time. If it detects that I have the flash data, it only asks for my username and password. If it doesn't see the data, it asks for the username/password AND one of my security questions.
  • by Anonymous Coward
    Surely more authentication is more better?

    I'm not familiar with the specifics of Adobe Flash, but I know many people have password-less logins so how does removing authentication layers help anyone (apart from the poor user who must remember their password)? Isn't Flash just an extra attack vector on top of the existing XSS, keylogging and such?
  • Was there not a story about Flash for Linux within the last 72 hours? http://linux.slashdot.org/article.pl?sid=07/01/17/ 1315228 [slashdot.org] Anyway, I don't think it's a good idea, but it's not going to stop you from using it in Linux (in theory.) I could be wrong.
    • Re: (Score:3, Informative)

      by Bogtha (906264)

      From this article:

      This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac

      From the article you point to:

      The official Adobe Linux Flash blog has announced that Flash player for x86 Linux is now final

    • by Kelson (129150) *
      it's not going to stop you from using it in Linux (in theory.)

      It will if your Linux box runs on a PowerPC chip.

    • by takeya (825259) *
      I didn't understand what he meant either - I've had flash on my linux machine for a couple of years at least. Then I see the other comments - X86 only... that's a shame, so I googled it and found this - http://www.petitiononline.com/fla4lppc/ [petitiononline.com]

      A petition to bring flash to PPC linux. I suspect it's less of an issue now than ever, seeing as macs are moving to x86 chips, and they were by far the largest supplier of consumer ppc chips (though not the only one).
  • by American AC in Paris (230456) on Thursday January 18, 2007 @01:25PM (#17666992) Homepage
    Recently, I've moved from a house that had an electric water heater to a house with a gas water heater. Sadly for me, this means that I'll no longer be able to use my custom-built circuit monitoring hardware (which uses a Linux-based electricity usage tracking app I wrote myself!) to estimate what percentage of my monthly electrical bill was used to generate hot water. However, the real question is: is it really a good idea to pound on the gas main with a ball-peen hammer?
    • by MagicM (85041)
      ball-peen

      Thank you for a very good (although incredibly immature) laughing fit.
    • Re: (Score:3, Funny)

      by ajlitt (19055)
      Of course not. An acetylene torch is the appropriate destructor for a gas main.
  • What? (Score:3, Interesting)

    by Bogtha (906264) on Thursday January 18, 2007 @01:25PM (#17666994)

    If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.

    If somebody is erasing all their cookies, chances are they don't want you hiding data elsewhere too. What happens when one of your customers wipes their cookies before selling their computer, and the buyer fishes out the sensitive data from the Flash storage instead because you've overridden their wishes?

    • What happens? Exactly the same thing that would happen if they wiped cookies and flash before selling their computer. I expect that most Slashdotters wipe their drives before giving away or selling a computer, but most people just delete and think the data is gone.
  • Uh, no. (Score:3, Informative)

    by jafiwam (310805) on Thursday January 18, 2007 @01:25PM (#17667006) Homepage Journal
    If they are using Flash and a feature intended to help make sure they know you are using a computer you previously used it helps. (Like a cookie)

    As part of a multi-factor authentication system it can help.

    The probably are not using it as the primary authentication (account number, password). (If they are, they'll get shut down quickly.)

    If your platform can't handle the Flash, chances are they'll make you go through a longer more customized login procedure, like answer previously arranged "security questions" and so on. It will be slower, but it will work.

    There are some pretty aggressive new regulations concerning online banking login methods, so more and more of this stuff will be appearing. They will all still have a primary user/pass combo of some kind though.
  • Absolutely not (Score:1, Offtopic)

    by tarlos25 (1036572)
    More often than not, Flash is a horrible bandwidth hog and slows page loading drastically. And if someone is on a dial-up connection (which still exists in many places due to no high-speed being available, and satellite being far too expensive), any slower page loading means less likelihood of a resource being used. Plus, not everyone will have a Flash player available, especially if you're using the latest version. So do you want to alienate your customers?
    • by Scaba (183684)

      More often than not, Flash is a horrible bandwidth hog and slows page loading drastically. And if someone is on a dial-up connection (which still exists in many places due to no high-speed being available, and satellite being far too expensive), any slower page loading means less likelihood of a resource being used. Plus, not everyone will have a Flash player available, especially if you're using the latest version. So do you want to alienate your customers?

      1998 just called and they want their rant back.

  • by Anonymous Coward
    But banks get to do whatever the hell they want for the most part in the USA (subject to state regs) and so it doesn't take much for special interest groups to tell the IT departments of those banks what is the "best" way to do things and since "everybody" has flash...what's the problem? (I'm being sarcastic here)
    You can argue that "they shouldn't use proprietary tech", well... if you want to push it, I'll bet you are using a computer that has proprietary tech in it somewhere and probably your ISP has a bi
  • by MagicM (85041) on Thursday January 18, 2007 @01:32PM (#17667148)
    The real question is: should any bank make it easy to "register your computer with them so that you don't have to go through the new extra security steps". The answer ofcourse is "no". If I break into your house and steal your computer, I now also have access to your bank account (which you probably have a handy bookmark for to make it even easier). Also, anyone you trust into your house (babysitter, etc.) can now get into your bank account.

    Banks shouldn't make it easy to remove the "what you know"-part of the authentication. It's there for a reason.

    (Then again, I probably misunderstood what "the new extra security steps" are. But there ya go.)
    • by jafiwam (310805)
      User/Password = security step

      Questions about dogs name = EXTRA security step

      Which is usually triggered by lack of cookie or new IP or new operating system or browser or whatever.

      In other words, in place of having to do some sort of extra assurance the user/password holder is legit, you can get this file to act like a cookie and bypass dumb questions about your dog. This thing is supposed to make the extra security step less of an annoyance, not replace a user/pass combo.

      So, stealing the computer just means
  • by mad.frog (525085) <[moc.knilknirc] [ta] [nevets]> on Thursday January 18, 2007 @01:35PM (#17667192)
    Regardless of the actual security issues, asking "Should Flash be used for(fill in blank here)?" on Slashdot is a question that I think we all know the probable responses to already...

    • This all makes me sad because I am a professional Flash and Flex Developer. I personally don't see a problem with using Flash in this case as long as other steps are taken to ensure security. I also used to work for a company that did Online Banking for Financial Institutions, and from what I know about all the research we did in this area Flash is no more or less secure. One that that it does offer over other options was we could do a catchpa and still have it be accessible to vision impaired people. So
      • by alienmole (15522)
        So all I can say to Flash bashing is grow up, open up you mind, just because it isn't as open or "free" as whatever crap you use doesn't make it a bad idea.

        Actually it does make it a bad idea, when you're talking about applications beyond something that's either in-house or advertising-oriented. The problem is just that you haven't yet grasped the importance of the open, standards-based technology that brought you the Internet.

  • by Vellmont (569020) on Thursday January 18, 2007 @01:35PM (#17667216) Homepage

      However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"

    This is a foolish, short sighted strategy. Do you really think Flash is going to be the same 5 years from now? Is it even going to exist in 10 years? Does this solution even address the real security concerns, or is it just an ugly hack dreamed up by some people that have no other solution? I'd say the latter.

    Banks need to get together and solve this problem outright. It's hurting all of them because they all have to develop these proprietary technologies (that only wind up sucking). They need to get together and find someone they all trust to lead development of a technology to secure transactions. If they were smart they'd hire someone like Bruce Schneier to design and oversee development of a system for them to secure web transactions.

    IMO this techology lies under the "something you have" category of authentication, unlocked by "something you know". In other words a hardware device of some type that plugs into a USB port, and verifies that:

    A. You're talking to the bank you think you are. Thus avoiding phishing attacks that get people to connect to sites pretending to be the bank.

    B. That you are who you say you are.

    Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      they all have to develop these proprietary technologies

      No, they could just use SSL Client Certificates. The standard already exists, and is implemented in most browsers.

      IMO this techology lies under the "something you have" category of authentication, unlocked by "something you know".

      On the net everything devolves to "something you know" until matter transporters are invented.

    • Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.

      Ah, yes, the old "but it seems so simple to my admittedly uneducated self." Really, isn't it common sense that if it were that easy it would have been done already?

      They need to get together and find someone they all trust to lead development of a technology to secure transactions.

      Do you think it's a

      • by Vellmont (569020)

        Ah, yes, the old "but it seems so simple to my admittedly uneducated self." Really, isn't it common sense that if it were that easy it would have been done already?

        I didn't say I knew NOTHING about security/crypto, I'm just not an expert along the lines of Bruce Schneire. Sheesh, there IS a middle ground between being a total neophyte and knowing everything about something.

        You seem to think the problems must obviously be technical, and that's why no one has done it yet. It's hardly ever that way in busine
        • You seem to think the problems must obviously be technical

          Not at all. My point was that if there was an easy, fool-proof technical solution, it would be in place. But even when the technical aspects are rock-solid, the system isn't necessarily secure -- which is why we don't have a uniform system.

          Why would you think that security relies on one or a few people "pulling an inside job" to screw everyone?

          I don't. It was just the first easy example I though of, of what can go wrong when you implement an in

          • by Vellmont (569020)

            My point was that if there was an easy, fool-proof technical solution, it would be in place.

            Well, I guess we simply disagree on why solutions aren't implemented. I don't think we live in a world where the biggest barrier to adoption of a better solution for everyone is simply technical.

            The fact still remains, though, that someone who's cracked one bank's system will have a huge leg up on cracking other banks' systems. Why expose yourself to the extra risk when you can use a proprietary system without that
  • I may be a little lost here, but if you're going to authenticate a client, why not use a client-side certificate? Is it too difficult to understand? Is the support in browsers/servers not there?

    From my (limited) experience with this, it seems like it's a workable solution that would work on most browsers, no matter the OS, without a proprietary plug-in like Flash.
    • by Sloppy (14984)
      Bingo. If they're going to store a second password on the computer, one that is large rather than memorizable, why not use a system that was designed for exactly that purpose, by people who actually have a clue about authentication? Why is there such phobia about using the right tool for the job?
  • The last thing I need to hear is a talking Bank of America ATM screaming when a dirty old man flashes for verification.
  • by pyite69 (463042) on Thursday January 18, 2007 @01:53PM (#17667582)
    Flash is ok to add eye candy and a sound track.

    However, all web sites should be usable by someone who doesn't use flash at all.
  • Obviously requiring closed (therefore unauditable, therefore not even possible to secure) software is a bad idea. I'm not even sure how someone gets as far as the question "is this a good idea?" since it has absolutely nothing positive going for it at all.

    The cookie thing is really stupid, too. My credit union made everyone use it a month or two ago. The only thing it does, is make things less convenient. Since I don't save cookies, I have to "verify" every time I log in. That means I have to answer t

    • Okay I'll out myself, I work for a bank. The banks are not the ones acting stupidly its the banks regulators. The use of Cookies/Flash is caused by the FFIEC's (use google to find out what that is) new Multi Factor Authentication requirements for bank's website.

      Worst part is, many of the IT regulators already agree that MFA is worthless, however they still required banks to push its inconvenience onto their customers. Its been a pretty large hassle on bank's end as well and it costs us thousands of dolla

    • Except unlike my old password (which I made up and keep in my head) these passwords are answers to real world questions, which means someone who isn't me could look up the answers. Brilliant.

      You know, your "mother's maiden name" could be xj7_oSS:19. I bet she didn't mind changing when she got married.
  • One of the reasons I use the 64-bit version of IE when I'm forced to use Windows is specifically to avoid plugins. There are basically *NO* plugins for 64-bit IE, including Flash.

    And, double checking, apparently the OP is talking about the bank I use. Their main online login doesn't work on my Windows machine. Although in the place where the login box is on my Flash-laden computer is a simple 'login' button that takes me to a new (HTML-only) page that states "For a better security experience, we recommen
  • by stile99 (1004110)
    Flash drive? Yeah sure, I might consider accepting a dongle of sorts and popping it into the USB port when I want to access my account info. Of course, you still need the password and pin and all the other fun stuff, if just the dongle itself could access my account I'd smash it with a hammer.

    Flash software? Were my credit union (what's a bank?) to require this, I would close my account in a...well, you know.
  • If you can log in using FlashCookies, someone who steals your computer can log in using FlashCookies.

    I would much rather type my password, answer a captcha, and whatever else every time I log in to my bank than make it at all easier for an unauthorized user of my computer to log in to my bank. I'm even annoyed that Firefox auto-suggests my bank login.
  • Not commenting on whether this is a good idea, but the article states that there is no Flash player for linux. Actually, Adobe just released a Linux version on Flash Player 9 a few days ago. And even before that you could install version 7. So you can remove crippling Linux users as a reason to bash this.
    • If only you could edit posts. (And now Slashdot is making me wait to post this correction--in order to give people a fair chance to mock my lack of editing skill.)
  • Flash and Video (Score:3, Interesting)

    by rice_web (604109) on Thursday January 18, 2007 @02:20PM (#17668126)
    Actually, Flash has the potential to revolutionize online security. With the increasing numbers of webcams, users could opt to require a "video signature" to log on, in addition to regular password credentials. The video signature could quickly be checked by a company like Brinks to see if the remote user is the correct user, and grant access to the user accordingly once the correct password has been provided.
  • Security questions (Score:2, Informative)

    by MCZapf (218870)

    This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it(haven't tested it yet).

    Not necessarily. It sounds like, if you use the plugin, the bank won't ask you those stupid "security questions" at login time, since they will be able to "recognize the computer."

    Ideas for security questions:

    • What is the name of the second-largest river that flows through the town where your grandmother on your father's si
  • .....

    Someone's got in the LSD-tainted water supply, again.

    NO. Heeeeeeellllllll NO.
  • Some more info (Score:2, Informative)

    by larrystotler (998217)
    Here's a little more info, but some of it has already been covered by other replies:

    1. They use the Cookies and/or Flash to negate the requirement of answering "up to" 3 extra security questions. They still require you to use your password regardless of anything else.(of course, if you password is on a post-it note on your monitor and your computer gets stolen.....kinda makes it easier, especially in the case of a laptop).

    2. I haven't fired up my PowerMac 9600 to see if I can even log into my account

  • Flash is mainly for graphics. How is this going to work for people who have vision problems? Does Flash have accessibility support?
    • by Ulky (199350)
      Yes, infact Flash has much better accessibility support than JavaScript/HTML based applications - for a start you can actually detect when someone is using a screenreader or other accessibility aid running outside of the browser, and trigger code accordingly. Try doing that with JavaScript.

      The problem is, like Web development in general, to achieve full accessibility, it usually takes additional time/effort/money - which often doesn't happen.

    • by Eravau (12435)
      yes. [adobe.com]
  • by Anonymous Coward
    It's just the Banks being stupid and tight. They do everything to protect their massive profits, while the least amount possible to protect their clients funds.

    They should simply switch to using smartcards. Use them as part of a client side https handshake (ie you need to insert your smartcard). Offer it as an additional service to their customers.

    I see card readers in all kinds of shops that take the standard magnetic reader - and have a spot where you could insert a smartcard.

    Windows has had support fo
  • The Web wasn't made for heavy sites built on proprietary toolkits. It was made for content, delivered in the form of HTML pages. I think Flash is a blight on the whole Web and should not be used ANYWHERE.

    -uso.
  • This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it(haven't tested it yet)
    Try Gnash [gnu.org]. It supports most of Flash 7, and the stuff it doesn't support (e.g., sound) may not matter to you for this application. Don't forget to install flashblock!

    What I don't understand is the bank's rationale for using flash for this. If a user deletes his cookies, it's probably because he wanted to delete his cookies.

  • Phishing scams are already using Flash in their spoof pages [netcraft.com]. This was occurring as early as last June. Maybe the bank liked the idea so much they decided to copy it. Reverse phishing, sort of.

    Does anybody know which bank the submitter is talking about?

  • Shortly after this article hits /. front page, tell us how much money you have left in your bank account.

    Actually, don't worry - we'll all just check for ourselves ;)

"Consistency requires you to be as ignorant today as you were a year ago." -- Bernard Berenson

Working...