Should Online Banking Use Flash for Verification?
A user asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it (haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"
No. (Score:5, Insightful)
No.
Next question?
Requiring additional browser plugins is a bad idea (Score:3, Insightful)
Re:No. (Score:2, Insightful)
Should they use it at all?
Re:No. (Score:3, Insightful)
NO! (Score:2, Insightful)
EOM. (Temojen at work)
Re:No. (Score:5, Insightful)
Bank sites should be as server-side as possible. Anything else opens the user up to exploits; I'm not even a big fan of their push toward Ajax. Putting a lot of effort into cosmetic widgets is problematic at best.
The real question... (Score:5, Insightful)
Banks shouldn't make it easy to remove the "what you know"-part of the authentication. It's there for a reason.
(Then again, I probably misunderstood what "the new extra security steps" are. But there ya go.)
Cue the Flash Bashing in 3... 2... 1... (Score:3, Insightful)
The need for standards. (Score:4, Insightful)
However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"
This is a foolish, short-sighted strategy. Do you really think Flash is going to be the same 5 years from now? Is it even going to exist in 10 years? Does this solution even address the real security concerns, or is it just an ugly hack dreamed up by some people that have no other solution? I'd say the latter.
Banks need to get together and solve this problem outright. It's hurting all of them because they all have to develop these proprietary technologies (that only wind up sucking). They need to get together and find someone they all trust to lead development of a technology to secure transactions. If they were smart they'd hire someone like Bruce Schneier to design and oversee development of a system for them to secure web transactions.
IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know". In other words, a hardware device of some type that plugs into a USB port, and verifies that:
A. You're talking to the bank you think you are. Thus avoiding phishing attacks that get people to connect to sites pretending to be the bank.
B. That you are who you say you are.
Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.
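An added example, not code from the poster or from any bank, sketching the two properties the post asks for (A: the device only proves itself to the site the browser is really talking to; B: the bank learns the user has the enrolled device) plus the "something you know" unlock. It is deliberately simplified to a symmetric HMAC shared at registration; a real token would hold a per-site key pair so the bank never stores the device secret. The origins, user name and PIN are made up for the demo.

```python
import hashlib
import hmac
import secrets


class Token:
    """Hypothetical USB token: one secret, released only after the PIN
    ("something you know") is presented. It signs over the origin the
    browser reports, which a phishing page cannot change."""

    def __init__(self, pin):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._key = secrets.token_bytes(32)

    def enroll(self):
        # Handed to the bank once, at registration (symmetric simplification).
        return self._key

    def sign(self, pin, browser_origin, challenge):
        presented = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(presented, self._pin_hash):
            return None  # wrong PIN: token stays locked, nothing leaves it
        msg = f"{browser_origin}|{challenge}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Bank:
    """Hypothetical bank back end: issues single-use challenges and only
    accepts responses bound to its own origin."""

    def __init__(self, origin):
        self.origin = origin
        self._device_keys = {}  # user -> token secret from registration
        self._pending = {}      # outstanding challenge -> user

    def register(self, user, key):
        self._device_keys[user] = key

    def start_login(self, user):
        challenge = secrets.token_hex(16)
        self._pending[challenge] = user
        return challenge

    def finish_login(self, challenge, response):
        user = self._pending.pop(challenge, None)  # single use: no replay
        if user is None or response is None:
            return False
        expected = hmac.new(self._device_keys[user],
                            f"{self.origin}|{challenge}".encode(),
                            hashlib.sha256).digest()
        # A relayed challenge signed under a phishing origin never matches.
        return hmac.compare_digest(expected, response)


def login(bank, token, user, pin, browser_origin):
    """One round trip. A phisher can relay the bank's challenge, but the
    token signs over the origin the browser actually loaded."""
    challenge = bank.start_login(user)
    response = token.sign(pin, browser_origin, challenge)
    return bank.finish_login(challenge, response)


if __name__ == "__main__":
    bank = Bank("https://bank.example")   # hypothetical origin
    token = Token(pin="2468")             # constructed PIN
    bank.register("alice", token.enroll())
    print(login(bank, token, "alice", "2468", "https://bank.example"))        # True
    print(login(bank, token, "alice", "2468", "https://bank-login.example"))  # False: phished
    print(login(bank, token, "alice", "0000", "https://bank.example"))        # False: wrong PIN
```

Note that nothing here depends on a browser plugin or on what is stored in the browser at all: the bank ties the login to the device and the PIN, and a cleared cookie jar or a machine without Flash simply does not matter.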
Re:No. (Score:2, Insightful)
No web site should make Flash a REQUIREMENT (Score:4, Insightful)
However, all web sites should be usable by someone who doesn't use flash at all.
Wrong kind of flash. (Score:2, Insightful)
Flash software? Were my credit union (what's a bank?) to require this, I would close my account in a...well, you know.
Flash 9 is Out for Linux (Score:2, Insightful)
Re:Requiring additional browser plugins is a bad idea (Score:4, Insightful)
When you throw closed standards into the mix, you start making things harder. If my platform of choice doesn't have an HTML renderer, I can write one. If my platform of choice doesn't have a Flash player, I can't. I either do without Flash, or I switch platforms.
Of course, some people can't switch platforms. My Windows Mobile 5.0 phone doesn't work with Flash--at least, the default browser doesn't. If I use NetFront, I can get Flash 7. Will this banking website work with that, or will Flash 9 be required?
My only problem with this is that the standard isn't open. If it's an open standard, even one for which my platform of choice has no current support, I'm ok with it. If it's a closed standard, the answer is 'no'.