Should Online Banking Use Flash for Verification? 139

A user asks: "One of my banks has instituted a new 'Secure Sign-in' setup. They allow you to register your computer with them so that you don't have to go through the new extra security steps. This involves the use of cookies -and- Flash Objects: 'Adobe Flash objects store data in much the same way that cookies do on your computer. If you have Flash installed, we can recognize your computer in the event that you erase all your cookies.' This requirement of Flash will probably negate my ability to access my bank account when running Linux on my PowerMac since Flash Player is not available for it (haven't tested it yet). However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"

  • No. (Score:5, Insightful)

    by pipatron ( 966506 ) <pipatron@gmail.com> on Thursday January 18, 2007 @02:11PM (#17666730) Homepage

    No.

    Next question?

  • The idea itself isn't bad, but the requirement to install a third-party software add-on isn't, especially one which is only available for a few platforms.
  • Re:No. (Score:2, Insightful)

    by FunkyELF ( 609131 ) on Thursday January 18, 2007 @02:15PM (#17666786)
    Next Question:

    Should they use it at all?
  • Re:No. (Score:3, Insightful)

    by spyder913 ( 448266 ) on Thursday January 18, 2007 @02:17PM (#17666828)
    Also no, unless they are using it to show funny animations (the only real good use of flash so far).
  • NO! (Score:2, Insightful)

    by Anonymous Coward on Thursday January 18, 2007 @02:19PM (#17666882)
    Use SSL Client Certificates.

    EOM. (Temojen at work)
  • Re:No. (Score:5, Insightful)

    by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Thursday January 18, 2007 @02:31PM (#17667130) Journal
    No.

    Bank sites should be as server-side as possible. Anything else opens the user up to exploits; I'm not even a big fan of their push toward Ajax. Putting a lot of effort into cosmetic widgets is problematic at best.
  • by MagicM ( 85041 ) on Thursday January 18, 2007 @02:32PM (#17667148)
    The real question is: should any bank make it easy to "register your computer with them so that you don't have to go through the new extra security steps". The answer of course is "no". If I break into your house and steal your computer, I now also have access to your bank account (which you probably have a handy bookmark for to make it even easier). Also, anyone you trust into your house (babysitter, etc.) can now get into your bank account.

    Banks shouldn't make it easy to remove the "what you know"-part of the authentication. It's there for a reason.

    (Then again, I probably misunderstood what "the new extra security steps" are. But there ya go.)
  • by mad.frog ( 525085 ) <steven@cr[ ]link.com ['ink' in gap]> on Thursday January 18, 2007 @02:35PM (#17667192)
    Regardless of the actual security issues, asking "Should Flash be used for (fill in blank here)?" on Slashdot is a question that I think we all know the probable responses to already...

  • by Vellmont ( 569020 ) on Thursday January 18, 2007 @02:35PM (#17667216) Homepage

      However, the real question is: Is Flash a good, secure option that a bank should use to help identify you?"

    This is a foolish, short-sighted strategy. Do you really think Flash is going to be the same 5 years from now? Is it even going to exist in 10 years? Does this solution even address the real security concerns, or is it just an ugly hack dreamed up by some people that have no other solution? I'd say the latter.

    Banks need to get together and solve this problem outright. It's hurting all of them because they all have to develop these proprietary technologies (that only wind up sucking). They need to get together and find someone they all trust to lead development of a technology to secure transactions. If they were smart they'd hire someone like Bruce Schneier to design and oversee development of a system for them to secure web transactions.

    IMO this technology lies under the "something you have" category of authentication, unlocked by "something you know". In other words a hardware device of some type that plugs into a USB port, and verifies that:

    A. You're talking to the bank you think you are. Thus avoiding phishing attacks that get people to connect to sites pretending to be the bank.

    B. That you are who you say you are.

    Design it in such a way that if one component fails, the whole thing isn't compromised. I'm not a crypto/security expert, but from what I know all these requirements aren't even very technically challenging.
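
The scheme sketched in the comment above (a token you have, unlocked by a PIN you know, that checks the bank before proving who you are), as an added example that is not part of the thread or any bank's code. The comment names no mechanism; the shared enrolled key, HMAC-SHA256, PBKDF2, the origin binding, and every name here are assumptions made for illustration.

```python
import hashlib
import hmac
import os

BANK_ORIGIN = "https://bank.example"  # constructed placeholder origin


def unlock_key(device_secret: bytes, pin: str) -> bytes:
    """Something you have (device_secret) unlocked by something you know (pin)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000)


def mac(key: bytes, role: bytes, origin: str, n_client: bytes, n_bank: bytes) -> bytes:
    # The role label stops a proof being reflected back; the origin ties it to one site.
    msg = b"|".join([role, origin.encode(), n_client, n_bank])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Bank:
    """Server side; enrolled_key was shared when the token was issued (assumption)."""

    def __init__(self, enrolled_key: bytes, origin: str = BANK_ORIGIN):
        self.key, self.origin = enrolled_key, origin

    def respond(self, n_client: bytes):
        """Step A: prove knowledge of the enrolled key over the client's nonce."""
        self.n_client, self.n_bank = n_client, os.urandom(16)
        return self.n_bank, mac(self.key, b"bank", self.origin, n_client, self.n_bank)

    def verify_client(self, proof: bytes) -> bool:
        """Step B: accept the user only if the token's proof matches."""
        want = mac(self.key, b"client", self.origin, self.n_client, self.n_bank)
        return hmac.compare_digest(want, proof)


def token_login(device_secret: bytes, pin: str, site, origin_seen: str) -> bool:
    """Token side: answer only after the site has proved itself (A), then prove B."""
    key = unlock_key(device_secret, pin)
    n_client = os.urandom(16)
    n_bank, bank_proof = site.respond(n_client)
    want = mac(key, b"bank", origin_seen, n_client, n_bank)
    if not hmac.compare_digest(want, bank_proof):
        return False  # not the bank, wrong PIN, or wrong origin: send nothing
    return site.verify_client(mac(key, b"client", origin_seen, n_client, n_bank))
```

Because the origin the token actually sees is part of every MAC, a look-alike site that merely relays messages to the real bank still fails step A, and a wrong PIN derives a different key so the stolen token alone proves nothing.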
  • Re:No. (Score:2, Insightful)

    by Anonymous Coward on Thursday January 18, 2007 @02:46PM (#17667456)
    Internet Explorer is the client's choice, there are other web browsers, not so with Flash Player. No excuse for requiring JavaScript or Flash in a banking application, especially not for authentication.
  • by pyite69 ( 463042 ) on Thursday January 18, 2007 @02:53PM (#17667582)
    Flash is ok to add eye candy and a sound track.

    However, all web sites should be usable by someone who doesn't use flash at all.
  • by stile99 ( 1004110 ) on Thursday January 18, 2007 @03:04PM (#17667814)
    Flash drive? Yeah sure, I might consider accepting a dongle of sorts and popping it into the USB port when I want to access my account info. Of course, you still need the password and pin and all the other fun stuff, if just the dongle itself could access my account I'd smash it with a hammer.

    Flash software? Were my credit union (what's a bank?) to require this, I would close my account in a...well, you know.
  • by DJ_Adequate ( 699393 ) on Thursday January 18, 2007 @03:19PM (#17668112)
    Not commenting on whether this is a good idea, but the article states that there is no Flash player for Linux. Actually, Adobe just released a Linux version of Flash Player 9 a few days ago. And even before that you could install version 7. So you can remove crippling Linux users as a reason to bash this.
  • by Sancho ( 17056 ) * on Thursday January 18, 2007 @03:26PM (#17668294) Homepage
    It goes beyond 'neo-luddites'. We have open standards for a reason--and that reason is so that if I want to create a platform and communicate with the existing infrastructure, I have everything that I need to make an application on that platform that will work with everyone else. The HTML specification is an excellent example of this. People have made HTML rendering engines for almost every device that has an IP address, and for many that don't, as well (my old Palm IIIxe had an offline webpage reader).

    When you throw closed standards into the mix, you start making things harder. If my platform of choice doesn't have an HTML renderer, I can write one. If my platform of choice doesn't have a Flash player, I can't. I either do without Flash, or I switch platforms.

    Of course, some people can't switch platforms. My Windows Mobile 5.0 phone doesn't work with Flash--at least, the default browser doesn't. If I use NetFront, I can get Flash 7. Will this banking website work with that, or will Flash 9 be required?

    My only problem with this is that the standard isn't open. If it's an open standard, even one for which my platform of choice has no current support, I'm ok with it. If it's a closed standard, the answer is 'no'.