Using Flash to defeat phishing^H^H^H^H^H Key loggers

Update: 2nd March 2007: The bank confirmed they want to use Flash to defeat key loggers.

  1. Key loggers are a “feature” of MS Windows, mostly. Well-conceived operating systems do not allow the installation of such malware. The choice of the operating system is up to the user. He is free to upgrade to a more secure one. If he does not, that is his problem, not the bank’s.
  2. On the Windows platform, key loggers should be intercepted by the anti-virus program. If it does not intercept them, that is the user’s problem, not the bank’s.
  3. While the Flash applet may help defeat key loggers on the Windows platform for the specific use of the online banking service, it does not solve the general problem of key-logging malware on the Windows platform. In fact, it would give the clueless user the false impression that he is protected against key loggers, while in fact he is only protected within one specific application and not when using his credit card on Amazon or elsewhere.

The only conclusion one can draw from the whole thing is that the bank wants to be legally covered in case a customer complains. Security has nothing to do with it. The bank could easily disclaim liability in case the user does not implement the right security tools on his computer. It could, for example, disclaim liability in case the browser allows the installation of malware, which is typical of Internet Explorer.

The original post is after the break


My bank, Dexia Luxembourg, has recently changed the login procedure to their online banking system to use a Macromedia Flash applet. My guess is that they want to find a way to defeat phishing and key loggers. I said “my guess” because bankers are not known for communicating much with their customers, even less to actually explain their decisions. The customer is just too stupid to understand … This is just another guess.

BIL Login box

Using Flash is a really bad idea, because it is proprietary technology. If and when Adobe decides to drop the whole thing, change the specs, or end support for one platform or another, the bank and its customers will be stuck.

Some years ago, the same bank had an authentication system that required the Microsoft Java virtual machine. Not only did it not work on non-M$ platforms, it did not work either on all those Windows-based computers that ran Sun Java. Apparently, the bank did not learn from its own recent history.

Flash is only available on a limited number of platforms: Windows, MacOSX and Linux. The statistics of this web site indicate that only 82% of the browsers support Flash. Although this is certainly not representative of Dexia’s customers, it shows that not all users have the Flash plugin installed in their browsers. Why they don’t is a question the bank should ask itself. Maybe they have good reasons.

In many corporate computing environments, there are security policies which prohibit the download or use of some software. Windows network administrators can block the use of certain file types or programs with a few mouse clicks. As Flash is increasingly being used to deliver video content, which eats up the corporate bandwidth, I would expect that some companies will prevent Flash from being used in their environment. Too bad for the bank’s customers wishing to manage their checking account from their office.

There are other reasons, too:

  1. Phishing fraudsters need to work quickly. That means they have to find as many victims as possible in a very short time frame. The best way is to target banks with a huge number of customers, like Bank of America or HSBC. A small bank like mine is unlikely to be a target for fraudsters.
  2. There are enough tools the ISPs can deploy to identify phishing attempts in e-mails. In Luxembourg, most of the ISPs do not filter spam, or charge for filtering. Too bad. But again, it is up to the customers to vote with their feet and select a professional ISP.
  3. The user should be sufficiently aware by now that a real bank never sends an e-mail asking for access codes. It has been repeated over and over again in all languages and in all media. Unless you are just arriving from Mars, you should know. If you don’t, I am sorry to say it is your problem now and that you should bear the consequences of your ignorance. It is not up to a bank to set up strategies to work around clueless users.
  4. The Internet is no different from the real world. You would not drive a car before learning how to drive. Similarly, you don’t believe the average salesman ringing at your door. Some people totally lose their common sense when they are in front of a computer, forgetting the Internet is an ugly medium for an ugly world. But it is not a bank that is going to change this perception.

In the case of this specific Flash applet by Dexia, the design is poor, to remain polite. Its interface requires a mouse and even then, it asks you to place large areas into small boxes.

There is apparently a competition for the most unfriendly application ongoing between Dexia offices throughout Europe. At the same time as the Luxembourg branch threw this awful Flash applet at its customers, the Belgian branch did even worse.

They now require you to have your Maestro card and a special random code generator, both of which you are most likely to have with you in a cybercafé in Shanghai or elsewhere. It takes 9 steps to log in. And the same steps again every time you need to confirm an order.

Dexia CCB

Dexia Belgium wins the prize for the most unfriendly Internet banking application, with Dexia Luxembourg a close second.
