
Mozilla and Tor on the TLS attack

Messages have appeared on the Mozilla security blog and the Tor project blog regarding the recently-disclosed attack against TLS 1.0. The summary is: neither the Firefox browser nor the Tor service is vulnerable. The Tor post has a lot of information about how the attack works and why they are not worried about it. Mozilla, instead, says that some Java plugins may be vulnerable and that Java should be disabled.

Java and online banking

Posted Sep 28, 2011 1:08 UTC (Wed) by cesarb (subscriber, #6266) [Link]

> Mozilla, instead, says that some Java plugins may be vulnerable and that Java should be disabled.

Unfortunately, some banks require the Java plugin to do online banking on Linux.

Java and online banking

Posted Sep 28, 2011 14:34 UTC (Wed) by dskoll (subscriber, #1630) [Link]

> Unfortunately, some banks require the Java plugin to do online banking on Linux.

Really? That's absurd... time to switch banks. (My bank works fine with any vanilla web browser without plugins on any OS, as far as I know.)

Java and online banking

Posted Sep 28, 2011 15:18 UTC (Wed) by cesarb (subscriber, #6266) [Link]

> time to switch banks

I do not know of any major bank in this country which does not require some sort of browser plugin for online banking (but I did not research to see if I could find an exception).

From what I know, when it works on Linux, the plugin is usually the Java plugin running an applet. On Windows, from what I have heard it is often something much more invasive (see for instance http://insanebits.blogspot.com/2007/04/g-buster-browser-d...).

Java and online banking

Posted Sep 28, 2011 15:21 UTC (Wed) by corbet (editor, #1) [Link]

Which country are you talking about here? I do a lot of browser-based banking in various forms (in the US) for both personal and company business, and none have ever required a Java plugin. JavaScript is another story, but, once that's enabled, things generally Just Work.

Java and online banking

Posted Sep 28, 2011 16:26 UTC (Wed) by cesarb (subscriber, #6266) [Link]

> Which country are you talking about here?

Brazil.

Java and online banking

Posted Sep 30, 2011 21:18 UTC (Fri) by Kwi (subscriber, #59584) [Link]

US netbanking is a joke when it comes to security, with many banks handing over your entire account to the first person who can guess your mother's maiden name.

In many other countries, however, machine-local key files are required for netbanking, requiring a hacker to compromise the user's machine in order to gain access to the account. This is often implemented using Java. (Client certificates would be just as secure and wouldn't require plugins, but suffer from UI inconsistencies between browsers.)

In Denmark, all the banks have recently replaced keyfiles with paper-based one-time tokens. While this could easily be implemented entirely using plain HTML, the banks for unknown reasons continue to require Java. The same Java-based paper token solution is also used to access government websites. Suffice to say, blocking Java is not feasible for Danish users. :-)

Java and online banking

Posted Oct 1, 2011 10:48 UTC (Sat) by spongy (guest, #59953) [Link]

> US netbanking is a joke when it comes to security, with many banks
> handing over your entire account to the first person who can guess your
> mother's maiden name.

What's wrong with "making" your mother's maiden name a 20-30 char string with random l/c, U/C, digits and punctuation marks?

Java and online banking

Posted Oct 1, 2011 11:17 UTC (Sat) by Kwi (subscriber, #59584) [Link]

The fact that your bank may ask you to confirm it over the phone? :-)

Obviously, there are work-arounds, but I personally prefer a solution that isn't broken to begin with.

Two-factor authentication is apparently slowly becoming the norm in the US as well, better late than never. I guess it was a bit embarrassing for the banks to provide less account security than World of Warcraft.

Mozilla and Tor on the TLS attack

Posted Sep 28, 2011 6:09 UTC (Wed) by lab (subscriber, #51153) [Link]

> some Java plugins may be vulnerable

Anyone have anything more specific on the "some" part?

Copyright © 2011, Eklektix, Inc.