I don't know how it works in the US, but in Norway most online banks can only be accessed through a Java applet where you enter SSN, password and token-code. Extremely frustrating since whether it works or not in Linux seems like a function of the day of the week, and, well, it's a Java applet.
At least you guys don't have a system that uses ActiveX. That's how it is in South Korea[0], supposedly the world's "most wired" nation. You can only use IE, on Windows, to access online banking services. Things are slowly getting better thanks to the explosion of iPhone/iPad/Mac popularity in Korea (particularly the iPhone), but even now, IE has more than 91% market share in South Korea[1].
Yeah, my reply was rude--I'd delete it if I could but I guess I've passed the point of no return. I can certainly sympathize with software screwing you over.
Not debating the rest of your post, but not all Norwegian banks rely solely on BankID. Just clarifying that there is no national mandated standard here, just a system which banks can opt in on to use. And then they don't have to opt in fully or exclusively.
One example of one who manages to get authentication right, through HTML alone is Skandiabanken. No Java, nonsense or security pains required. They allow you to use BankID too if you like to, but you don't have to.
Java is a never ending story of fun. I had a case where my grandma had issues logging into her online banking account, because the applet threw some sort of error response to her. Turns out that Chrome shipped with a newer version of Java than the banks accepted, and instead of telling her that, they threw an "You're running an old and outdated version of Java, please contact support"-error.
Because the applet produces a digital signature from a cryptographic key on your hard drive. This is much more secure and scalable than sending the password, see [1] and [2].
An alternative solution would be to use an SSL client certificate[3] or the WebCrypto[4] API (still under development).
well, in brazil you even have gbieh.dll - an undeletable, unkillable, always running, mysterious, "security" file/process from banco do brasil. http://www.file.net/process/gbieh.dll.html
Can't tell if trolling or not. That's an URL and they can name it with whatever name they want (.dll, 1761,1238,196.htm, .php, etc), and has absolutely nothing to do with an actual process running on your machine.
No so easy mate. Brazil has one of the largest bank concentration in the world, orchestraded of course by the central bank. We have the choice of 6 major banks, in this order of size -> Banco do Brasil, Itaú, Bradesco, BNDES, Caixa Econômica Federal, Santander
They are all highly regulated and with very little incentive to innovate. So they can screw around and do pretty much nothing at all. The fascist/socialist banking system that exists across the globe is even more pronounced here.
Pretty much every bank in Brazil optimizes for its largest target audience. Since most of their account holders run Windows and Internet Explorer and are able to install a Java runtime, that's what they will go for.
I have accounts on three banks that work well with Ubuntu and Firefox. Only one of them mandates a Java runtime to be installed (and only enforces the requirement on Windows and OSX).
I talked to some of the Mozilla security guys about it back in February at CanSecWest, since we've been blocking out-of-date and dangerous plugins (more than just Java) for a while in Chrome. They seemed in favor of doing it, so it's definitely on their radar.
Plugin management is actually a bit complicated, and in the case of Chrome we've had mulitple levels of it for years. The simplest is click-to-play, where the plugin is replaced with a graphic in the page that you can click to run it. This is the most convenient, but is vulnerable to click-jacking or other trickery. Then there's plugin blocking, which doesn't have the click-to-play weaknesses but is less convenient because you need to enable the plugin through a browser control (ie. infobar, page action, or context menu). Finally there's disabling, which just prevents the plugin from running at all.
For out-of-date and perennially vulnerable plugins (like Java) Chrome uses the second mode, which blocks the plugin unless the user accepts it through an infobar. It's not a perfect defense, but we've found it to be extremely effective at preventing exploits because the vast majority of the users don't let the potentially vulnerable plugin run. I'd really like to see this approach catch on more broadly, but other browser makers are understandably cautious about how they should handle plugins.
As a corporate sysadmin, I should say that the Chrome method is much better than the Firefox one.
We often have slightly out of date plugins, simply because it takes a while to get new versions tested and rolled out. When Firefox blocks them it breaks functionality and can cause a few awkward problems. Generally that just means that the user will use IE instead, so the protection is lost.
I wasn't aware the blocking worked that way in Firefox. We considered going that route as well, but in our testing the optional block was nearly as effective as fully disabling.
It's interesting that you don't mention uninstalling as a final option. Shouldn't the user have the ability to permanently remove a plugin from the browser?
They are working on it - the feature exists, but isn't currently exposed through the GUI configuration as it has some issues.
You can go to "about:config" and enable the option "plugins.click_to_play" if you want to see it. I disabled it as it caused issues with Flash for me, but I've straight up disabled the Java plugin anyway.
There're some banks that still need them. The irony is that, since their applet is signed, the user must click and confirm that he trusts the thing every time. Hackers can leverage that users won't read a damn thing, they will just click next to build an applet with file system access. Why exploit flaws when users will simply click a trust your applet?
I don't trust my bank with a signed applet (why the hell do they need that?), so obviously I only access my internet banking using a VM.
Most corporates that I've seen make heavy use of Java applet based software for internal software (and have multiple versions installed as a result). Also I've seen a fair number of administrative interfaces for IT kit that work via Java Applets...
I've had Java disabled in browsers for a long time and click to activate for other plugins. I've never noticed its absence.
I understand from other comments that banks in some require Java. I have or have had accounts or credit cards with nearly all major banks in the USA and many smaller institutions and none have required any plugins. Some require 3rd party cookies to use services like bill pay or ACH transfers.
Danes. It is used by the government electronic id system (nemid), and is the only way to e.g. make corrections to your tax returns (they are by default filled by the tax authority). Most government and many private (e.g. banks) institutions use it.
I have successfully avoided installing Java on many machines, even when installing browsers. The had to break down when it came time to build Android apps.
