What is BankID?
BankID Norge has developed a Norwegian online identification service named BankID. On their home page they write: "BankID er en personlig og enkel elektronisk legitimasjon for sikker identifisering og signering på nett." Translated into English it reads: "BankID is a personal and simple electronic ID for secure authorisation and electronic signing online."
BankID is used by all (?) banks in Norway, as an authorisation / log-in tool for online banking. It's also used by several other sites for identifying / logging in customers. Because of this all (? - at least most) Norwegians using online banking are BankID customers. At the time of writing there are 403 sites using BankID and BankID has in total got 2 796 587 users.
|Key numbers 1st of September 2012. (src: BankID)|
BankID writes a lot about security on their own pages, like:
"Som tilbyder av sikker digital ID og signaturtjeneste på Internett har vi et ansvar for å ta vare på sikkerheten din og beskytte dine personlige data." and "Vår erfaring er at sikkerheten best ivaretas som en kollektiv oppgave som alle brukere deltar i: personene som bruker BankID, våre partnere som lager systemer som inkluderer BankID, og de eksterne sikkerhetsentusiastene som går oss etter i sømmene. Denne fellesinnsatsen betyr mye for å gjøre Internett og BankID tryggere og sikrere for alle."
Which translates: "As a provider of secure digital ID and signature service online, we have a responsibility to take care of your safety and protect your personal data." and "Our experience is that security is best achieved as a collective task with all users involved: people who use BankID, our partners who create systems that include BankID and the external security enthusiasts who visit us in detail. This joint effort means a lot to make the Internet and BankID safer and safer for everyone."
|src : BankId|
|BankID is even using Flash on their own homepage.|
Why Java is bad
Java is a very powerful programming language, which lets you do almost anything. And that is the very reason why you do not want Java running in your browser. In short it means that malicious sites can execute some Java code and get control over the visitor's computer.
|Java has never been safe. In most version security bugs are found. (src: ars technica).|
In theory Java applets are sandboxed, and should have no access to the filesystem or the OS it is running on (read about Java applet security). In real life though that is not the case. Hackers have so far several times used bugs in Java to bypass the sandbox and gain control of computer systems. Recently several stories about security flaws in Java has surfaced in the media. A major security flaw in Java was discovered about four months ago. A fix was released by Oracle this Thursday, with version 7 Update 7. However it took no longer than two till three hours before a new even more serious security bug was discovered. The new bug can give potential hackers full control over PCs.
History has shown that it is just not safe using Java in the browser. It has never been safe and I doubt that it will ever be safe. From a security point of view you do not want anything running in your browser that can get access to the OS.
Why BankID is bad
Since BankID are pushing their Java applets to all banks, and several other sites, every Norwegian that wants to use online banking in Norway needs to install and run Java in their browsers. For most of these Norwegians I assume BankID is the only reason why the install Java at all. And most of these users are not aware of the security flaws in Java, and hence lets Java plugins run all the time which is the default option after having installed it in your browser. When these people accidentally visits a site running some malicious Java code their computers are compromised. So because of BankID their 2.8 million customers are actually a lot more likely to be hacked, than people not having Java installed.
What BankID should do
The answer is simple. They should come up with an alternative to their Java solution ASAP. There is no valid argument why BankID still runs as a Java applet.
What you should do
If you do not need Java uninstall it. If you need it, turn off Java by default in your browser. Only enable Java on sites you trust. Read how to disable Java in Chrome in this post. The same can be done in other browsers. Here is how to do it in Firefox, and here how to in Internet Explorer. You can also secure yourself using NotScript for Chrome and NoScript for Firefox. Read this post on how to secure yourself using Macintosh (and how to disable Java in Safari).
|Customers of Landkreditt Bank can login without using BankID, see bottom link.|
Note that some banks give you the option to use BankID on your mobile (code sent as SMS), and that apps also are developed (BankID on iOS exists, Android is under development). So if you can avoid the BankID Java applet do uninstall Java from you computer (unless you need it for something else that is). Some banks luckily also offer customers to login without using BankID.
What is BankID saying?
I have contacted both DnB, being the biggest bank in Norway, and BankID, with questions on why they are using this technology (all emails in Norwegian).
My email to DnB:
My follow up:
Second follow up (regarding new security holes found in Java):
My email to BankID Norge:
BankID Norge's answer:
My follow up:
BankID Norge says that the reason for BankID being developed in Java, as an applet, is that it was developed for more than 10 years ago. At that time Java seemed like a good choice. OK, if we go back more than 10 years Java might have been a reasonable choice. However if BankID truly are concerned about online security, as they states, they should start developing an alternative solution ASAP. There are no good arguments why BankID should be a Java app today. They should have avoided this technology years ago. Because Java not being safe is nothing new. That there are alternatives (BankID on mobile, as apps) to the BankID app is good, but not sufficient. Because as long as BankID's main solution is a Java app there will always be a fair amount of users using that.