AppSec Europe 2016 has ended
Friday, July 1 • 12:25 - 13:10
Internet banking safeguards vulnerabilities


All internet banking applications are different, but all of them share many common security features which are very specific to this domain of web applications, such as:
- transaction limits,
- notifications via SMS or e-mail,
- authorization schemes,
- trusted recipients,
- two-factor authentication and transaction authorization,
- pay-by-links,
- communication channel activation (e.g. mobile banking or IVR).
It is not uncommon for these safeguards to be implemented incorrectly, leaving the internet banking application vulnerable.

Last year at AppSec EU I talked about common vulnerabilities in e-banking transaction authorization. As a follow-up to that presentation, the OWASP Transaction Authorization Cheat Sheet was published and gained some attention from banks, developers and testers. This year, I want to continue and expand this work to other security mechanisms which are specific and common to internet banking applications. During my presentation I want to show some common mistakes made during implementation of the above-mentioned internet banking safeguards.
As a follow-up, I am planning to expand the OWASP Transaction Authorization Cheat Sheet into an Internet Banking Cheat Sheet, which will include guidelines for secure implementation of all security mechanisms common to contemporary internet banking applications. At the end of my presentation, I also want to discuss the idea of expanding key OWASP materials such as ASVS, the Testing Guide and the Development Guide by adding appendixes specific to groups of applications (such as internet/mobile banking, e-commerce, etc.).

Proposed agenda:
* Security features of contemporary internet banking – quick overview.
* Examples of vulnerabilities in implementation of these safeguards (logical and technical flaws) and recommendations, e.g.:
- transaction limit bypass,
- trusted recipients feature abuses,
- transaction authorization vulnerabilities (quick recap from the AppSec EU 2015 presentation),
- notification blocking,
- currency exchange rate manipulation (e.g. oscillator, rounding errors),
- unauthorized changes to safeguards configuration.
* Upcoming changes due to PSD2 implementation (Payment Initiation Services, Account Information Services, Strong Customer Authentication).
* Future work announcement and invitation to cooperation (Cheat Sheet, ASVS / Testing Guide / Dev Guide modules).
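Two of the agenda items above, transaction limit bypass and rounding errors in currency exchange, come down to how the server-side limit check and the currency conversion are implemented. The following is an added illustration of a correctly implemented limit safeguard, written for this page and not code from the talk or from any bank; the limits, exchange rates, the minimum transfer amount and the ROUND_HALF_EVEN policy are all constructed assumptions. It checks the converted amount against both a per-transaction and a cumulative daily limit (so splitting one transfer into many does not bypass the daily cap), converts with Decimal rather than float, and measures how far per-transaction rounding drifts from the exact total, which is what a minimum-amount rule is there to bound.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_EVEN

# Constructed limits in the account currency (assumption: PLN account).
PER_TX_LIMIT = Decimal("5000.00")
DAILY_LIMIT = Decimal("10000.00")
MIN_AMOUNT = Decimal("1.00")   # assumption: smallest transfer the bank accepts
CENT = Decimal("0.01")

# Constructed exchange rates: 1 unit of foreign currency in account currency.
RATES = {"PLN": Decimal("1"), "EUR": Decimal("4.3712"), "USD": Decimal("3.9458")}


def to_account_currency(amount: Decimal, currency: str) -> Decimal:
    """Convert and round exactly once, to whole cents (rounding mode is an assumption)."""
    if currency not in RATES:
        raise ValueError(f"unsupported currency: {currency}")
    return (amount * RATES[currency]).quantize(CENT, rounding=ROUND_HALF_EVEN)


@dataclass
class Account:
    # Sum of transfers already authorized today, in account currency (server-side state).
    spent_today: Decimal = Decimal("0.00")


def check_limits(account: Account, amount: Decimal, currency: str):
    """Server-side limit check on the converted amount. Returns (ok, reason)."""
    if amount <= 0:
        return False, "amount must be positive"
    converted = to_account_currency(amount, currency)
    if converted < MIN_AMOUNT:
        return False, "below minimum amount"
    if converted > PER_TX_LIMIT:
        return False, "per-transaction limit exceeded"
    # The daily limit is applied to the cumulative total, not to each transfer alone.
    if account.spent_today + converted > DAILY_LIMIT:
        return False, "daily limit exceeded"
    return True, "ok"


def authorize(account: Account, amount: Decimal, currency: str):
    """Authorize a transfer and record it against today's total if it passes."""
    ok, reason = check_limits(account, amount, currency)
    if ok:
        account.spent_today += to_account_currency(amount, currency)
    return ok, reason


def rounding_drift(amount: Decimal, currency: str, count: int) -> Decimal:
    """Difference between `count` individually rounded conversions and one conversion
    of the total. A non-zero result is the error that per-transaction rounding
    accumulates; MIN_AMOUNT keeps it small relative to the money moved."""
    per_tx_total = to_account_currency(amount, currency) * count
    exact_total = to_account_currency(amount * count, currency)
    return per_tx_total - exact_total


if __name__ == "__main__":
    acct = Account()
    print(authorize(acct, Decimal("1000.00"), "EUR"))   # (True, 'ok'), 4371.20 PLN
    print(authorize(acct, Decimal("1000.00"), "EUR"))   # (True, 'ok'), total 8742.40
    print(authorize(acct, Decimal("1000.00"), "EUR"))   # (False, 'daily limit exceeded')
    print(rounding_drift(Decimal("0.01"), "EUR", 1000))  # -3.71: 1000 tiny conversions drift
    print(check_limits(Account(), Decimal("0.01"), "EUR"))  # (False, 'below minimum amount')
```

The drift figure shows why the minimum-amount rule belongs next to the limit checks: without it, a thousand 0.01 EUR conversions are each rounded independently and the total differs from the true value by several currency units, whereas with the rule in place every accepted transfer is large enough that a half-cent rounding step is negligible.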


Wojtek Dworakowski

IT security consultant with over 15 years of experience in the field. Managing Partner at SecuRing, a company dealing with application security testing and advisory on IT security. Has led multiple security assessments and penetration tests especially for financial services, payment...

Friday July 1, 2016 12:25 - 13:10 CEST
Room A (Michelangelo Ballroom Sect. 3)