Friday, July 1 • 12:25 - 13:10
Internet banking safeguards vulnerabilities


All internet banking applications are different, but they share many security features that are specific to this domain of web applications, such as:
- transaction limits,
- notifications via SMS or e-mail,
- authorization schemes,
- trusted recipients,
- two-factor authentication and transaction authorization,
- pay-by-links,
- communication channel activation (e.g. mobile banking or IVR).
It is not uncommon for these safeguards to be implemented incorrectly, leaving the internet banking application vulnerable.

Last year at AppSec EU I talked about common vulnerabilities in e-banking transaction authorization. As a follow-up to that presentation, the OWASP Transaction Authorization Cheat Sheet was published and gained some attention from banks, developers and testers. This year, I want to continue and expand this work to other security mechanisms which are specific and common to internet banking applications. During my presentation I want to show some common mistakes made during implementation of the above-mentioned internet banking safeguards.
As a follow-up, I am planning to expand the OWASP Transaction Authorization Cheat Sheet into an Internet Banking Cheat Sheet, which will include guidelines for secure implementation of all security mechanisms common to contemporary internet banking applications. At the end of my presentation, I also want to discuss the idea of expanding key OWASP materials such as the ASVS, Testing Guide and Development Guide by adding appendices specific to groups of applications (such as internet/mobile banking, e-commerce, etc.).

Proposed agenda: 
* Security features of contemporary internet banking – quick overview. 
* Examples of vulnerabilities in implementation of these safeguards (logical and technical flaws) and recommendations, e.g.:
- transaction limit bypass,
- trusted recipients feature abuses,
- transaction authorization vulnerabilities (quick recap from AppSec EU 2015 presentation),
- notification blocking,
- currency exchange rates manipulation (e.g.: oscillator, rounding errors),
- unauthorized changes to safeguards configuration.
* Upcoming changes due to PSD2 implementation (Payment Initiation Services, Account Information Services, Strong Customer Authentication). 
* Future work announcement and invitation to cooperation (Cheat Sheet, ASVS / Testing Guide / Dev Guide modules). 
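The abstract names transaction limit bypass and currency rounding errors as typical implementation flaws but does not spell out what a weak and a sound limit check look like. The following is an added illustration written for this page, not code from the talk, OWASP or SecuRing: a naive check that compares the raw, user-supplied amount with a base-currency limit beside a server-side check that converts to a canonical currency with explicit rounding and enforces a cumulative daily total. The exchange rates, account fields and limit values are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

# Constructed exchange rates into the base currency (EUR); placeholders, not real rates.
RATES_TO_EUR = {
    "EUR": Decimal("1.00"),
    "GBP": Decimal("1.20"),
    "PLN": Decimal("0.23"),
}
CENT = Decimal("0.01")  # minor unit used for all stored amounts


@dataclass
class Account:
    per_transaction_limit_eur: Decimal          # limit for a single transfer
    daily_limit_eur: Decimal                    # cumulative limit per calendar day
    spent_today_eur: Decimal = Decimal("0.00")  # running total already approved today
    day: date = date(2016, 7, 1)                # day the running total refers to


def naive_limit_check(account, amount, currency):
    """Weak check: compares the raw amount with a EUR limit, ignoring the
    currency of the transfer and the running daily total."""
    return Decimal(str(amount)) <= account.per_transaction_limit_eur


def to_eur(amount, currency):
    """Convert to the base currency and round to minor units explicitly,
    so the stored total never carries sub-cent residue."""
    return (amount * RATES_TO_EUR[currency]).quantize(CENT, rounding=ROUND_HALF_UP)


def authorize_transfer(account, amount, currency, today):
    """Server-side limit check in a canonical currency with a cumulative daily total.
    Returns (approved, reason); the running total is updated only on approval."""
    if currency not in RATES_TO_EUR:
        return False, "unknown currency"
    amount = Decimal(str(amount))
    if amount <= 0 or amount != amount.quantize(CENT):
        # Reject non-positive amounts and sub-cent precision that rounding could distort.
        return False, "invalid amount"
    if today != account.day:
        # First transfer of a new day: reset the running total.
        account.day, account.spent_today_eur = today, Decimal("0.00")
    amount_eur = to_eur(amount, currency)
    if amount_eur > account.per_transaction_limit_eur:
        return False, "per-transaction limit exceeded"
    if account.spent_today_eur + amount_eur > account.daily_limit_eur:
        return False, "daily limit exceeded"
    account.spent_today_eur += amount_eur
    return True, "approved"


if __name__ == "__main__":
    acct = Account(Decimal("1000.00"), Decimal("1000.00"))
    print(naive_limit_check(acct, "1000", "GBP"))                 # True: 1200 EUR passes the weak check
    print(authorize_transfer(acct, "1000", "GBP", date(2016, 7, 1)))
    print(authorize_transfer(acct, "600", "EUR", date(2016, 7, 1)))
    print(authorize_transfer(acct, "600", "EUR", date(2016, 7, 1)))  # second 600 exceeds the daily limit
```

In a real deployment the running total would live in the database and be updated in the same transaction that books the transfer, so two concurrent requests cannot both read the old total; the in-memory field here stands in for that record.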

Speakers

Wojtek Dworakowski

Wojtek Dworakowski, SecuRing Managing Partner. Wojtek is an application security consultant with over 10 years of experience and a managing partner of SecuRing, a company dealing with application security testing and advisory. Over the last years he has been helping banks, major financial institutions and software vendors to achieve a proper level of application security, including ING, BNP, KBC, UniCredit Group, Sage and Sodexo. Member of Crisis...

Friday July 1, 2016 12:25 - 13:10
Room A (Michelangelo Ballroom Sect. 3)