E-banking transaction authorization – possible vulnerabilities, security verification and best practices for implementation presented at BSidesUK 2015

by Wojciech Dworakowski

Summary: During more than 10 years of professional experience as an application security expert I have had the chance to verify many internet banking solutions. Most modern internet and mobile banking applications in Poland use some sort of second factor, such as TAN lists, SMS codes, time-based OTP tokens, challenge-response solutions, smart cards, mobile tokens, unconnected card readers, etc., to let users verify banking operations and to protect against MitM or malware attacks.
As a result of security tests in pre-production, it turned out that it is not very rare for tested systems to have security flaws in the implementation of those transaction authorization mechanisms, especially in the business logic layer, which (if not detected and corrected) could allow an attacker to bypass or weaken those safeguards. Vulnerabilities could be caused (as usual) by wrong decisions during the planning phase or by poor implementation.
During this presentation I would like to throw light on the security of transaction authorization mechanisms. The agenda will include:
- Discussion and some examples of possible vulnerabilities in the process of authorizing e-banking transactions (including incorrect assumptions and incorrect implementation) that could allow an attacker to bypass those security mechanisms.
- Discussion of the resistance of selected transaction authorization mechanisms to common banking malware attacks.
- Suggested best practices for implementing transaction authorization.
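As an added illustration of the business-logic point above (example code written for this page, not material from the talk): the server-side check below binds a one-time authorization code to the exact transaction it was issued for, shown beside a deliberately defective check that only compares the code value. The defect shown is an assumption about one common implementation class rather than a finding quoted from the talk; the SMS-style 8-digit code derived with an HMAC, the account numbers, the time-to-live and the function names are all constructed.

```python
"""Transaction authorization: a code bound to the transaction content versus one that is not.

Added example, not from the talk. The weakness shown (a code accepted regardless of
which transaction is executed) is an assumption about one common implementation
defect; the key, account numbers, TTL and code format are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment would hold this in an HSM.
SERVER_KEY = secrets.token_bytes(32)
CODE_TTL_SECONDS = 120

# Pending transactions awaiting the user's confirmation, keyed by transaction id.
# Each entry keeps the data the user was shown, the code sent to them, an expiry
# and a used flag so that every code is single-use.
_pending: dict = {}


def canonical_transaction(tx: dict) -> bytes:
    """Fixed field order so the code covers exactly what the user saw and confirmed.
    (Assumes field values never contain the '|' separator.)"""
    fields = ("from_account", "to_account", "amount", "currency")
    return "|".join(str(tx[k]) for k in fields).encode()


def issue_code(tx: dict, tx_id: str, now: Optional[float] = None) -> str:
    """Register the transaction and return the 8-digit code that would be sent to the user.

    The code is an HMAC over the transaction id and content, so a code issued for
    one transfer is never valid for a different one.
    """
    now = time.time() if now is None else now
    msg = tx_id.encode() + b"|" + canonical_transaction(tx)
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"
    _pending[tx_id] = {"tx": dict(tx), "code": code,
                       "expires": now + CODE_TTL_SECONDS, "used": False}
    return code


def verify_weak(tx_id: str, submitted_tx: dict, code: str) -> bool:
    """Defective check: compares the code only and ignores which transaction is executed,
    so a transfer altered after the code was issued is still accepted."""
    entry = _pending.get(tx_id)
    return entry is not None and hmac.compare_digest(entry["code"], code)


def verify_bound(tx_id: str, submitted_tx: dict, code: str,
                 now: Optional[float] = None) -> bool:
    """Hardened check: the code must match, be unexpired and unused, and the transaction
    being executed must be byte-for-byte the one the code was issued for."""
    now = time.time() if now is None else now
    entry = _pending.get(tx_id)
    if entry is None or entry["used"] or now > entry["expires"]:
        return False
    if canonical_transaction(submitted_tx) != canonical_transaction(entry["tx"]):
        return False  # what is executed is not what the user confirmed
    if not hmac.compare_digest(entry["code"], code):
        return False
    entry["used"] = True  # single use: replaying the same code is rejected
    return True


if __name__ == "__main__":
    # Constructed sample: the user confirms a transfer, then the recipient is changed.
    tx = {"from_account": "PL00 0000 1111", "to_account": "PL00 0000 2222",
          "amount": "100.00", "currency": "PLN"}
    code = issue_code(tx, "tx-1")
    altered = dict(tx, to_account="PL00 0000 9999")
    print("weak check accepts altered recipient:", verify_weak("tx-1", altered, code))
    print("bound check accepts altered recipient:", verify_bound("tx-1", altered, code))
    print("bound check accepts original:", verify_bound("tx-1", tx, code))
```

The design choice worth noting is that the binding lives on the server: the code is derived from, and verified against, the transaction record the user was shown, not from whatever the client submits at execution time, which is what makes a change introduced between confirmation and execution detectable.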