Must Know Business Logic Vulnerabilities In Banking Applications

Over the last few years, our On-Demand and Hybrid Penetration Testing platform has performed security testing of applications across various verticals and domains including Banking, e-commerce, Manufacturing, Enterprise Applications, Gaming and so on. On one side, SQL Injection, XSS and CSRF vulnerabilities are still the top classes of vulnerabilities found by our automated scanning system, on the other hand however, there are a lot of business logic vulnerabilities that are often found by our security experts powered by a comprehensive knowledge base.

A business logic vulnerability is defined as security weakness or bug in the functional or design aspect of the application. Because the security weakness or bug is in the function or design, it is often missed by all existing automated web application scanners.

In this blog we are sharing the top commonly found Business Logic Vulnerabilities in the Virtual Credit Creation (VCC) module of a Banking Application.

Consider the following scenario: A Banking Application provides web-based functionality for users to pay bills online as well as to create and manage Virtual Credit Cards. Virtual Credit Cards are used to shop online. A Virtual Credit Card creation use case involves the following steps:

1. User visits the banking application.
2. User opts to create a virtual credit card.
3. User fills in personal details, required amount, expiry date of the VCC, etc.
4. User chooses a payment gateway.
5. User fills in credit / debit card details.
6. Banking Application redirects the user to the Payment Gateway.
7. Required amount + Service Charge are debited from the user's Debit / Credit card.
8. Payment Gateway redirects the user to a Callback URL provided by the Banking Application.
9. Banking Application verifies the Payment Gateway confirmation.
10. Banking Application generates a CVV number.
11. Banking Application presents VCC details to the user.
12. Banking Application performs SMS verification of the user.

A couple of security weaknesses that are found in the above scenario are as follows:

TAMPERING OF DATA COMMUNICATION BETWEEN PAYMENT GATEWAY AND BANKING APPLICATION

Weakness: The Banking Application does not verify whether the required amount was successfully paid on the Payment Gateway side, or what amount was actually paid there. As a result, a virtual card can be loaded with a higher amount while paying a lower amount to the bank, by modifying the amount in the request sent from the Payment Gateway back to the bank.

Mitigation: There should be sufficient validations between the Banking application and the payment gateway. The callback URL should not be allowed to be directly controlled by an attacker.

NO VALIDATION ON BANKING APPLICATION'S CALLBACK URL

Weakness: There is a lack of validation on the Banking Application side when the Payment Gateway redirects a user to the Banking Application's callback URL. As a result, a virtual credit card can be created without paying any service charges, by sending the request directly to the Banking Application's callback URL instead of going through the Payment Gateway.

Mitigation: There should be enough validations on the callback URL including whether the URL is redirected by the Payment Gateway or directly called by an attacker.
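The two callback weaknesses above (amount tampering, and direct calls to the callback URL) share one fix: the bank must treat nothing in the callback as trusted until it has checked the gateway's signature, looked up its own record of the order, confirmed the payment with the gateway directly, and compared the paid amount to what it expected. The following is an added example written for this post, not code from the original article or from any real gateway. The shared secret, order ids, transaction ids and the `GATEWAY_LEDGER` dictionary are all constructed sample data; the ledger stands in for a server-to-server status query to the gateway, and the HMAC-over-sorted-fields signature scheme is an assumption about how such a gateway might sign its callbacks.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed sample values for this example; none are real credentials or orders.
GATEWAY_SECRET = b"shared-secret-issued-by-gateway-to-bank"

# Bank-side record of each VCC order, written before the user is redirected to the
# gateway (step 6). The amount the user must pay is fixed here, not in the callback.
PENDING_ORDERS = {
    "ORD-1001": {"user": "alice", "card_amount": Decimal("100.00"),
                 "service_charge": Decimal("2.50")},
}

# Stand-in for a server-to-server status query to the gateway: what the gateway
# itself says was paid, keyed by the gateway's transaction id (constructed data).
GATEWAY_LEDGER = {
    "TXN-77": {"order_id": "ORD-1001", "amount_paid": Decimal("102.50"), "status": "SUCCESS"},
    "TXN-78": {"order_id": "ORD-1001", "amount_paid": Decimal("1.00"), "status": "SUCCESS"},
}

REQUIRED_FIELDS = ("order_id", "txn_id", "amount_paid", "status")


def sign_callback(fields: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the sorted 'k=v' fields; assumed gateway signing scheme."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def process_callback(params: dict, consumed_txns: set) -> dict:
    """Validate a gateway callback before provisioning a VCC.

    Returns {'ok': bool, 'reason': str, 'card_amount': Decimal | None}.
    """
    def reject(reason: str) -> dict:
        return {"ok": False, "reason": reason, "card_amount": None}

    if any(f not in params for f in REQUIRED_FIELDS) or "sig" not in params:
        return reject("missing fields")

    # 1. The signature proves the parameters came from the gateway, not from the browser.
    body = {k: params[k] for k in REQUIRED_FIELDS}
    if not hmac.compare_digest(sign_callback(body, GATEWAY_SECRET), params["sig"]):
        return reject("bad signature")

    # 2. The callback must reference an order this bank actually created.
    order = PENDING_ORDERS.get(params["order_id"])
    if order is None:
        return reject("unknown order")

    # 3. Replay protection: one gateway transaction provisions at most one card.
    if params["txn_id"] in consumed_txns:
        return reject("transaction already used")

    # 4. Confirm with the gateway directly (not via the user's browser) what was paid.
    ledger = GATEWAY_LEDGER.get(params["txn_id"])
    if (ledger is None or ledger["status"] != "SUCCESS"
            or ledger["order_id"] != params["order_id"]):
        return reject("gateway did not confirm payment")

    # 5. Compare the paid amount to the bank's own record, never to the callback value alone.
    expected = order["card_amount"] + order["service_charge"]
    if ledger["amount_paid"] != expected or Decimal(params["amount_paid"]) != expected:
        return reject(f"amount mismatch: expected {expected}, "
                      f"gateway reports {ledger['amount_paid']}")

    consumed_txns.add(params["txn_id"])
    # The card is loaded with the amount from the bank's record, not from the request.
    return {"ok": True, "reason": "payment verified", "card_amount": order["card_amount"]}
```

Because the card amount is read from `PENDING_ORDERS` rather than from the request, an edited `amount_paid` can only cause a rejection, and a callback hit directly without a gateway signature fails at the first check. The `consumed_txns` set would be a database table in a real deployment.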

VIRTUAL CREDIT CARD NUMBER IS PREDICTABLE

Weakness: Generated Virtual Credit Card numbers are predictable or follow a pattern (for example, sequential account identifiers). As a result, an attacker who obtains one number can infer the numbers issued to other legitimate users.

Mitigation: Virtual Credit Card numbers should be sufficiently random.
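"Sufficiently random" in practice means drawing the account identifier from a cryptographically secure generator, never from a counter or a seeded `random`, and then appending the Luhn check digit so the number is still a well-formed PAN. The block below is an added example for this post, not the bank's or the article's own code. The 6-digit BIN `411111` is a constructed sample prefix, and the `issued` set stands in for the bank's table of already-issued card numbers.

```python
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes partial + digit a valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def generate_vcc_number(bin_prefix: str, issued: set, length: int = 16) -> str:
    """Unpredictable PAN: CSPRNG account identifier under a fixed BIN, plus check digit.

    `issued` is the set of numbers already handed out; it is updated in place so the
    same number is never issued twice.
    """
    body_len = length - len(bin_prefix) - 1    # digits between BIN and check digit
    space = 10 ** body_len
    # Refuse to keep drawing once half the range is used: collisions become frequent
    # and the remaining numbers become easier to guess (see also the exhaustion DoS).
    if len(issued) >= space // 2:
        raise RuntimeError("BIN range half exhausted; rotate to a new BIN")
    while True:
        body = str(secrets.randbelow(space)).zfill(body_len)   # OS CSPRNG, not random()
        partial = bin_prefix + body
        pan = partial + luhn_check_digit(partial)
        if pan not in issued:
            issued.add(pan)
            return pan


if __name__ == "__main__":
    issued = set()
    for _ in range(3):
        print(generate_vcc_number("411111", issued))
```

With a 6-digit BIN and a 16-digit PAN there are 10^9 possible account identifiers, so knowing one issued number tells an attacker nothing about the next; with a sequential scheme it tells them everything.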

NO ANTI-AUTOMATION IN VIRTUAL CREDIT CARD DETAILS VERIFICATION

Weakness: There is no anti-automation (e.g. CAPTCHA) while verifying Virtual Credit Card details such as the CVV number and expiry date. The Credit Card number is sufficiently long; however, the CVV number is generally a 3-digit number and the expiry date is also a 2-digit number. As a result, it is possible to brute-force the CVV number and expiry date, and shop online using a stolen virtual credit card number.

Mitigation: There should be sufficient anti-automation e.g. CAPTCHA while verifying the CVV numbers along with the Credit Card Number.

NO ANTI-AUTOMATION IN CARD CREATION PROCESS

Weakness: There is no anti-automation while creating a virtual credit card. An attacker can use automated scripts to create cards until the available Credit Card Numbers are exhausted, making the service unavailable to legitimate users, i.e. a Denial of Service (DoS) attack. It can also enable other attacks, including Credit Card Number pattern prediction.

Mitigation: There should be sufficient anti-automation, e.g. CAPTCHA, while creating virtual credit card numbers.
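CAPTCHA, as the post recommends, stops a browser-driven script; the server-side complement for both of the anti-automation weaknesses above is an attempt limiter, so that a 3-digit CVV cannot be tried a thousand times and one user cannot mint cards in a loop. The following is an added example, not code from the original article: one sliding-window limiter class is reused for two purposes, counting only failures per card number for CVV verification and counting every attempt per user for card creation. The `CARDS` store, the card `4111111111111111`, its CVV and expiry, and the limits chosen are constructed sample values; a real issuer would keep the CVV hashed or inside an HSM rather than in a dictionary.

```python
import hmac
from collections import defaultdict, deque


class AttemptLimiter:
    """Count events per key in a sliding window; lock the key once the limit is hit."""

    def __init__(self, max_attempts: int, window_seconds: int, lock_seconds: int):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lock = lock_seconds
        self._events = defaultdict(deque)   # key -> timestamps of recent events
        self._locked_until = {}             # key -> time at which the lock expires

    def is_locked(self, key: str, now: float) -> bool:
        return self._locked_until.get(key, 0) > now

    def record(self, key: str, now: float) -> None:
        q = self._events[key]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lock
            q.clear()

    def reset(self, key: str) -> None:
        self._events.pop(key, None)
        self._locked_until.pop(key, None)


# Constructed sample card store for this example only (not a real card).
CARDS = {"4111111111111111": {"cvv": "123", "expiry": "12/27"}}


def verify_card(pan: str, cvv: str, expiry: str, limiter: AttemptLimiter, now: float) -> str:
    """Check CVV and expiry for a PAN; returns 'approved', 'rejected' or 'locked'.

    Failures are counted per card number, so a guessing loop against one stolen
    PAN locks that card after max_attempts wrong answers inside the window.
    """
    if limiter.is_locked(pan, now):
        return "locked"
    card = CARDS.get(pan)
    # Constant-time comparison so timing does not leak how many digits matched.
    ok = (card is not None
          and hmac.compare_digest(card["cvv"], cvv)
          and hmac.compare_digest(card["expiry"], expiry))
    if not ok:
        limiter.record(pan, now)    # unknown PANs are counted too (slows enumeration)
        return "rejected"
    limiter.reset(pan)
    return "approved"


def allow_creation(user: str, limiter: AttemptLimiter, now: float) -> bool:
    """Every creation attempt counts, successful or not, so one user cannot mint
    cards in a loop and exhaust the number range."""
    if limiter.is_locked(user, now):
        return False
    limiter.record(user, now)
    return True
```

Lock duration and window are policy decisions; what matters is that the key for CVV verification is the card number (the thing being attacked), while the key for creation is the authenticated user or session, and that both counters live server-side where a script cannot skip them.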

Finacle Mobile Banking Solution

With mobile devices becoming integral to people's lives, banks are seeking to leverage the ubiquity of mobile phones to create a cost-effective distribution channel, rapidly innovate, extend reach across segments and improve convenience and security of use. However, due to consumer concerns regarding security, the adoption of this channel for value-based transactions has been limited. While some consumers prefer browser-based mobile banking, others use applications that can be downloaded to create a rich interface on the handset. Additionally, the diversity of handheld devices presents a unique challenge for banks seeking to optimize service delivery across the gamut of devices and customer segments.

A truly secure mobile banking solution built on open standards, for increased agility and flexibility, can prove invaluable for banks. The solution must also intuitively address the hurdles posed by multiple form factors and access mechanisms in the mobile space.

Finacle mobile banking solution empowers retail and corporate banking customers with access to banking services through SMS, GPRS/ 3G and USSD-enabled handsets, leveraging a single platform. The solution provides a secure, multi-lingual channel for banks to innovate by easily deploying new services with improved time to market. The end user experience thus created is richer and truly convenient.

Finacle mobile banking solution integrates easily with disparate host systems, core banking solutions, payment networks and third-party applications. The solution leverages Infosys mConnect, the indigenously developed middleware, which orchestrates mobile transactions between users’ devices and the Finacle universal banking solution. Infosys mConnect handles the multiplicity of form factors and access mechanisms on multiple devices to provide a context and device independent view to the transaction server. This presents banks with a powerful channel to service customer segments ranging from the mass affluent to the under-banked or unbanked, surmounting the challenge posed by the diversity of mobile devices.

The ubiquity of the platform adequately addresses the challenges of encryption, communication, synchronization, image resizing, downloading and security. This ushers in the advantages of reduced integration by leveraging common interface messages, maintenance and deployment costs.

Customer On-boarding

Finacle mobile banking enables the bank's existing customers to be enrolled in the mobile channel for banking and payment transactions through the following modes:

Mobile banking facility requested by sending SMS request in prescribed format

Registering for mobile banking through the bank’s Internet banking site

Phone banking leveraging the bank’s tele-banking call center

Mobile Banking and Payments

Customers are enabled to perform several financial transactions on their mobile phones using multiple languages and across multiple time zones. The functional capabilities of the solution include:

Account management and requests like balance inquiry, account aggregation (within and with other banks), mini statements, among others

Term deposit and renewal

Funds transfer (self and third-party accounts with multi-currency support)

Local and international payments with support for expedited payments

Bill presentment and payment

Remote deposit capture

Account origination, Forex rates and calculators

Cheque status inquiry, cheque book requests and stop cheque requests

Customer personalization including account setup and marketing preference

Transaction approvals for corporate customers

ATM and bank branch locator

Remittance request, enquiry and statement

Peer-to-peer payments

Business-to-business payments

Contactless payments

Support for administrative tasks like secure mails to relationship manager, approvals, password/ PIN change, block credit/ debit/ ATM card, customer billing, data synchronization and self-audit

Key Modules

Mobile Financial Management

The solution offers unmatched support to manage finances on the move. This helps banking consumers make informed decisions. A comprehensive set of tools is provided to enhance financial management.

Quantitative (such as EMI calculators) and qualitative analysis tools (such as budget vs. spend analysis)

Transaction tagging

Product selectors and comparators

Virtual financial advisory services through video chat on mobile

Alerts

This module empowers customers to subscribe and receive a wide variety of mobile alerts. The solution supports both push and pull alerts along with customizable alerts via integration with Finacle alerts solution. The module also allows the customer to set preferences and limits for alerts and configure ‘do not disturb’ timings.

Value Added Services

Finacle offers a gamut of value added services that provide extended convenience and comfort to the customer. These include:

Mobile commerce

Mobile ticketing

Mobile top-up for prepaid card recharge

Mobile advertising, based on location, user profile and actions

Mobile remittances to charity causes

Mobile wallet

Demat and stock trading services

Security

Finacle mobile banking solution offers state-of-the-art security through optimized measures. The solution offers:

Two factor authentication – PIN encryption

J2ME MIDP 2.0 support for SSL/ TLS

Encryption of data stored on mobile phone

Support for binary XML

Enabling and disabling of mobile numbers

Support for additional authentication mechanism

Business Benefits

Greater Customer Convenience

Finacle mobile banking solution empowers banking customers to make informed decisions by providing them with an invaluable set of financial management tools on the mobile handset. These tools help in quantitative and qualitative analysis, as well as in the selection and comparison of financial products.

Reduced Turnaround Time

Finacle mobile banking solution has a robust integration framework which allows it to function in tandem with disparate host systems, core banking solutions, payment networks and third-party applications. This translates into reduced go-to-market time for the bank as well as support for legacy systems.

Robust Inclusivity Framework

Finacle mobile banking solution leverages Infosys mConnect to overcome the challenges posed by the multiplicity of form factors and access mechanisms on multiple devices, providing a context-agnostic view to the transaction server. This enables banks to include, through the mobile channel, their various customer segments, ranging from HNWIs to specific unbanked communities, surmounting the complexities of diverse locations and dissimilar mobile devices.

Maximize Innovation

Banks can leverage Finacle solution’s indigenously developed middleware Infosys mConnect, to configure an unlimited palette of services from any channel, to the mobile space, with ease. The need for development of new back end services is precluded due to the availability of a banking solution behind the mobile interface. Finacle also provides the flexibility to deploy services over the existing online banking platform or through a standalone delivery channel interfaced directly with the relevant host systems. This ensures the rapid delivery of a comprehensive range of financial services, embellished with new innovative features, on mobile devices.

Robust Security

The solution offers extensive application security features like URL encryption, referral URL check and session management to provide a robust security framework. The solution also supports OTP (one time password), which provides a two factor authentication mechanism for users transacting with downloadable mobility client. This enables the bank to offer products that are highly secure and geared to withstand the onslaught of security threats associated with mobile transactions.

Cost Savings

The solution presents banks with the advantages of reduced integration by leveraging common interface messages, maintenance and deployment costs. This translates into significant cost savings without banks having to compromise on features or the range of devices supported. The mobile banking solution is inherently independent of the network service provider, obviating the need to build a business model that involves costs and profits sharing with them.

Customer Delight

Finacle mobile banking solution enables banks to offer the convenience of comprehensive anywhere anytime banking, using GPRS, mobile browser or SMS. It supports a wide range of mobile devices and mobile browsers. Banking customers can query on account balances and make fund transfers. Banks can also proactively send timely information to customers in a completely secure environment, whenever a customer-defined event occurs. The solution’s self-service capabilities empower customers to manage their banking activities better. The solution also addresses data transmission and storage related security concerns adequately, delivering a truly streamlined customer experience.

Standard chartered online banking hints and tips

Online banking is a great feature which has come a long way from what it was. Standard Chartered Online Banking offers so many features which make banking much more convenient than it used to be. With the Standard Chartered online banking you can bank from anywhere you want, at any time during the day. You can even do mobile banking by accessing your bank account from your mobile phone as long as you can access the internet with it. Opening a Standard Chartered online bank account is quite simple and it can be done in no time at all. However, with the rise in internet fraud all around the world you have to be careful while using these online banking services.

Yes, you do have to take some common-sense precautions to safeguard your personal information, but if you do so, internet banking can be a safe, secure and convenient way to pay credit cards, access online savings accounts, balance checking accounts and conduct a host of other online financial transactions. So what do you need to do?

Here are a few simple guidelines which you need to follow to have a safe and secure online banking experience with Standard Chartered:

1) Never give the username and password you use to log on to your online account to anyone. Honestly, a bank employee will not ask you for it – so even if someone claims to be part of your bank's staff, do not give it to them.

2) If you receive an email with a link in it that leads to your bank’s website – Ignore it! This is a tactic called phishing that may direct you to a website that will take your login information to gain access to your financial accounts. It may even look exactly like your bank’s website, so always use your direct online banking website URL to access your account. Never click an email link and then sign in to your online banking account. Really!

3) Use your own computer to do your online banking. Shared, public or networked systems at work just make it all the more possible to have your ID stolen.

4) Run CCleaner, or manually clear browser history, cookies, cache and saved passwords after you have accessed your online accounts.

5) No sticky notes or diary entries with your ID, username or password. Keep these to yourself by committing them to memory – or at least write them down somewhere no one but you will ever find them.

6) Never forget to log out after you are done with the bank’s website. If you forget to do this, most of the other things you did above may not matter.

Take the time to follow the few simple steps listed above and you will help keep your Standard Chartered online banking transactions safe, secure and out of the hands of folks that shouldn’t be seeing them anyway. Of course, that goes for any online service you use where personal information is sent over the internet.

Max Nielsen – always looking for great investments and online banking opportunities.

Safe Internet Banking

Tips for safe Internet Banking

How safe is internet banking?
Experts' view on Internet banking right now is that it's not safe. To get to a reasonable level of security you need a good knowledge of computers. If you don't have that knowledge, you're probably better off waiting until the banks get their acts together. The way forward is for them to supply their own software that you install on your own machine and use for accessing your account. Only then will Internet banking be relatively safe for people without computer expertise.

Internet Banking is becoming popular because people feel it is the easy way to deal with money: one can make a PC a live bank, doing all the things a bank can do without actually visiting one. But very few of us are able to protect our accounts from fraud. So if you have a bank account with any bank and use the Internet to make transactions, money transfers or credit card payments, here are some general 'safe-banking' tips that you might do well to follow:

Never use unprotected PCs at cyber-cafes for Internet banking.
Never keep your PIN and credit/debit card(s) together.
Never leave the PC unattended when using Internet banking in a public place.
Never reply to e-mails asking for your password or PIN.
Visit the bank's website by typing the URL into the address bar, not by clicking a link in an e-mail that arrived in your inbox.
Before using Internet banking, verify the domain name displayed to avoid spoof websites.
Log off and close your browser when you have finished using Internet banking.
Never let a stranger assist you at the ATM. Protect your ATM card PIN.
Count the cash and put it in your wallet before leaving the ATM.
Check your monthly credit/debit card statement for unusual activity.
Always draw a line through unused space on a cheque.
Never leave your cheque book unattended.
Never sign blank cheques.
Never keep pre-signed cheques anywhere.
Never hand over signed blank cheques to unknown persons towards pre-EMI/EMI amounts, for opening a savings account or for opening any other account.
Remember to cross your cheque whenever applicable.
Count the number of cheque leaves whenever you receive a new cheque book.