7/27/2019 BCSASIA2005 B02 Marie Hacking Internet Banking Applications
1/52
Hacking Internet Banking Applications
Bellua Cyber Security Asia 2005
By Fabrice A. Marie
http://www.bellua.net/
http://www.fma-rms.com/
2/52
Goal of this presentation
1. Showcase some well-known internet banking application attacks
2. and of course less well-known internet attacks.
3. Explain basically the best-case (for the attacker) scenarios of the attacks.
4. Give guidelines for procurement of banking applications.
5. Give guidelines for additional contractual requirements to take into account.
3/52
Table of Contents
1. Introduction
2. Attacks: Usual suspects
3. Corporate espionage: loss of confidentiality
4. Interesting attacks: Outright fraud
5. Internal frauds
6. Third-party Internet Banking application procurement
7. Conclusions
4/52
1. Introduction
1.1. Banking application architecture
1.2. Common technologies
1.3. What is usually good
1.4. What is usually NOT good
1.5. Requirements for a successful attack
1.6. Tools used
5/52
Banking Application Architecture
- 3-tier architecture: each tier sitting on its own machine or set of machines
- High availability: each tier clustered to ensure fault tolerance and HA
- Firewalls: each tier fronted by a firewall
- Reverse proxy: reverse proxies in front of the web server and the application server
[Diagram: Internet -> Firewall and reverse proxy -> Web Server Cluster -> Firewall and reverse proxy -> Application Server Cluster -> Firewall -> Database Server Cluster -> Firewall -> Host]
6/52
Common Technologies
- Java J2EE
  - WebLogic from BEA
  - WebSphere from IBM
  - Sun One Application Server from Sun
- Pros and Cons:
  - Development done in Java exclusively.
  - Platform independent.
  - Application servers are certified J2EE.
  - Unfortunately all of them offer their own unique "better" features. These "better" unique features are not standard.
  - Not easy to migrate from one J2EE app server to another.
7/52
Common Technologies - continued
- Microsoft .Net
- Pros and Cons:
  - Development done in a myriad of .Net languages.
  - Very simple to shoot yourself in the foot.
  - Documentation widely available but somewhat hard to search through.
  - The whole solution supporting the application is developed by one consistent software provider: Microsoft.
  - .NET applications run almost exclusively on the Microsoft platform.
  - Mono (http://www.mono-project.com/) is working, but no financial application has been developed for it yet.
8/52
What is Usually Good
- Session management
- Password RSA-encrypted end-to-end (on top of SSL; it is a requirement in Singapore at least)
- Good quality audit trails
That's all!
9/52
What is usually NOT good
- Lack of input validation
  - Failure to check that the parameter even exists.
  - Failure to ensure the parameter is really what the application expects.
- Bad quality code
  - Failure to check the return code, or failure to catch the exception.
  - Failure to ensure that the pointer is not null before dereferencing it.
- Programmers become lazier
  - They create a generic framework that cannot adapt properly to a particular exceptional case.
  - They use the wrong hammer to solve a particular problem.
  - They are reluctant to log in detail every exceptional behavior.
11/52
Requirements for a Successful Attack
- Need an account with the bank
  - A valid username and password
  - No smartcard-based end-to-end SSL (regular end-to-end SSL is fine though)
That's all!
- Some attacks are still possible without these conditions, of course. They're just harder to carry out.
12/52
Tools used
- Interactive web proxies
  - Burp (java)
  - Paros (java)
  - Spike (python)
  - Proxomitron (compiled, Windows only)
- Decompilers
  - jad (java)
  - Reflector (.NET)
- Encoders and decoders for MIME, base64, uuencode, hexadecimal
- Lots of internet applications are broken, so unfortunately we have to use IE often
13/52
Tools used - Topology of Attack
[Diagram: Browser -> Proxy -> Internet -> Bank Network]
The proxy helps the attacker to hijack his own requests in order to modify them freely.
14/52
Tools used - e.g. burp proxy
[Screenshot of the proxy; image not recoverable]
15/52
2. Attacks: Usual Suspects
2.1. Cross site scripting
2.2. SQL Injection
2.3. Buffer overflows
2.4. Weak scripts
2.5. Various denials of service
16/52
Cross Site Scripting (XSS)
- Worst enemy of an internet banking application
  - Can create scarily accurate fakes.
- XSS allows the attacker to
  - Steal cookies.
  - Trick the user into giving them their credentials.
  - Modify the appearance of the page.
  - Execute all sorts of malicious JavaScript code.
- Hard to differentiate for a user (same SSL cert., same URL, etc.)
- Effective only when no authentication is required
  - They are usually on the following pages:
    - login page.
    - lost password / reset password request page.
    - logout page.
- For the attack to succeed, the victim still has to be tricked
17/52
SQL Injection
- Generally small chance of success
  - Object-oriented languages, when properly used, almost rule out SQL injections.
- Less effective than Cross Site Scripting for stealing money.
- Very interesting to modify or steal personal data.
- Mostly found on search pages containing complex options
18/52
Buffer Overflow
- Generally very small chance of success
  - Object-oriented languages, when properly used, almost rule out buffer overflows.
  - Firewall will prevent connect-back most of the time.
- Very interesting to gain access to the internal network.
- Failed buffer overflows often lead to application DoS.
- Mostly interesting when found on the login page.
19/52
Weak Scripts
[Not all scripts are created equal]
- Some are especially weaker than others:
  - No input validation whatsoever
  - Don't even check that the parameters are present
  - Verbose error messages
  - Some don't even compile!
- The weakest are extremely easy to find
  - just call them without any parameter and watch!
  - easy to script once you have a list of URLs
  - sometimes they even DoS the whole application
20/52
Denial of Service (DoS)
- It's always easier to destroy than to build
- Common Denials of Service:
  - Recursive operation
  - Extremely long timeouts
  - Blocking operations
  - Buffer overflows
21/52
Denial of Service (DoS) - continued
- Recursive operation
  - The script is supposed to call another script
  - But the attacker tricked it into calling itself
  - Result: uses up all the threads of the server
- Extremely long timeouts
  - The operation should complete in a short time
  - But the attacker forced it to take longer
  - Result: uses up all the threads of the server
22/52
Denial of Service (DoS) - continued
- Blocking operation
  - The script is supposed to read a file or a socket and return data
  - But the attacker tricked it into reading a special blocking file
  - Result: uses up all the threads of the server
- Buffer overflow
  - The operation expects a buffer of a certain size
  - But the attacker overflowed the buffers
  - Result: the thread (or the app server) gets killed by the OS.
23/52
Corporate Espionage: Loss of Confidentiality
3.1. Spying on competitors' transaction history
3.2. Spying on competitors' bill payments
3.3. Spying on competitors' banking messages
3.4. Spying on VIPs' or competitors' credit card bills
24/52
Spying on Competitors' Transaction History
- Log on to the internet banking using your credentials
- Go to the transaction history facility
- Select the request's options as usual
- Submit the request
- Intercept the request
- Replace your account number to match the one of the target
- Forward the request
- Either the application checks and returns an error message, or it doesn't and returns your competitor's info
25/52
Spying on Competitors' Bill Payments
- Log on to the internet banking using your credentials
- Go to the Bill Payment module
- Select the request's options as usual
- Submit the request
- [This one is slightly more tricky]
- Intercept the request
- Replace the bill reference ID with the competitor's one (requires some brute-force)
- Forward the request
- Either the application checks and returns an error message, or it doesn't and returns your competitor's info
26/52
Spying on Competitors' Banking Messages
- Log on to the internet banking using your credentials
- Go to the Internet Banking Messages module
- Select a random message of yours
- Submit the request
- Intercept the request
- Replace the message's message ID with the competitor's one (straightforward brute-force)
- Forward the request
- Either the application checks and returns an error message, or it doesn't and returns your competitor's info
27/52
Spying on VIP or Competitor Credit Card Bills
- Log on to the internet banking using your credentials
- Go to the Credit Card bill facility
- Enter your own credit card number
- Submit the request
- Intercept the request
- Replace your credit card number with another valid credit card number (or the VIP's or the competitor's if you have it).
- Forward the request
- Either the application checks and returns an error message, or it doesn't and returns the credit card info
28/52
Interesting Attacks: Outright Frauds
4.1. Stealing money using Fund Transfer functionality.
4.2. Stealing money using Cashier Orders functionality.
4.3. Buying shares at a discounted price.
4.4. Buying shares for free.
4.5. Avoiding various transaction fees.
4.6. Purchasing insurance for free.
4.7. Changing victim's payee information.
30/52
Stealing Money Using Cashier Order Functionality
[Diagram]
On the web interface: Thief -> Purchase Cashier Order (For: Thief; From account: Thief)
In fact we instruct the bank to: Purchase Cashier Order (For: Thief; From account: Victim)
31/52
Buying Shares at a Discounted Price
[Diagram]
On the web interface: Thief pays for shares at the share price -> Purchase Shares (Shares for: Thief; Paid by: Thief; Number of units: 100; Price per unit: $10)
In fact we instruct the bank to: Purchase Shares at a lower share price (Shares for: Thief; Paid by: Thief; Number of units: 100; Price per unit: $1)
33/52
Avoiding Various Transaction Fees
[Diagram]
On the web interface: Thief performs the transaction and pays the transaction fees (Funds from: Thief; Fees from: Thief)
In fact we instruct the bank to: perform the transaction with Funds from: Thief; Fees from: Victim, so the Victim pays the transaction fees
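The server-side counterpart to the three tampering scenarios above (cashier order debited from the victim's account, shares bought at a lowered price per unit, fees charged to the victim), as an added defender-side example that is not code from the original deck: the order the bank executes is rebuilt from the session and the bank's own records, and the submitted "from account", price and fee payer are either verified against them or ignored. All account ids, symbols and amounts are constructed for the example.

```python
# Added example (not from the original deck): server-side rebuild of a money-moving
# order so that the debit account, the share price and the fee payer come from the
# bank's own records, never from the submitted form. Data below is constructed.
from dataclasses import dataclass

ACCOUNT_OWNER = {"ACC-THIEF": "thief", "ACC-VICTIM": "victim"}   # constructed
SHARE_QUOTES = {"XYZ": 10.00}                                   # authoritative price per unit


@dataclass(frozen=True)
class Session:
    """Who is logged in; set at login, never taken from a request parameter."""
    customer_id: str


class Rejected(Exception):
    pass


def owned_account(session: Session, account: str) -> str:
    """Ownership check shared by every order: the debit account must belong to the caller."""
    if ACCOUNT_OWNER.get(account) != session.customer_id:
        raise Rejected(f"account {account} is not owned by {session.customer_id}")
    return account


def cashier_order(session: Session, form: dict) -> dict:
    """Cashier-order scenario: 'From account' swapped for the victim's in the proxy."""
    debit = owned_account(session, form["from_account"])
    # The fee payer is derived from the verified debit account; a 'fees_from'
    # field in the form (the fee-avoidance scenario) is never read.
    return {"type": "cashier_order", "for": session.customer_id, "from": debit,
            "amount": float(form["amount"]), "fee_from": debit}


def share_purchase(session: Session, form: dict) -> dict:
    """Discounted-shares scenario: 'Price per unit' lowered from $10 to $1 in the proxy.

    The submitted price is only compared with the bank's quote to flag tampering;
    the quote is what gets charged.
    """
    debit = owned_account(session, form["paid_by"])
    units = int(form["units"])
    if units <= 0:
        raise Rejected("units must be positive")
    quoted = SHARE_QUOTES[form["symbol"]]
    if abs(float(form["price_per_unit"]) - quoted) > 0.005:
        raise Rejected("submitted price does not match the bank's quote")
    return {"type": "shares", "symbol": form["symbol"], "units": units,
            "price_per_unit": quoted, "total": round(units * quoted, 2),
            "paid_by": debit, "fee_from": debit}


def process(session: Session, form: dict) -> dict:
    """Entry point: returns the order the bank will actually execute, or an error."""
    handlers = {"cashier_order": cashier_order, "shares": share_purchase}
    try:
        return {"status": "ok", "order": handlers[form["type"]](session, form)}
    except (Rejected, KeyError, ValueError) as exc:
        return {"status": "error", "message": str(exc)}
```

A rejected price mismatch is worth raising an alert on, since a legitimate browser form never disagrees with the quote it was rendered with.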
34/52
Purchasing Insurance for Free
[Diagram]
First Transaction (paid for): Thief gives credit card details ($) to the Payment Gateway; the Payment Gateway returns a transaction number; Thief presents the transaction number to the Bank; insurance purchased.
Subsequent Transactions (unpaid for): Thief replays the same transaction number to the Bank; insurance purchased without the Payment Gateway being paid again.
This replay attack vulnerability is luckily quite rarely found
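The check that closes the replay described above, as an added defender-side example (not code from the original deck): the bank consumes each payment gateway transaction number exactly once, and only after confirming with the gateway that the transaction was captured for at least the premium. The gateway records, ids and amounts are constructed for the example.

```python
# Added example (not from the original deck): one-time use of payment gateway
# transaction numbers, so the number that paid for the first policy cannot be
# replayed to obtain further policies for free. Gateway records are constructed.
import threading

# What the gateway reports for a transaction number (constructed sample data; a real
# bank queries the gateway or verifies a signed receipt instead of a local table).
GATEWAY_RECORDS = {
    "TXN-0001": {"amount": 120.00, "currency": "SGD", "status": "captured"},
    "TXN-0002": {"amount": 20.00, "currency": "SGD", "status": "captured"},
    "TXN-0003": {"amount": 120.00, "currency": "SGD", "status": "declined"},
}


class PolicyStore:
    """Issues insurance policies; each gateway transaction number may pay for one."""

    def __init__(self):
        self._used = {}          # transaction number -> policy id it paid for
        self._policies = []
        self._lock = threading.Lock()   # two replays in parallel must not both win

    def purchase(self, customer: str, premium: float, txn: str) -> dict:
        record = GATEWAY_RECORDS.get(txn)
        if record is None or record["status"] != "captured":
            return {"status": "error", "reason": "payment not confirmed by gateway"}
        if record["amount"] + 1e-9 < premium:
            # A genuine but cheaper transaction must not buy a more expensive policy.
            return {"status": "error", "reason": "payment amount below premium"}
        with self._lock:
            if txn in self._used:
                # Replay attempt: the number already bought a policy. Alert on this.
                return {"status": "error", "reason": "transaction number already used",
                        "policy": self._used[txn]}
            policy_id = f"POL-{len(self._policies) + 1}"
            self._used[txn] = policy_id
            self._policies.append({"policy": policy_id, "customer": customer,
                                   "premium": premium, "txn": txn})
        return {"status": "ok", "policy": policy_id}

    def policies_for(self, customer: str) -> list:
        return [p for p in self._policies if p["customer"] == customer]
```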
35/52
Changing Victim's Payee Information
- Log on to the internet banking using your credentials
- Go to View/Modify Payee Information
- Modify one of your payees' bank account details to become your account details
- Submit the request
- Intercept the request
- Replace the payee ID with the victim's payee ID (fraud more effective if the payee gets paid often and a lot)
- Forward the request
- Either the application checks and returns an error message, or it doesn't and it replaces the payee details with yours
- Every time the victim pays the payee, you get the money
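The decisive step in each of the identifier-swapping scenarios (3.1 to 3.4 and the payee change just above) is whether the application checks ownership. As an added defender-side example that is not code from the original deck, one authorization routine sits in front of every object lookup or update: the customer comes from the authenticated session, the owner of the requested id comes from the bank's records, and a mismatch yields a generic error plus an audit-trail entry. All ids and records are constructed.

```python
# Added example (not from the original deck): one server-side ownership check in
# front of every object lookup or update, so that swapping an account number, bill
# reference, message id, card number or payee id for somebody else's yields an error
# and an audit-trail entry instead of their data. Names and data are constructed.
from dataclasses import dataclass

# object kind -> object id -> owning customer id (constructed sample data)
OWNER = {
    "account": {"ACC-1001": "C1", "ACC-2002": "C2"},
    "bill":    {"BILL-77": "C1", "BILL-78": "C2"},
    "message": {"MSG-5": "C1", "MSG-6": "C2"},
    "card":    {"4111-0001": "C1", "4111-0002": "C2"},
    "payee":   {"PAYEE-9": "C1", "PAYEE-10": "C2"},
}
DATA = {"ACC-1001": "statement of C1", "ACC-2002": "statement of C2",
        "BILL-77": "bill of C1", "BILL-78": "bill of C2",
        "MSG-5": "message of C1", "MSG-6": "message of C2",
        "4111-0001": "card bill of C1", "4111-0002": "card bill of C2"}
PAYEE_ACCOUNT = {"PAYEE-9": "ACC-LANDLORD", "PAYEE-10": "ACC-SUPPLIER"}
AUDIT_LOG = []   # stands in for the bank's audit trail


@dataclass(frozen=True)
class Session:
    """The customer id is fixed at login and never read from a request parameter."""
    session_id: str
    customer_id: str


class Forbidden(Exception):
    pass


def authorize(session: Session, kind: str, object_id: str) -> None:
    """Deny unless the object exists and belongs to the session's customer.

    Unknown ids and foreign ids get the same answer, so the response does not tell
    an id-guessing attacker which bill references or message ids exist.
    """
    allowed = OWNER.get(kind, {}).get(object_id) == session.customer_id
    AUDIT_LOG.append({"session": session.session_id, "customer": session.customer_id,
                      "kind": kind, "object": object_id,
                      "result": "ok" if allowed else "denied"})
    if not allowed:
        raise Forbidden(f"{kind} {object_id} is not available")


def view(session: Session, kind: str, object_id: str) -> dict:
    """Transaction history, bill, message and card-bill lookups all go through here."""
    try:
        authorize(session, kind, object_id)
        return {"status": "ok", "data": DATA[object_id]}
    except Forbidden:
        return {"status": "error", "message": "request cannot be completed"}


def modify_payee(session: Session, payee_id: str, new_account: str) -> dict:
    """Payee change: the payee id in the request must be one of the caller's own."""
    try:
        authorize(session, "payee", payee_id)
        PAYEE_ACCOUNT[payee_id] = new_account
        return {"status": "ok", "payee": payee_id, "account": new_account}
    except Forbidden:
        return {"status": "error", "message": "request cannot be completed"}


def denied_count(session_id: str) -> int:
    """Detection hook: many denials in one session mean id guessing through a proxy."""
    return sum(1 for e in AUDIT_LOG
               if e["session"] == session_id and e["result"] == "denied")
```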
36/52
Internal Frauds
5.1. Running Back-end commands from Front-end.
5.2. Bypassing roles.
5.3. Bypassing authoritative boundaries.
5.4. Masquerading as a customer.
37/52
Running Back End Commands on the Front End
- Back End is the administrative interface of the bank
- To carry out the attack we need:
  - Initial access to the back end to learn how it works
    - Ex-employee
    - Otherwise, brute-force or educated guesses sometimes work.
  - The back-end commands need to be runnable on the front end
    - Either a configuration mistake
    - Or a design mistake
- The attack basically uses the replay mechanism
  - Log on to the front-end using your usual credentials
  - Execute admin commands that you recorded previously
38/52
Bypassing Roles on the Back End
- Back End has roles like admin, clerk, sales, etc.
- To carry out the attack we need:
  - Initial admin access (or any other role we want to attack)
    - Ex-employee, or employee that changed duties
    - Otherwise, brute-force or educated guesses sometimes work.
- The attack basically uses the replay mechanism
  - Log on to the back-end using your usual credentials
  - Execute admin (or other roles') commands that you recorded previously
39/52
Bypassing Authoritative Boundaries
- Back End system allows admins to change a lot of settings, but some of them supposedly cannot be changed
  - All the parameters of the application are sorted by functionality. Each one has its own screen
  - Some of these settings can be changed, others cannot
- To carry out the attack, make a dummy change, and submit
  - Intercept the request
  - Make the change on one of these "unchangeable" settings
  - Forward the request
  - Either the application checks and returns an error message, or it doesn't and it modifies the setting
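The three internal frauds above (5.1 to 5.3) all exploit the absence of a server-side decision point: a recorded admin command replayed on the front end, a command replayed by a lesser role, or an "unchangeable" setting that is only unchangeable because the screen has no field for it. As an added defender-side example that is not code from the original deck, one dispatcher re-authorizes every command against the interface it arrived on and the caller's current role, and settings updates are filtered through an allowlist. Command names, roles and settings are constructed.

```python
# Added example (not from the original deck): a single authorization point for
# back-end commands and settings changes. The interface and the role come from the
# server's own session state, and read-only settings are enforced by an allowlist,
# not by hiding the field on the screen. All names below are constructed.
from dataclasses import dataclass
from typing import Optional

# Which roles may run which commands, per interface. Front-end customers get no
# back-end command at all (5.1); roles are checked per command, not per login (5.2).
PERMITTED = {
    ("backend", "admin"): {"view_customer", "reset_password", "update_settings"},
    ("backend", "clerk"): {"view_customer"},
    ("backend", "sales"): {"view_customer"},
    ("frontend", "customer"): {"view_own_profile"},
}

# Settings the admin screen may change; everything else is read-only (5.3), whatever
# the submitted form contains.
CHANGEABLE_SETTINGS = {"daily_transfer_limit", "session_timeout_minutes"}
SETTINGS = {"daily_transfer_limit": 5000, "session_timeout_minutes": 10,
            "audit_log_enabled": True, "fee_schedule_id": "STD"}   # constructed


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    interface: str   # set by the server from the listener the request arrived on


class Denied(Exception):
    pass


def authorize(p: Principal, command: str) -> None:
    if command not in PERMITTED.get((p.interface, p.role), set()):
        raise Denied(f"{p.role}@{p.interface} may not run {command}")


def update_settings(p: Principal, submitted: dict) -> dict:
    """Apply only allowlisted keys; an extra key is a tampering signal, not a no-op."""
    authorize(p, "update_settings")
    illegal = set(submitted) - CHANGEABLE_SETTINGS
    if illegal:
        raise Denied(f"read-only settings in request: {sorted(illegal)}")
    SETTINGS.update(submitted)
    return dict(SETTINGS)


def run(p: Principal, command: str, args: Optional[dict] = None) -> dict:
    """Dispatcher shared by both interfaces; a replayed command is re-authorized every time."""
    try:
        if command == "update_settings":
            return {"status": "ok", "settings": update_settings(p, args or {})}
        authorize(p, command)
        return {"status": "ok", "command": command}
    except Denied as exc:
        return {"status": "error", "message": str(exc)}
```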
40/52
Masquerading as a Customer
- Back End sometimes allows the bank staff to masquerade as a customer.
  - All the actions are logged.
  - Banking transactions involving movement of money are not available
- Some of them use a two-stage authentication
  - Log on
  - Sign in (as the customer)
- A flaw in the authentication model allows the user to masquerade as a customer
  - Log on as tech support
  - Sign in as customer1
  - Log out by calling the logout function directly (vs clicking on the link)
  - You just became customer1 and audit trails will start failing
41/52
3rd Party Internet Banking Application Procurement
6.1. What you should know before buying
6.2. Role of the internal security staff
6.3. Very explicit security specifications
6.4. Role of the User Acceptance Test (UAT)
6.5. Fair contract
42/52
What You Should Know Before Buying
- The application will have security problems.
  - Internet Banking applications are extremely complex and large
  - Web developers lack security training
- The development company will say it's normal.
  - SQL injection: it's normal.
  - Stealing money: the bank host was supposed to check.
- They will make you pay for security fixes.
  - Since all these security bugs are "normal", fixing them is an "enhancement"
  - You have to pay for enhancements.
- They won't fix the application properly
  - Too costly to fix all the problems
  - Big time-to-market pressure.
43/52
Role of Internal Security Staff
- Send your security staff for regular training.
- Involve them in the buying decision process.
- Involve them in the Application Specifications design phase.
- Involve them in the UAT/QA test.
44/52
Very Explicit Security Specifications
- Security flaws not in the list are charged to your organization
- List in detail the security flaws that the vendor is forced to fix without any additional fee:
  - SQL injections
  - Buffer overflows
  - Cross site scripting
  - Privilege escalation
  - Unauthorized money transfers
  - Unauthorized charges
  - Unauthorized access to data
WARNING: THIS LIST IS NOT EXHAUSTIVE!
45/52
Role of User Acceptance Test (UAT)
- An extensive Quality Assurance plan will
  - reduce the number of regular bugs
  - reduce as well the number of security bugs
- QA test plan should include extensive input validation checks
  - will reduce by about 60% the security flaws found.
- Perform a thorough Application Security Assessment by qualified third parties during the UAT.
46/52
Fair Contract
- Internet Banking Applications are extremely expensive
  - Annual license.
- Negotiate to obtain the source code
  - directly (sign a special license and an NDA)
  - otherwise under escrow (in case the vendor closes down).
- Negotiate to make sure the vendor is liable for fixing bugs
  - regular bugs will cost the bank money if unfixed.
  - security bugs will cost the bank money if unfixed.
- Negotiate so that the vendor pays for any additional security re-check
  - will ensure they treat security seriously.
  - will motivate them to do it right from the start.
47/52
Conclusion: Some Statistics
[Source: the last 15 Internet Banking Application Security Assessments we conducted for major banks in the region]
Percentage of Internet Banking applications...
- from which we did not manage to steal money somehow: 0%
- from which we did not manage to steal personal or financial information: 0%
48/52
Statistics - continued
Breakdown of vulnerabilities by category
[Pie chart. Categories: SQL Injection, Cross Site Scripting, Denial of Service, Stolen money, Loss of confidentiality, System information disclosure, Cryptography, Session related, The rest. Slice values as extracted: 3%, 10%, 3%, 9%, 10%, 25%, 2%, 10%, 28%; the label-to-slice pairing is not recoverable from the extracted text.]
49/52
Statistics - continued
In these 15 application assessments:
- Total number of vulnerabilities found: 258
- Total number of beta quality scripts found: 429
- Total number of unnecessary files found: 339
- Average number of vulnerabilities per application: 17
50/52
Statistics - continued
Average risk rating of vulnerabilities found
[Pie chart. Slice values as extracted: 37%, 19%, 44%; labels as extracted: Low, Medium, High.]
51/52
Questions and Answers
52/52
Thank You!
fabrice@fma-rms.com
http://www.fma-rms.com/