BCSASIA2005 B02 Marie Hacking Internet Banking Applications


7/27/2019 BCSASIA2005 B02 Marie Hacking Internet Banking Applications

Slide 1/52: Hacking Internet Banking Applications

Bellua Cyber Security Asia 2005
By Fabrice A. Marie, [email protected]
http://www.bellua.net/
http://www.fma-rms.com/
Slide 2/52: Goal of this presentation

1. Showcase the well-known internet banking application attacks,
2. and of course the less well-known internet attacks.
3. Explain basically the best-case (for the attacker) scenarios of the attacks.
4. Give guidelines for procurement of banking applications.
5. Give guidelines for additional contractual requirements to take into account.

Slide 3/52: Table of Contents

1. Introduction
2. Attacks: usual suspects
3. Corporate espionage: loss of confidentiality
4. Interesting attacks: outright fraud
5. Internal frauds
6. Third-party Internet Banking application procurement
7. Conclusions

http://www.fma-rms.com/services/itapplicationaudit.php
Slide 4/52: 1. Introduction

1.1. Banking application architecture
1.2. Common technologies
1.3. What is usually good
1.4. What is usually NOT good
1.5. Requirements for a successful attack
1.6. Tools used
Slide 5/52: Banking Application Architecture

- 3-tier architecture: each tier sitting on its own machine or set of machines.
- High availability: each tier clustered to ensure fault tolerance and HA.
- Firewalls: each tier fronted by a firewall.
- Reverse proxy: reverse proxies in front of the web server and the application server.

Diagram (labels as extracted): Internet -> firewall and reverse proxy -> Web Server Cluster -> firewall and reverse proxy -> Application Server Cluster -> firewall -> Database Server Cluster -> firewall -> Host
Slide 6/52: Common Technologies

Java J2EE:
- WebLogic from BEA
- WebSphere from IBM
- Sun One Application Server from Sun

Pros and cons:
- Development done in Java exclusively.
- Platform independent.
- Application servers are certified J2EE.
- Unfortunately all of them offer their own unique "better" features.
- These better unique features are not standard.
- Not easy to migrate from one J2EE app server to another.

Slide 7/52: Common Technologies (continued)

Microsoft .Net

Pros and cons:
- Development done in a myriad of .Net languages.
- Very simple to shoot yourself in the foot.
- Documentation widely available but somewhat hard to search through.
- The whole solution supporting the application is developed by one consistent software provider: Microsoft.
- .NET applications run almost exclusively on the Microsoft platform.
- Mono (http://www.mono-project.com/) is working, but no financial application has been developed for it yet.
Slide 8/52: What is Usually Good

- Session management.
- Password RSA-encrypted from end to end (on top of SSL; it is a requirement in Singapore at least).
- Good quality audit trails.

That's all!

Slide 9/52: What is usually NOT good

- Lack of input validation:
  - Failure to check that the parameter even exists.
  - Failure to ensure the parameter is really what the application expects.
- Bad quality code:
  - Failure to check the return code, or failure to catch the exception.
  - Failure to ensure that the pointer is not null before dereferencing it.
- Programmers become more lazy:
  - They create a generic framework that cannot adapt properly to a particular exceptional case.
  - They use the wrong hammer to solve a particular problem.
  - They are reluctant to log in detail every exceptional behavior.


Slide 11/52: Requirements for a Successful Attack

- Need an account with the bank.
- A valid username and password.
- No smartcard-based end-to-end SSL (regular end-to-end SSL is fine though).

That's all!

Some attacks are still possible without these conditions of course. They're just harder to carry out.

Slide 12/52: Tools used

- Interactive web proxies:
  - Burp (Java)
  - Paros (Java)
  - Spike (Python)
  - Proxomitron (compiled, Windows only)
- Decompilers:
  - jad (Java)
  - Reflector (.NET)
- Encoders and decoders for MIME, base64, uuencode, hexadecimal.
- Lots of internet applications are broken, so unfortunately we often have to use IE.

Slide 13/52: Tools used: Topology of Attack

Diagram: Browser -> Proxy -> Internet -> Bank Network

The proxy helps the attacker to hijack his own requests in order to modify them freely.

Slide 14/52: Tools used: e.g. Burp proxy (screenshot)

Slide 15/52: 2. Attacks: Usual Suspects

2.1. Cross-site scripting
2.2. SQL injection
2.3. Buffer overflows
2.4. Weak scripts
2.5. Various denials of service
Slide 16/52: Cross Site Scripting (XSS)

- Worst enemy of an internet banking application: can create scarily accurate fakes.
- XSS allows the attacker to:
  - Steal cookies.
  - Trick the user into giving them their credentials.
  - Modify the appearance of the page.
  - Execute all sorts of malicious JavaScript code.
- Hard to differentiate for a user (same SSL certificate, same URL, etc.).
- Effective mainly where no authentication is required, since the victim can be sent a link to such a page. They are usually found on the following pages:
  - Login page.
  - Lost password / reset password request page.
  - Logout page.
- For the attack to succeed, the victim still has to be tricked.

Slide 17/52: SQL Injection

- Generally a small chance of success.
- Object-oriented languages and their database APIs, when properly used (parameterised queries rather than SQL built by string concatenation), almost rule out SQL injection.
- Less effective than cross-site scripting for stealing money.
- Very interesting to modify or steal personal data.
- Mostly found on search pages containing complex options.

Slide 18/52: Buffer Overflow

- Generally a very small chance of success.
- Object-oriented, memory-managed languages (Java, .NET), when properly used, almost rule out buffer overflows in the application code itself.
- The firewall will prevent connect-back most of the time.
- Very interesting to gain access to the internal network.
- Failed buffer overflows often lead to application DoS.
- Mostly interesting when found on the login page (no credentials are needed to reach it).

Slide 19/52: Weak Scripts

[Not all scripts are created equal]

- Some are especially weaker than others:
  - No input validation whatsoever.
  - Don't even check that the parameters are present.
  - Verbose error messages.
  - Some don't even compile!
- The weakest are extremely easy to find: just call them without any parameter and watch!
  - Easy to script once you have a list of URLs.
  - Sometimes they even DoS the whole application.

Slide 20/52: Denial of Service (DoS)

It's always easier to destroy than to build.

Common denials of service:
- Recursive operation
- Extremely long timeouts
- Blocking operations
- Buffer overflows

Slide 21/52: Denial of Service (DoS) continued

- Recursive operation:
  - The script is supposed to call another script,
  - but the attacker tricked it into calling itself
  - -> uses up all the threads of the server.
- Extremely long timeouts:
  - The operation should complete in a short time,
  - but the attacker forced it to take longer
  - -> uses up all the threads of the server.

Slide 22/52: Denial of Service (DoS) continued

- Blocking operation:
  - The script is supposed to read a file or a socket and return data,
  - but the attacker tricked it into reading a special blocking file
  - -> uses up all the threads of the server.
- Buffer overflow:
  - The operation expects a buffer of a certain size,
  - but the attacker overflowed the buffer
  - -> the thread (or the app server) gets killed by the OS.

Slide 23/52: Corporate Espionage: Loss of Confidentiality

3.1. Spying on competitor's transaction history
3.2. Spying on competitor's bill payments
3.3. Spying on competitor's banking messages
3.4. Spying on VIPs' or competitors' credit card bills
Slide 24/52: Spying on Competitor's Transaction History

1. Log on to the internet banking using your credentials.
2. Go to the transaction history facility.
3. Select the request's options as usual.
4. Submit the request.
5. Intercept the request.
6. Replace your account number to match the one of the target.
7. Forward the request.
8. Either the application checks and returns an error message, or it doesn't and returns your competitor's info.

Slide 25/52: Spying on Competitor's Bill Payments

1. Log on to the internet banking using your credentials.
2. Go to the Bill Payment module.
3. Select the request's options as usual.
4. Submit the request.

[This one is slightly more tricky]

5. Intercept the request.
6. Replace the bill reference ID with the competitor's one (requires some brute-force).
7. Forward the request.
8. Either the application checks and returns an error message, or it doesn't and returns your competitor's info.

Slide 26/52: Spying on Competitor's Banking Messages

1. Log on to the internet banking using your credentials.
2. Go to the Internet Banking Messages module.
3. Select a random message of yours.
4. Submit the request.
5. Intercept the request.
6. Replace the message's message ID with the competitor's one (straightforward brute-force).
7. Forward the request.
8. Either the application checks and returns an error message, or it doesn't and returns your competitor's info.

Slide 27/52: Spying on VIP or Competitor Credit Card Bills

1. Log on to the internet banking using your credentials.
2. Go to the Credit Card bill facility.
3. Enter your own credit card number.
4. Submit the request.
5. Intercept the request.
6. Replace your credit card number with another valid credit card number (or the VIP's or the competitor's if you have it).
7. Forward the request.
8. Either the application checks and returns an error message, or it doesn't and returns the credit card info.

Slide 28/52: Interesting Attacks: Outright Frauds

4.1. Stealing money using Fund Transfer functionality.
4.2. Stealing money using Cashier Orders functionality.
4.3. Buying shares at a discounted price.
4.4. Buying shares for free.
4.5. Avoiding various transaction fees.
4.6. Purchasing insurance for free.
4.7. Changing victim's payee information.

Slide 30/52: Stealing Money Using Cashier Order Functionality

On the web interface:            Thief -> Purchase cashier order
In fact we instruct the bank to: Thief -> Purchase cashier order <- paid from Victim

Request as submitted:        Request as modified in the proxy:
  Purchase cashier order       Purchase cashier order
  For: Thief                   For: Thief
  From account: Thief          From account: Victim

Slide 31/52: Buying Shares at a Discounted Price

On the web interface:            Thief -> Pay for shares -> Share price
In fact we instruct the bank to: Thief -> Pay for shares -> Lower share price

Request as submitted:        Request as modified in the proxy:
  Purchase shares              Purchase shares
  Shares for: Thief            Shares for: Thief
  Paid by: Thief               Paid by: Thief
  Number of units: 100         Number of units: 100
  Price per unit: $10          Price per unit: $1


Slide 33/52: Avoiding Various Transaction Fees

On the web interface:            Thief -> Perform transaction -> Pay transaction fees
In fact we instruct the bank to: Thief -> Perform transaction; Victim -> Pay fees

Request as submitted:        Request as modified in the proxy:
  Funds from: Thief            Funds from: Thief
  Fees from: Thief             Fees from: Victim
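The cashier order, share price and transaction fee tamperings on slides 30, 31 and 33 share one root cause: a money-moving field (debit account, price per unit, fee-paying account) is read back from the submitted form instead of being derived on the server. Added example, not code from the deck or from any banking product: a Python order handler in its vulnerable form beside a hardened one that binds the debit and fee accounts to the authenticated session, takes the price from a server-side quote, and treats any client copy of those fields that disagrees as tampering to reject rather than silently correct. Account numbers, symbol, quote and session layout are constructed.

```python
from dataclasses import dataclass

# Constructed reference data (not real accounts or prices).
ACCOUNT_OWNER = {"100-001": "thief", "200-002": "victim"}
SHARE_QUOTE = {"ACME": 10.00}   # server-side price per unit
FEE_PER_TRADE = 5.00

@dataclass
class Session:
    user: str
    account: str   # account selected at login; ownership verified then

class Rejected(Exception):
    pass

def place_order_vulnerable(session, form):
    """Trusts every submitted field: debit account, price and fee account all come from the client."""
    units = int(form["units"])
    price = float(form["price_per_unit"])      # attacker submits "1" instead of "10"
    return {
        "funds_from": form["from_account"],   # attacker submits the victim's account
        "fees_from": form["fees_account"],    # likewise
        "amount": units * price,
        "fee": FEE_PER_TRADE,
    }

def place_order_hardened(session, form):
    """Derives every sensitive field server-side; client copies are only checked, never used."""
    symbol = form["symbol"]
    if symbol not in SHARE_QUOTE:
        raise Rejected("unknown symbol")
    units = int(form["units"])
    if units <= 0:
        raise Rejected("invalid units")
    # 1. Money can only leave (and fees can only be charged to) the account bound to the session.
    debit = session.account
    if ACCOUNT_OWNER.get(debit) != session.user:
        raise Rejected("session/account mismatch")
    # 2. Price comes from the server-side quote, never from the form.
    price = SHARE_QUOTE[symbol]
    # 3. If the client echoes these fields back, a mismatch is tampering: reject and log, do not 'fix'.
    for field, expected in (("from_account", debit), ("fees_account", debit),
                            ("price_per_unit", f"{price:.2f}")):
        if field in form and form[field] != expected:
            raise Rejected(f"tampered field: {field}")
    return {
        "funds_from": debit,
        "fees_from": debit,
        "amount": units * price,
        "fee": FEE_PER_TRADE,
    }

# Constructed tampered request: the thief intercepted his own order and edited three fields.
TAMPERED_FORM = {
    "symbol": "ACME", "units": "100",
    "price_per_unit": "1", "from_account": "200-002", "fees_account": "200-002",
}
THIEF = Session(user="thief", account="100-001")

if __name__ == "__main__":
    print(place_order_vulnerable(THIEF, TAMPERED_FORM))
    try:
        place_order_hardened(THIEF, TAMPERED_FORM)
    except Rejected as e:
        print("rejected:", e)
```

Rejecting rather than overwriting the tampered field matters for detection: a customer whose form keeps arriving with someone else's account number is a fraud signal the audit trail should carry.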

Slide 34/52: Purchasing Insurance for Free

First transaction (paid for):
  Thief -> give credit card details -> Bank -> $ -> Payment Gateway
  Payment Gateway -> transaction number -> Bank -> Insurance purchased (Thief)

Subsequent transactions (unpaid for):
  Thief -> same transaction number -> Bank -> Insurance purchased (Thief)
  (no credit card details given, no $ to the Payment Gateway)

This replay attack vulnerability is luckily quite rarely found.
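The replay above works because the bank treats "the gateway knows this transaction number" as proof of payment for this purchase. Added example, not from the deck; the gateway protocol and field names are assumptions: a Python model of both parties, with the vulnerable bank redeeming a transaction number every time it is presented and the hardened bank checking that the gateway's record matches the purchaser, the purpose and the premium, and consuming the number exactly once.

```python
import secrets

# ---- Payment gateway side (constructed model; field names are assumptions) ----
GATEWAY_LEDGER = {}

def gateway_charge(card, amount, purpose, payer):
    """Charge the card, record it, and return the transaction number the bank will be handed."""
    txn = secrets.token_hex(8)
    GATEWAY_LEDGER[txn] = {"amount": amount, "purpose": purpose, "payer": payer}
    return txn

def gateway_lookup(txn):
    """What the bank can ask the gateway: the record for a transaction number, or None."""
    return GATEWAY_LEDGER.get(txn)

# ---- Bank side ----
class BankVulnerable:
    """Proof of payment = 'the gateway knows this number'. True once, therefore true forever."""
    def __init__(self):
        self.policies = []
    def buy_insurance(self, user, txn):
        if gateway_lookup(txn) is None:
            return False
        self.policies.append((user, txn))
        return True

class BankHardened:
    """Binds the payment to this purchase and redeems each transaction number once."""
    PREMIUM = 120.00
    def __init__(self):
        self.consumed = set()
        self.policies = []
    def buy_insurance(self, user, txn):
        rec = gateway_lookup(txn)
        if rec is None:
            return False
        if rec["purpose"] != "insurance" or rec["payer"] != user:
            return False          # paid for something else, or by someone else
        if rec["amount"] < self.PREMIUM:
            return False          # underpaid
        if txn in self.consumed:
            return False          # replay: already redeemed
        self.consumed.add(txn)   # in production: atomic insert under a unique constraint
        self.policies.append((user, txn))
        return True

def demo():
    """Thief pays once, then replays the same transaction number twice more."""
    txn = gateway_charge(card="4111-demo", amount=120.00, purpose="insurance", payer="thief")
    vulnerable, hardened = BankVulnerable(), BankHardened()
    v = [vulnerable.buy_insurance("thief", txn) for _ in range(3)]
    h = [hardened.buy_insurance("thief", txn) for _ in range(3)]
    return v, h

if __name__ == "__main__":
    print(demo())   # vulnerable bank issues three policies for one payment
```

When the bank cannot query the gateway synchronously, the equivalent is a receipt signed by the gateway over the same four fields; the consumed-set check stays, since a signature proves the payment happened, not that it has not already been spent.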

Slide 35/52: Changing Victim's Payee Information

1. Log on to the internet banking using your credentials.
2. Go to View/Modify Payee Information.
3. Modify one of your payee's bank account details to become your account details.
4. Submit the request.
5. Intercept the request.
6. Replace the payee ID with the victim's payee ID (fraud more effective if the payee gets paid often and a lot).
7. Forward the request.
8. Either the application checks and returns an error message, or it doesn't and it replaces the payee details with yours.

Every time the victim pays the payee, you get the money.
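Slides 24 to 27 and slide 35 are the same flaw seen through five screens: the server looks an object up by the identifier in the request (account number, bill reference, message ID, card number, payee ID) without checking that the logged-on customer owns it, and the spying variants turn into fraud as soon as the request is a write. Added example, not code from the deck or from any bank: a Python data-access layer over an in-memory SQLite database with the vulnerable lookups beside a hardened guard that fetches every object through its owner, returns the same error whether an ID exists or not, and counts "not yours" misses per session, since the brute-forcing of bill references and message IDs on slides 25 and 26 shows up as exactly that pattern. Table layout, account numbers and customers are constructed.

```python
import sqlite3

def build_db():
    """Constructed demo data: two customers with their accounts, transactions, messages and payees."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE account (account_no TEXT PRIMARY KEY, customer_id TEXT, balance REAL);
        CREATE TABLE txn (id INTEGER PRIMARY KEY, account_no TEXT, amount REAL, memo TEXT);
        CREATE TABLE message (message_id INTEGER PRIMARY KEY, customer_id TEXT, body TEXT);
        CREATE TABLE payee (payee_id INTEGER PRIMARY KEY, customer_id TEXT, name TEXT, bank_account TEXT);
        INSERT INTO account VALUES ('100-001','thief',50.0), ('200-002','victim',90000.0);
        INSERT INTO txn(account_no,amount,memo) VALUES ('200-002',-25000,'Supplier ACME Ltd');
        INSERT INTO message VALUES (1,'thief','Welcome'), (2,'victim','Your loan was approved');
        INSERT INTO payee VALUES (10,'thief','Landlord','300-003'), (20,'victim','Supplier ACME Ltd','400-004');
    """)
    return conn

# --- Vulnerable: the identifier from the request is the only key; the session is ignored. ---
def history_vulnerable(conn, session_customer, account_no):
    return conn.execute("SELECT amount, memo FROM txn WHERE account_no = ?", (account_no,)).fetchall()

def update_payee_vulnerable(conn, session_customer, payee_id, bank_account):
    conn.execute("UPDATE payee SET bank_account = ? WHERE payee_id = ?", (bank_account, payee_id))
    return conn.execute("SELECT customer_id, bank_account FROM payee WHERE payee_id = ?", (payee_id,)).fetchone()

# --- Hardened: every object is reached through its owner. ---
class NotYours(Exception):
    pass

class Guard:
    """Ownership checks plus a per-session miss counter: a run of 'not yours' lookups is a brute-force signal."""
    MAX_MISSES = 5

    def __init__(self, conn, session_customer):
        self.conn, self.customer, self.misses, self.locked = conn, session_customer, 0, False

    def _owned(self, table, key_col, key):
        # table/key_col are code constants, never request data; the values are bound parameters.
        if self.locked:
            raise NotYours("session locked")
        row = self.conn.execute(f"SELECT 1 FROM {table} WHERE {key_col} = ? AND customer_id = ?",
                                (key, self.customer)).fetchone()
        if row is None:
            self.misses += 1
            if self.misses >= self.MAX_MISSES:
                self.locked = True          # and alert the fraud team
            raise NotYours(f"{table} {key}")  # same error whether the ID exists or not
        return True

    def history(self, account_no):
        self._owned("account", "account_no", account_no)
        return self.conn.execute("SELECT amount, memo FROM txn WHERE account_no = ?", (account_no,)).fetchall()

    def message(self, message_id):
        self._owned("message", "message_id", message_id)
        return self.conn.execute("SELECT body FROM message WHERE message_id = ?", (message_id,)).fetchone()[0]

    def update_payee(self, payee_id, bank_account):
        self._owned("payee", "payee_id", payee_id)
        # The owner is repeated in the UPDATE so a race between check and write cannot widen it.
        self.conn.execute("UPDATE payee SET bank_account = ? WHERE payee_id = ? AND customer_id = ?",
                          (bank_account, payee_id, self.customer))
        return self.conn.execute("SELECT bank_account FROM payee WHERE payee_id = ?", (payee_id,)).fetchone()[0]

if __name__ == "__main__":
    conn = build_db()
    # Slide 24: thief swaps his account number for the victim's in the intercepted request.
    print(history_vulnerable(conn, "thief", "200-002"))
    # Slide 35: thief swaps his payee ID for the victim's, pointing the supplier at his own account.
    print(update_payee_vulnerable(conn, "thief", 20, "100-001"))
```

The guard's error text is identical for "does not exist" and "not yours" so that a message-ID sweep does not tell the attacker which IDs are live; the miss counter is what turns slide 26's "straightforward brute-force" into an alert.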

Slide 36/52: Internal Frauds

5.1. Running back-end commands from the front end.
5.2. Bypassing roles.
5.3. Bypassing authoritative boundaries.
5.4. Masquerading as a customer.
Slide 37/52: Running Back End Commands on the Front End

- Back end is the administrative interface of the bank.
- To carry out the attack we need:
  - Initial access to the back end to learn how it works:
    - Ex-employee.
    - Otherwise, brute-force or educated guesses sometimes work.
  - The back-end commands need to be runnable on the front end:
    - Either a configuration mistake,
    - or a design mistake.
- The attack basically uses the replay mechanism:
  - Log on to the front end using your usual credentials.
  - Execute admin commands that you recorded previously.

Slide 38/52: Bypassing Roles on the Back End

- Back end has roles like admin, clerk, sales, etc.
- To carry out the attack we need:
  - Initial admin access (or any other role we want to attack):
    - Ex-employee, or employee that changed duties.
    - Otherwise, brute-force or educated guesses sometimes work.
- The attack basically uses the replay mechanism:
  - Log on to the back end using your usual credentials.
  - Execute admin (or other roles') commands that you recorded previously.

Slide 39/52: Bypassing Authoritative Boundaries

- Back end system allows admins to change a lot of settings, but some of them supposedly cannot be changed.
  - All the parameters of the application are sorted by functionality.
  - Each one has its own screen.
  - Some of these settings can be changed, others cannot.
- To carry out the attack, make a dummy change and submit.
  - Intercept the request.
  - Make the change on one of these unchangeable settings.
  - Forward the request.
- Either the application checks and returns an error message, or it doesn't and it modifies the setting.
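Slides 37 to 39 are function-level versions of the same mistake: the interface decides what a user may do, so a recorded admin request replayed from the front end, from a lesser role, or against a "read-only" setting goes through. Added example, not code from the deck or from any vendor: a Python dispatcher that re-derives the decision on the server for every call, from a catalogue of which interface and which roles each command is valid for, and a settings handler that rejects any field outside the set its screen owns. Command names, roles and screens are constructed.

```python
class Denied(Exception):
    pass

# Constructed catalogue of server-side operations: the interface each may be invoked from and
# the roles allowed to run it. Hypothetical names, not any product's real command set.
COMMANDS = {
    "view_balance":       {"interfaces": {"front", "back"}, "roles": {"customer", "clerk", "admin"}},
    "transfer":           {"interfaces": {"front"},         "roles": {"customer"}},
    "reset_customer_pin": {"interfaces": {"back"},          "roles": {"admin"}},
    "set_daily_limit":    {"interfaces": {"back"},          "roles": {"admin"}},
}

# Per back-end screen, the settings that screen is allowed to change. Anything else arriving
# with that screen's form is a tampered request to reject and log, not a field to drop quietly.
EDITABLE = {
    "limits_screen":   {"daily_limit", "per_txn_limit"},
    "branding_screen": {"logo", "welcome_text"},
}

def execute(command, params):
    """Stand-in for the real back-end operation."""
    return ("executed", command, dict(params))

def dispatch_vulnerable(interface, session, command, params):
    """Assumes the UI only ever offers permitted commands, so a replayed request is executed as-is."""
    return execute(command, params)

def dispatch_hardened(interface, session, command, params):
    """Re-derives the decision server-side on every call, whatever the client claims."""
    spec = COMMANDS.get(command)
    if spec is None or interface not in spec["interfaces"]:
        raise Denied(f"{command} is not available on the {interface} end")
    if session["role"] not in spec["roles"]:
        raise Denied(f"role {session['role']} may not run {command}")
    return execute(command, params)

def apply_settings_hardened(screen, session, changes, settings):
    """Change only the fields this screen owns; any field outside that set fails the whole request."""
    if session["role"] != "admin":
        raise Denied("settings require admin")
    illegal = set(changes) - EDITABLE.get(screen, set())
    if illegal:
        raise Denied(f"{screen} may not change {sorted(illegal)}")
    settings.update(changes)
    return settings

if __name__ == "__main__":
    # Slide 37: a customer session replays a recorded admin command on the front end.
    replayed = ("reset_customer_pin", {"customer": "victim", "pin": "0000"})
    customer = {"user": "thief", "role": "customer"}
    print(dispatch_vulnerable("front", customer, *replayed))
    try:
        dispatch_hardened("front", customer, *replayed)
    except Denied as e:
        print("denied:", e)
```

The whole-request rejection in `apply_settings_hardened` is deliberate: applying the legal fields and ignoring the rest would leave the forged `pin_retry_limit`-style field invisible in the logs.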

Slide 40/52: Masquerading as a Customer

- Back end sometimes allows the bank staff to masquerade as a customer.
  - All the actions are logged.
  - Banking transactions involving movement of money are not available.
- Some of them use a two-stage authentication:
  - Logon.
  - Sign in (as the customer).
- A flaw in the authentication model allows the user to masquerade as a customer:
  - Log on as tech support.
  - Sign in as customer1.
  - Log out by calling the logout function directly (vs clicking on the link).
  - You just became customer1, and audit trails will start failing.
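The masquerade flaw above is a session-state bug: the back end layers a "signed in as customer" context on top of the staff logon, and a direct call to the logout function peels off the wrong layer. Added example, not the deck's or any vendor's code: a Python model of such a two-stage session with the vulnerable logout beside a hardened one, and an actor resolver that shows whom each audited action is attributed to. Role names, action names and the session layout are constructed.

```python
class SessionError(Exception):
    pass

class BackEndSession:
    """Two-stage authentication as the deck describes: staff logon, then 'sign in as customer'."""
    MONEY_MOVING = {"transfer", "cashier_order", "edit_payee"}

    def __init__(self):
        self.staff = None        # stage 1: the bank employee (tech support, clerk, ...)
        self.customer = None     # stage 2: the customer being impersonated, or None
        self.audit = []          # (actor, on_behalf_of, action)

    def logon(self, staff_user):
        self.staff = staff_user

    def sign_in_as(self, customer):
        if self.staff is None:
            raise SessionError("stage 2 without stage 1")
        self.customer = customer

    def resolve_actor(self):
        """Who the session currently is, as the audit trail will record it."""
        if self.staff is not None:
            return f"staff:{self.staff}"
        if self.customer is not None:
            return f"customer:{self.customer}"   # nobody logged on, yet a customer identity is live
        raise SessionError("no session")

    def act(self, action):
        """Perform an action as whoever the session resolves to, and audit it."""
        actor = self.resolve_actor()
        if action in self.MONEY_MOVING and self.staff is not None:
            raise SessionError("money movement not available while masquerading")
        self.audit.append((actor, self.customer, action))
        return actor

    # Vulnerable: the raw logout function clears the staff logon but leaves the customer context.
    def logout_vulnerable(self):
        self.staff = None

    # Hardened: logging out at any stage destroys the whole session, innermost layer first.
    def logout_hardened(self):
        self.customer = None
        self.staff = None

def masquerade_then_direct_logout(hardened):
    """The deck's steps: log on as tech support, sign in as customer1, call logout directly."""
    s = BackEndSession()
    s.logon("techsupport")
    s.sign_in_as("customer1")
    s.act("view_balance")                      # audited as staff:techsupport on behalf of customer1
    (s.logout_hardened if hardened else s.logout_vulnerable)()
    try:
        actor = s.act("transfer")              # money movement must never succeed from the back end
    except SessionError:
        actor = None
    return actor, list(s.audit)

if __name__ == "__main__":
    print(masquerade_then_direct_logout(hardened=False))
    print(masquerade_then_direct_logout(hardened=True))
```

In the vulnerable run the second audit entry names no staff member at all, which is the "audit trails will start failing" of the slide: the log is still written, but it attributes a transfer to customer1 that customer1 never made.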

Slide 41/52: 3rd Party Internet Banking Application Procurement

6.1. What you should know before buying
6.2. Role of the internal security staff
6.3. Very explicit security specifications
6.4. Role of the User Acceptance Test (UAT)
6.5. Fair contract
Slide 42/52: What You Should Know Before Buying

- The application will have security problems.
  - Internet Banking applications are extremely complex and large.
  - Web developers lack security training.
- The development company will say it's normal.
  - SQL injection: it's normal.
  - Stealing money: the bank host was supposed to check.
- They will make you pay for security fixes.
  - Since all these security bugs are "normal", fixing them is an enhancement.
  - You have to pay for enhancements.
- They won't fix the application properly.
  - Too costly to fix all the problems.
  - Big time-to-market pressure.

Slide 43/52: Role of Internal Security Staff

- Send your security staff for regular training.
- Involve them in the buying decision process.
- Involve them in the application specifications design phase.
- Involve them in the UAT / QA test.

Slide 44/52: Very Explicit Security Specifications

- Security flaws not in the list are charged to your organization.
- List in detail the security flaws that the vendor is forced to fix without any additional fee:
  - SQL injections
  - Buffer overflows
  - Cross-site scripting
  - Privilege escalation
  - Unauthorized money transfers
  - Unauthorized charges
  - Unauthorized access to data

WARNING: THIS LIST IS NOT EXHAUSTIVE!

Slide 45/52: Role of User Acceptance Test (UAT)

- An extensive Quality Assurance plan will
  - reduce the number of regular bugs,
  - reduce as well the number of security bugs.
- The QA test plan should include extensive input validation checks: will reduce by about 60% the security flaws found.
- Perform a thorough Application Security Assessment by qualified third parties during the UAT.

Slide 46/52: Fair Contract

- Internet Banking applications are extremely expensive: annual license.
- Negotiate to obtain the source code
  - directly (sign a special license and an NDA),
  - otherwise under escrow (in case the vendor closes down).
- Negotiate to make sure the vendor is liable for fixing bugs:
  - regular bugs will cost the bank money if unfixed,
  - security bugs will cost the bank money if unfixed.
- Negotiate so that the vendor pays for any additional security re-check:
  - will ensure they treat security seriously,
  - will motivate them to do it right from the start.

Slide 47/52: Conclusion: Some Statistics

[Source: the last 15 Internet Banking application security assessments we conducted for major banks in the region]

Percentage of Internet Banking applications...
- from which we did not manage to steal money somehow: 0%
- from which we did not manage to steal personal or financial information: 0%

Slide 48/52: Statistics (continued)

Breakdown of vulnerabilities by category (pie chart). Categories: SQL injection, cross-site scripting, denial of service, stolen money, loss of confidentiality, system information disclosure, cryptography, session related, the rest. Slice values as extracted, in chart order (the extracted text does not preserve which value belongs to which category): 3%, 10%, 3%, 9%, 10%, 25%, 2%, 10%, 28%.

Slide 49/52: Statistics (continued)

In these 15 application assessments:
- Total number of vulnerabilities found: 258
- Total number of beta-quality scripts found: 429
- Total number of unnecessary files found: 339
- Average number of vulnerabilities per application: 17

Slide 50/52: Statistics (continued)

Average risk rating of vulnerabilities found (pie chart): Low, Medium, High. Slice values as extracted, in chart order: 37%, 19%, 44%.

Slide 51/52: Questions and Answers

Slide 52/52: Thank You!

[email protected]
http://www.fma-rms.com/