Security B-Sides London 2015

3rd of June 2015
ILEC Conference Centre 47 Lillie Road, London, SW6 1UD
Back To Schedule
Wednesday, June 3 • 2:15pm - 3:00pm
E-banking transaction authorization – possible vulnerabilities, security verification and best practices for implementation

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

During 10+ years of my professional experience as application security expert I had a chance to verify many internet banking solutions. Most of the modern internet or mobile banking applications in Poland use some sort of second factor, such as TAN lists, SMS codes, time-based OTP tokens, challenge-response solutions, smart-cards, mobile tokens, unconnected card readers, etc. to let user verify banking operations and to protect against MitM or malware attacks.
As a result of security tests in pre-production, it turned out that is not very rare, for tested systems to have security flaws regarding implementation of those transaction authorizations mechanisms, especially in the business logic layer, that (if not detected and corrected) could allow attacker to bypass or weaken those safeguards. Vulnerabilities could be caused (as usual) by wrong decisions during planning phase or poor implementation,

During this presentation I would like to throw light on transaction authorization mechanisms security. The agenda will include:
- Discussion and some examples of possible vulnerabilities in a process of authorization of e-banking transactions (including incorrect assumptions and incorrect implementation), that could allow to bypass those security mechanisms.
- Discussion about resistance of selected transaction authorization mechanisms to common banking malware attacks.
- Suggested best practices regarding implementation of transaction authorization.


Wojciech Dworakowski

Wojtek is IT security consultant with over 10 years of experience in the field. He is a business partner in SecuRing, a company dealing with application security testing and advisory. He gained his experience leading multiple penetration tests and security assessments of critical... Read More →

Wednesday June 3, 2015 2:15pm - 3:00pm BST
b. Track 2