I was asked some time ago to provide a list of things which may be considered when looking at Internet Banking.
Below is the list. It was just a brain dump and as such may not be complete.
Don’t underestimate the value of standards for your infrastructure, website configuration, database engine configuration/architecture,staging environment and development/QA environments.
Some thoughts:
- Many don’t lock accounts after X failed logins, this is normally done for good customer service, but leaves the system vulnerable.
– And all the other things expected for a remote login session (forced password changes, aging, etc))
– Tools such as Brutus may be use to brute force hack authenticated sessions.
- Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customer session.
– These may be server side, client side, cookie based, etc.
– Get someone to check the development methodologies and the code being used.
– Database query strings can be placed into test entry fields, allowing table dumps to browser.
– Check all pages served are secure and contain user authentication flags.
- Customer data may not be segregated, this needs to be checked.
- Customer data should not reside on the Web Server.
- Authentication databases / system data should not reside on the webserver.
- The databases should reside on a private/semi-private network.
– A different segment to the main banking system.
- Webserver should be dual homed or equivalent (some VLAN techniques are good)
– Separate private and public network cards, monitoring/backup/administration
– Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the network.
- At all data segregation points ensure rules are in place which appreciates the traffic though that point.
- All customer data where possible should be sourced from a secure back-end database.
– This may be a staging environment. i.e. no the main banking system.
– This usually allows for transactions to appear real time to the customer.
– Many transactions may be batched in reality. (internal or external to the bank)
- Ensure suitable rules have been set-up on firewalls.
– There should be inbound and outbound rules on firewalls and filtering routers.
- Don’t allow any infrastructure on the front end to allow remote administrative connections. (telnet, etc.)
– Use the serial console port to connect to a server or back-end terminal server.
- Look for the segregation / staging of online customer content from main banking systems
- Ensure that a separate development / QA / production environment system and suitable process is in place.
- Services not used by the system are active
– These should be disabled.
- Port scan of the supporting infrastructure (routers /switches) and server(s).
– Investigate the reasons for all open ports.
- Don’t use the main gateway for trusted partner access (clearing / RAS / etc.)
- Do all that standard IIS checks and NT checks (Sample scripts, change management, patching methodologies, etc.)
- Ensure denial of service precaution have been taken into account for all infrastructure and server equipment.
- Check the adequacy of the escalation procedures used.
– Look for real-time monitoring and alerting.
– Look for responsibility matrix.
– Look for ownership of issues.
- Consider upstream carrier(s) vulnerability (denial of service, IP spoofing, DNS hacking, etc)
- Consider social engineering of customer, administrative, partner accounts / systems / infrastructure.
– Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).
- Use dynamic passwords where possible (SecureID, TACACS, etc.).
- Use encrypted tunnelling where needed (IPSec, Firewall 1, etc)
- Consider looking at other customer authentication methods to enhance existing methods.
– Digital cert, IP address locked to account, etc.
– Consider use of CVV or CVN for bank issued cards.
- Consider how passwords are distributed /changed for customers.
– Plain text email, telephone, etc.
– Can passwords be changed online?
- Is additional authentication used between sections of the services once authenticated?
- Consider what the customer has access to once authenticated.
– Look at SWIFT, RTGS, inter-bank transfers, access to credit cards, etc.
– If an attacker does get in, what can the do?
- Use techniques to ensure pages, customer details are not cached at ISP, or client system.
– These are flags that can be set within pages.
– Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
– Caching of SSL pages on the client system can be turned on on some browsers.
– May banks use a Java (or similar) applet for all customer interaction, restricting all caching issues.
- Ensure paper based and on-line liability clauses are available are address all effected areas.
- Ensure within the customer sign-up process banking liability is reduced.
– I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
– Not very customer focused, but that’s what their legal department recommended.
All of the above can effect the security and/or operation of an on-line banking system.
Other things to consider:
- External development and support of the application.
- Ownership and management of the hardware/applications
- Publishing points for new content (internal/private/trusted network or Internet)
- Topology of front end. i.e. Security Architecture document should be in place and managed appropriately.
- Are limited AP tests performed whenever changes are made to the environment? i.e. integrated AP into Change management process.
- Database access. Is it buffered or is it live to the core banking systems.
- What facilities are provided? Direct debit + Credit Card + SWIFT + ……. Consider different scenarios for your attack depending on the feature.
- What other services are shared within the network segment that the Internet Banking service is running. Can this be used to compromise the Internet Banking site. eg. different support/business/development organisations with differing security strategies/profiles.
- Consider all external supporting services within you AP. Look at internal/external DNS poisoning opportunities, mail relay, etc. What IPS’s do they use has the ISP any opportunity to access systems or supporting services which may affect Internet Banking.
- Depending on the size of the Bank, many organisation do not use the same support groups for infrastructure and the application. As a result external connections to the infrastructure may be provided for an external support organisation to administer the infrastructure.
- Look at the business and user authentication methods and paths (client side certs, secure ID, SMART Card, etc). Consider two factor authentication and modern user identification methods. eg. what is your favourite food in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (secureID, etc)?
- See if the Internet Banking application sends email to users which may contain interesting information.
- Better access to the application can generally be gained after access to the system. i.e. get an legitimate account on the system. I have found that some sample/administration screens have been restricted to authenticated users only.
- Consider social engineering the Help desk to have an account password reset.