How to Rob an Online Bank (and get away with it) - Acros Security

More documents

Recommendations

Info

Apply: Bankers – Short Term• Currency conversion attacks• Set minimum amount or fee• “Phase 1”: Disallow vulnerability tests• Terms of service: suspend user account if vuln-testing46
Apply: Bankers – Long Term• “Phase 1”: Detect vulnerability tests• OWASP AppSensor*• Terminate user session if testing is detected• Many server-side errors caused by single user• “Phase 2”: Find and fix vulnerabilities• Review your code (tools don’t find logical bugs)• Get help from those who break into banks• Use external pentest for designing and testing“Phase 1” detection* https://www.owasp.org/index.php/OWASP_AppSensor_Project47
Page 4 and 5: Evolution Of E-banking AttacksPAST-
Page 6 and 7: Attacks Against Corporate UsersGoal
Page 8 and 9: Example: Published Corporate Certif
Page 10 and 11: Direct ResourceAccess10
Page 12: Direct Resource Access - URL Base64
Page 15 and 16: Transaction Creation ProcessI want
Page 17 and 18: Negative Numbers - A Devastating Ov
Page 19 and 20: Creating Money Out Of Thin AirNorma
Page 21 and 22: Normal OverdraftAccount #1:Account
Page 23 and 24: Luca Carettoni & Stefano di Paolaht
Page 25 and 26: HTTP Parameter Pollution(Source Acc
Page 27 and 28: SQL Injection27
Page 29 and 30: SQL Injection - Messing With Transa
Page 31 and 32: SQL Injection - Messing With Transa
Page 33 and 34: Automated Signing Of Deposit Agreem
Page 35 and 36: Server-Side Code ExecutionExamples
Page 37 and 38: Other Attacks• Session Puzzling
Page 40 and 41: Knownat leastsince2001Asymmetric Cu
Page 43 and 44: http://blog.acrossecurity.com/2012/
Page 45: Apply45
Page 49: Mitja KolsekACROS d.o.o.www.acrosse

How to Rob an Online Bank (and get away with it) - Acros Security

Create successful ePaper yourself

Delete template?

Save as template?