How to Rob an Online Bank (and get away with it) - Acros Security

More documents

Recommendations

Info

Evolution Of E-banking AttacksPAST-PRESENTFUTUREBack-EndServerPRESENTOnlineBankingServerFUTURE 2.04
Attacks Against Individual UsersGoal: Identity TheftMethodsE-BankingServerBack-EndServer• Phishing, Fake security alerts• XSS, CSRF• Malware (man in the browser,extraction of certs and private keys)Problems• User awareness• 2-factor authentication• OOB transaction confirmations• Additional passwords/PINs• “Known good” target accounts5
Page 6 and 7: Attacks Against Corporate UsersGoal
Page 8 and 9: Example: Published Corporate Certif
Page 10 and 11: Direct ResourceAccess10
Page 12: Direct Resource Access - URL Base64
Page 15 and 16: Transaction Creation ProcessI want
Page 17 and 18: Negative Numbers - A Devastating Ov
Page 19 and 20: Creating Money Out Of Thin AirNorma
Page 21 and 22: Normal OverdraftAccount #1:Account
Page 23 and 24: Luca Carettoni & Stefano di Paolaht
Page 25 and 26: HTTP Parameter Pollution(Source Acc
Page 27 and 28: SQL Injection27
Page 29 and 30: SQL Injection - Messing With Transa
Page 31 and 32: SQL Injection - Messing With Transa
Page 33 and 34: Automated Signing Of Deposit Agreem
Page 35 and 36: Server-Side Code ExecutionExamples
Page 37 and 38: Other Attacks• Session Puzzling
Page 40 and 41: Knownat leastsince2001Asymmetric Cu
Page 43 and 44: http://blog.acrossecurity.com/2012/
Page 45 and 46: Apply45
Page 47 and 48: Apply: Bankers - Long Term• “Ph
Page 49: Mitja KolsekACROS d.o.o.www.acrosse

How to Rob an Online Bank (and get away with it) - Acros Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?