Account opening tracker – Security Testing Handbook for Banking Applications

4: Security Testing Repository
150
Account opening tracker
The account opening tracker (AOT) is used to manage the
opening of new accounts and closing of existing accounts in
the bank. The application helps in creating a centralised
repository of all customer information required by the bank
before it opens a new account. It also helps in tracking the
status of various types of accounts such as savings, current,
premium and salary accounts. The application also keeps
track of details of each account such as the minimum
amount that needs to be retained in an account or the
interest earned every year. The tracker also alerts the bank
when a customer exceeds pre-set limits.
Each account opened comes with certain features. For
example, if you have a salary account or direct deposit and
commit to keep $1,000 in your account at all times, the
bank might not charge you a fee per month for usage of
ATMs, extra cheque leaves or phone banking. Some banks
offer overdraft protection when you have multiple accounts
in the same bank. They automatically take money from the
other account if there are insufficient funds in the first
account. The account opening tracker maintains a record of
all the features a particular customer is entitled to and the
fees they are charged.
The administrator can add new products to the application.
This will usually be done when the bank launches a new
service.
Finally, the tracker also maintains records of closed or
disabled accounts. Once the account is completely created
and activated the information is synchronised with other
related applications to ensure consistency throughout.
The AOT might seem like a very small and relatively
insignificant application vis-à-vis other sensitive
applications but it has its part to play in ensuring that
banking operations run smoothly. If an attacker manages to
manipulate the data that this application controls, customers
will be inconvenienced and the bank will lose revenue.
There are two types of users in this application – customer
service representatives and administrators. Customer
service representatives are responsible for entering
customer data into the account opening form.
Administrators are responsible for creating new record
fields for the account opening form and editing the existing
ones.
Threat profile
An attacker creates false account opening requests on behalf of others.
An attacker converts a savings account into a corporate account without authorisation.
An attacker changes the minimum balance that needs to be kept for a savings account.
An attacker modifies the account opening form used by customers.
An attacker obtains privileges that a user with their account type is not allowed to have.
An attacker deletes/modifies valid requests created/approved by another user.
An attacker enables a disabled account.
An attacker adds a new service to the application even before it has been approved.
Test plan
An attacker creates false account opening requests on behalf of others:
o Check if scripts can be embedded in inputs and reflected to users.
o Check if users can be tricked into adding accounts via CSRF attacks.
o Check if privileged data can be accessed without logging into the application.
An attacker converts a savings account into a corporate account without authorisation:
o Check if an account-adding request can be changed to that of another user for privilege escalation.
o Check if a user can be tricked into converting accounts via CSRF attacks.
An attacker changes the minimum balance that needs to be kept for a savings account:
o Check if an account-adding request can be changed to that of another user for privilege escalation.
o Check if validations performed at the browser can be bypassed.
An attacker modifies the account-opening form used by customers:
o Check if a form-editing request can be tampered with and a new field added for privilege escalation.
An attacker obtains privileges that a user with their account type is not allowed to have:
o Check if a user can modify their account type using parameter manipulation.