Balance viewer terminals – Security Testing Handbook for Banking Applications

4: Security Testing Repository
172
o Check if confidential reports are visible in browser
cache/history.
o Check if confidential reports can be accessed directly
without logging into the application.
Balance viewer terminals
At times a customer only wants to check their account
balance while at a bank branch or an ATM. For this they can
use the pre-installed terminals called ‘balance viewers’,
which are installed at bank branches and ATM locations.
Balance viewer terminals are similar to point-of-sale
terminals: they are embedded devices integrated with the
software that manages them. A customer swipes their
credit/debit card at the machine and enters their PIN; once
authenticated, they are offered options such as viewing the
account balance and transaction history. The application
benefits both the bank and its customers: the bank avoids
handling routine balance queries at the counter, and
customers need not wait in line to have their queries
resolved – they only have to go to the nearest location
where a balance viewer is set up.
The balance viewer exposes key functions of the Internet
banking website. More advanced versions even allow fund
transfers. The application is primarily aimed at customers
who do not want to transfer money through Internet banking
or mobile banking but still want to keep track of account
activity. It can help improve business at a bank, especially
in busy branches.
The balance viewer is an embedded system. When performing a
security assessment of such a machine we test not only the
application but also the network to which the system is
connected and the bank’s physical security policies. If
required we also refer to the PCI DSS (Payment Card Industry
Data Security Standard) and audit the machine against its
card data storage requirements, since the terminal reads
card data and accepts PINs. The application is primarily a
helper application for the bank, but it is still important
from a security perspective because of the sensitivity of
the data it processes.
Threat profile
An attacker logs in on behalf of others by swiping their
credit/debit card.
An attacker bypasses authentication by using flaws in
the PIN authentication process.
An attacker logs in without swiping the card.
An attacker views statements of others.
An attacker views pending cheque status of others.
An attacker applies for credit cards or loans on behalf of
others.
An attacker views sensitive data stored inside the
embedded system.
Test plan
An attacker logs in on behalf of others by swiping their
credit/debit card:
o Check if a user can gain unauthorised access to the
system using parameter manipulation.
o Check if a user can gain unauthorised access to the
system by manipulating SQL queries using SQL
injection.
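The following is an added example for the SQL injection check above; it is not code from the handbook or from any terminal vendor. It models the card/PIN lookup a balance viewer might run at login, once with the swiped data pasted into the SQL text and once with bound parameters, so the check can be rehearsed offline. The card numbers, PINs, account ids and the in-memory table are made-up test data.

```python
"""Constructed example: a balance-viewer login lookup, written with the
swiped card data formatted into the SQL string and then with bound
parameters. Card numbers, PINs and account ids are made-up test data."""
import sqlite3


def make_db():
    """In-memory stand-in for the host's card table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (card_no TEXT PRIMARY KEY, pin TEXT, account TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        ("4111111111111111", "1234", "ACC-001"),
        ("5500000000000004", "9876", "ACC-002"),
    ])
    return conn


def login_vulnerable(conn, card_no, pin):
    """Query built by string formatting. The card number comes off the
    magnetic stripe, which an attacker can encode with arbitrary text, so
    it is attacker-controlled input that lands inside the SQL statement."""
    sql = ("SELECT account FROM cards WHERE card_no = '%s' AND pin = '%s'"
           % (card_no, pin))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, card_no, pin):
    """Same lookup with bound parameters: the driver passes card_no and pin
    as values, so quotes or comment markers in them cannot alter the query."""
    row = conn.execute(
        "SELECT account FROM cards WHERE card_no = ? AND pin = ?",
        (card_no, pin)).fetchone()
    return row[0] if row else None


# Payload for the test-plan check: a card encoded with this string closes the
# quoted card_no, selects the victim's account and comments out the PIN test.
INJECTED_CARD = "' OR account = 'ACC-002' --"


def run_check():
    """Returns what each implementation does with a genuine card, a wrong PIN
    and the injected card; the test-plan step passes only if the injected
    card is refused."""
    conn = make_db()
    return {
        "vuln_genuine": login_vulnerable(conn, "4111111111111111", "1234"),
        "vuln_wrong_pin": login_vulnerable(conn, "4111111111111111", "0000"),
        "vuln_injected": login_vulnerable(conn, INJECTED_CARD, "0000"),
        "hard_genuine": login_hardened(conn, "4111111111111111", "1234"),
        "hard_wrong_pin": login_hardened(conn, "4111111111111111", "0000"),
        "hard_injected": login_hardened(conn, INJECTED_CARD, "0000"),
    }


if __name__ == "__main__":
    for name, result in run_check().items():
        print(f"{name}: {result}")
```

Note that the parameterised version fixes only the injection. The table above still holds PINs in the clear so that the comparison can happen in SQL; that is a separate finding under the PIN-authentication threat that follows, where in a real deployment the PIN is carried as an encrypted PIN block and verified by the host's HSM rather than compared in a query.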
An attacker bypasses authentication by using flaws in the
PIN authentication process:
o Check if the encryption or obfuscation the application
uses to protect card PINs, in storage and in transit, is
weak enough for a user to crack.
o Check if a user can gain access using a forged or cloned
card together with their own PIN, or their own card with
another customer’s PIN, i.e. whether card and PIN are
verified as a pair.
An attacker logs in without swiping the card:
o Check if a user can gain unauthorised access to the
application by capturing a previous authentication
exchange and resending it (replay attack).
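The following is an added example for the replay check above; it is not code from the handbook or from any terminal vendor. It models the terminal’s authentication message to the host, first as a static message that can be captured on the network and resent, then as a challenge-response exchange in which the host binds a single-use nonce into the MAC. The shared key, card number and PIN block are made up, and HMAC-SHA256 stands in for whatever MAC scheme a real terminal key hierarchy would use.

```python
"""Constructed example: terminal-to-host login, as a replayable static
message and as a nonce-bound challenge-response. Key, card number and
PIN block are made up; HMAC-SHA256 stands in for the terminal's real MAC."""
import hashlib
import hmac
import os

# Assumption: one symmetric key shared between this terminal and the host.
TERMINAL_KEY = b"constructed-terminal-key-0001"
CARD = "4111111111111111"          # constructed card number
PIN_BLOCK = "0412ac3f9e7b2c10"     # constructed, stands in for an encrypted PIN block


def mac(*fields):
    """MAC over the pipe-joined fields under the terminal key."""
    return hmac.new(TERMINAL_KEY, "|".join(fields).encode(),
                    hashlib.sha256).hexdigest()


# --- weak design: every swipe of the same card yields the same message ---
def static_auth_msg(card, pin_block):
    return {"card": card, "pin_block": pin_block, "mac": mac(card, pin_block)}


def host_verify_static(msg):
    return hmac.compare_digest(msg["mac"], mac(msg["card"], msg["pin_block"]))


# --- hardened design: host nonce bound into the MAC and consumed on use ---
class Host:
    def __init__(self):
        # Nonces issued but not yet used; a real host would also expire them.
        self.outstanding = set()

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    def verify(self, msg):
        nonce = msg["nonce"]
        if nonce not in self.outstanding:   # never issued or already consumed
            return False
        self.outstanding.discard(nonce)     # single use, removed before the MAC check
        return hmac.compare_digest(
            msg["mac"], mac(msg["card"], msg["pin_block"], nonce))


def terminal_auth_msg(card, pin_block, nonce):
    return {"card": card, "pin_block": pin_block, "nonce": nonce,
            "mac": mac(card, pin_block, nonce)}


def run_check():
    """Captures one genuine login against each design and resends it,
    the way a tester with a tap on the terminal's network segment would."""
    captured = static_auth_msg(CARD, PIN_BLOCK)
    static_first = host_verify_static(captured)
    static_replay = host_verify_static(captured)      # accepted again: no freshness

    host = Host()
    captured = terminal_auth_msg(CARD, PIN_BLOCK, host.challenge())
    cr_first = host.verify(captured)
    cr_replay = host.verify(captured)                 # nonce already consumed
    # Attacker fetches a fresh nonce and splices it into the captured message.
    spliced = dict(captured, nonce=host.challenge())
    cr_spliced = host.verify(spliced)                 # MAC covers the old nonce
    return {"static_first": static_first, "static_replay": static_replay,
            "cr_first": cr_first, "cr_replay": cr_replay,
            "cr_spliced": cr_spliced}


if __name__ == "__main__":
    for name, result in run_check().items():
        print(f"{name}: {result}")
```

The same test applies to deployments that rely on per-transaction PIN encryption keys (for example a DUKPT-style scheme) instead of a host nonce: capture one complete login, resend it from a machine that has no card in it, and confirm the host refuses it.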
An attacker views statements of others:
o Check if a user can gain access to statements of other
users using parameter manipulation.
o Check if the user’s account statements remain visible in
the terminal’s browser cache/history after the session ends.
o Check if privileged data can be accessed without
logging into the application.
An attacker views pending cheque status of others:
o Check if a user can view cheque status of other users
using parameter manipulation.
o Check if privileged data can be accessed without
logging into the application.
An attacker applies for credit cards or loans on behalf of
others:
o Check if a user can manipulate requests using
parameter manipulation and apply for loans on behalf
of other users.
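The following is an added example for the three parameter-manipulation checks above (statements, cheque status and loan applications); it is not code from the handbook or from any terminal vendor. Each function is shown first trusting the account number carried in the request, then taking authorisation from the logged-in session, with the manipulated requests a tester would send. Customers, accounts, statements, cheques and the request shape are all made up.

```python
"""Constructed example: statement, cheque-status and loan handlers that
trust the request's account parameter, beside versions that enforce
ownership from the session. All reference data is made up."""

# Constructed reference data: which customer owns which account.
ACCOUNTS = {"ACC-001": "cust-A", "ACC-002": "cust-B"}
STATEMENTS = {
    "ACC-001": ["2024-01-03 -40.00 GROCERY"],
    "ACC-002": ["2024-01-05 +2500.00 SALARY"],
}
CHEQUES = {"ACC-001": {"000123": "PENDING"}, "ACC-002": {"000777": "CLEARED"}}
LOAN_APPLICATIONS = []


class Session:
    """What the terminal knows after a successful card + PIN login."""
    def __init__(self, customer_id):
        self.customer_id = customer_id


class AuthError(Exception):
    pass


def owned_account(session, params):
    """Resolves the requested account and refuses it unless the logged-in
    customer owns it. The request may still name an account, because a
    customer can hold several, but the session decides what is allowed."""
    account = params["account"]
    if ACCOUNTS.get(account) != session.customer_id:
        raise AuthError(f"{session.customer_id} may not act on {account}")
    return account


# Vulnerable handlers: whatever account number the request carries is used.
def statement_vulnerable(session, params):
    return STATEMENTS[params["account"]]


def cheque_status_vulnerable(session, params):
    return CHEQUES[params["account"]][params["cheque_no"]]


def apply_for_loan_vulnerable(session, params):
    LOAN_APPLICATIONS.append({"account": params["account"],
                              "amount": params["amount"]})
    return len(LOAN_APPLICATIONS)


# Hardened handlers: same interface, ownership enforced on every request.
def statement(session, params):
    return STATEMENTS[owned_account(session, params)]


def cheque_status(session, params):
    return CHEQUES[owned_account(session, params)][params["cheque_no"]]


def apply_for_loan(session, params):
    account = owned_account(session, params)
    LOAN_APPLICATIONS.append({"account": account, "amount": params["amount"]})
    return len(LOAN_APPLICATIONS)


def probe(handler, session, params):
    """Sends one manipulated request the way a tester would and reports
    either the data returned or 'denied'."""
    try:
        return handler(session, params)
    except AuthError:
        return "denied"


def run_check():
    """cust-A logs in with their own card, then tampers with the account
    parameter to point at cust-B's account ACC-002."""
    LOAN_APPLICATIONS.clear()
    me = Session("cust-A")
    foreign = {"account": "ACC-002", "cheque_no": "000777", "amount": 5000}
    own = {"account": "ACC-001", "cheque_no": "000123", "amount": 5000}
    return {
        "vuln_statement": probe(statement_vulnerable, me, foreign),
        "vuln_cheque": probe(cheque_status_vulnerable, me, foreign),
        "vuln_loan": probe(apply_for_loan_vulnerable, me, foreign),
        "hard_statement": probe(statement, me, foreign),
        "hard_cheque": probe(cheque_status, me, foreign),
        "hard_loan": probe(apply_for_loan, me, foreign),
        "hard_own_statement": probe(statement, me, own),
    }


if __name__ == "__main__":
    for name, result in run_check().items():
        print(f"{name}: {result}")
```

When running this check against a real terminal, repeat it for every function that accepts an account, cheque or customer identifier, and also try identifiers that do not exist: an error message that differs between “not yours” and “not found” tells an attacker which account numbers are valid.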
An attacker views sensitive data stored inside the
embedded system: