Cash depositor – Security Testing Handbook for Banking Applications

4: Security Testing Repository
160
Cash depositor
When a customer wishes to deposit money into their account, they have many options: they can transfer money between accounts using Internet banking; they can deposit a cheque or a DD; or they can go to a branch and deposit cash with a bank teller. Some banks, however, have come up with a novel way to give the customer yet another alternative: the cash depositor. The user can simply walk into a branch where the machine is installed and deposit cash, in the form of currency notes, into the machine. This can be a huge help in reducing long queues at busy branches and is especially useful for those who only want to deposit money into their accounts.
The cash depositor application is an example of an embedded system. The user only needs to place cash of the supported denominations in the cash slot. They then enter their account details through the touch pad. The note reader in the embedded system scans the currency, confirms that each note is not counterfeit and displays its value on the screen. The user continues placing notes until they reach the amount they want to deposit. Once they are done, they press a button confirming that they do not want to deposit any more cash. The different denominations are then sorted internally and placed into their respective cassettes. On successfully depositing the cash, the machine issues the customer a confirmation slip for the transaction. The customer can also enquire about the status of their previous transactions.
The underlying OS in this case could be either Windows or a hardened version of Linux. No operations other than those of the cash depositor are allowed. The touch pad on the cash depositor machine does not allow normal users to enter any character or number except those provided on the touch pad itself. All function keys, as well as special keys like Ctrl, Alt and Shift, are also disabled, preventing the user from invoking any operating system commands or executables. The cash depositor also lets users enquire about the status of their bank accounts and transactions.
The machine synchronises all its transaction-related information with core banking and ensures that the results of the transactions are reflected in the customer’s account. The money stored in the machine is then emptied under supervision and stored in the bank’s safe deposit lockers.
Since it is the user who is supplying the cash, there seems to be little that can go wrong with this application. But as it involves customer data and accesses customer accounts, it is important that this too, like every other application, is tested thoroughly.
Threat profile
An attacker deposits money into their account using counterfeit notes.
An attacker views transaction/account details of other users.
An attacker deposits an amount smaller than the number they entered on screen.
An attacker generates a confirmation slip without performing a successful transaction.
An attacker directly accesses the underlying OS of the cash depositor machine using various key combinations.
An attacker physically damages the system and steals money from the machine.
Test plan
An attacker deposits money into their account using counterfeit notes:
o Obtain counterfeit notes and insert them into the cash slot. Check that the machine rejects these notes.
An attacker views transaction/account details of other users:
o Check if a user can sniff sensitive traffic on the network and gain account/transaction information from the packets.
o Check if the machine can be ARP poisoned and all its traffic captured.
An attacker deposits an amount smaller than the number they entered on screen:
o Check if a user can enter an amount larger than the amount of cash placed in the slot.
An attacker generates a confirmation slip without performing a successful transaction:
o Check if a user can cause a confirmation slip to be generated without performing a transfer, or by entering an incorrect amount.
An attacker directly accesses the underlying OS of the cash depositor machine using various key combinations:
o Check if a user can access OS utilities by using special keys on the keyboard (Ctrl, Alt, Function keys).
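As an added example (not the handbook's own code), this is the reconciliation a tester would expect to find behind the third and fourth test-plan items: the credited amount is taken from the note reader's count rather than the figure typed on screen, counterfeit or unsupported notes are returned uncounted, and a confirmation slip is produced only after core banking has acknowledged the credit. The `post_to_core_banking` hook, the denomination set and the sample notes are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Denominations the machine accepts (assumed set, constructed for this example).
ACCEPTED_DENOMINATIONS = {10, 20, 50, 100, 500}


@dataclass
class Note:
    denomination: int
    genuine: bool  # verdict of the note reader's counterfeit check


@dataclass
class DepositResult:
    status: str                 # "ok", "amount_mismatch" or "core_banking_failed"
    credited: int = 0           # amount actually posted to the account
    slip: str = ""              # confirmation slip text; empty unless the deposit succeeded
    returned: List[Note] = field(default_factory=list)  # notes handed back to the customer


def is_acceptable(note: Note) -> bool:
    """A note is counted only if the reader passed it and the denomination is supported."""
    return note.genuine and note.denomination in ACCEPTED_DENOMINATIONS


def sort_into_cassettes(notes: List[Note]) -> Dict[int, int]:
    """Group accepted notes by denomination, as the machine does before storing them."""
    cassettes: Dict[int, int] = {}
    for note in notes:
        cassettes[note.denomination] = cassettes.get(note.denomination, 0) + 1
    return cassettes


def finalize_deposit(account: str, entered_amount: int, notes: List[Note],
                     post_to_core_banking: Callable[[str, int, Dict[int, int]], bool]) -> DepositResult:
    """Credit only what the note reader counted, never the figure typed on the touch pad.

    post_to_core_banking is an assumed hook returning True once core banking has recorded
    the credit; the slip is produced only after that acknowledgement.
    """
    returned = [n for n in notes if not is_acceptable(n)]   # never counted
    accepted = [n for n in notes if is_acceptable(n)]
    counted = sum(n.denomination for n in accepted)
    # The on-screen amount is a claim; the counted notes are the fact. Any gap aborts the deposit.
    if counted == 0 or counted != entered_amount:
        return DepositResult("amount_mismatch", returned=returned)
    if not post_to_core_banking(account, counted, sort_into_cassettes(accepted)):
        return DepositResult("core_banking_failed", returned=returned)
    # Mask the account number on the slip so a discarded slip reveals little.
    masked = "*" * max(len(account) - 4, 0) + account[-4:]
    slip = f"Deposit of {counted} credited to account {masked}"
    return DepositResult("ok", credited=counted, slip=slip, returned=returned)
```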