Customer care centre application – Security Testing Handbook for Banking Applications

4: Security Testing Repository
175
o Check if a user can view PIN or CVV information
accidentally stored inside the machine’s memory or
storage devices.
o Check if card information is transmitted in plain text
on the wire and can be sniffed.
Customer care centre application
Many customers use Internet banking to access their accounts and
perform transactions. Some customers might wish to perform other
banking transactions, such as ordering a chequebook, or need help
using certain features of the application. In such cases it isn’t
feasible for a customer to walk up to a branch every time. Hence
banks run 24×7 customer care centres where customers can call and
be assisted by customer care advisers.
The customer care centre application is used by the advisers
at the customer care centre. It performs the following
operations for them:
Fetch customer bank account details.
Fetch customer balance, effective available amount,
clear balance, system reserve amount and transaction
limit, etc.
Order chequebooks for the customer.
Find the status of transactions.
The data is retrieved from the relevant database when a
customer calls with a query related to their account.
The application is used only by call centre advisers and the
application’s administrators.
The call centre adviser enters a customer account or debit
card number and the application returns the relevant account
details. Different call centre advisers may have different
privileges on the application: the features an adviser may
access depend on their privilege level, and the limits for
specific transactions may also depend on it. The administrator
creates new call centre advisers and assigns privileges and
features to them. The administrator also sets the limits for
each privilege level.
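The privilege model above is the basis for most of the parameter-manipulation checks in the test plan: if the application takes the adviser's identity or privilege level from the request rather than from the server-side session, any adviser can claim a higher level. The following is an added example, not code from the handbook or from any real customer care centre application. The feature names, privilege levels, limits, session tokens and handler names are all constructed for illustration; the flawed handler trusts a client-supplied `level` parameter, the hardened one resolves the adviser from the session and applies the administrator's configuration server-side.

```python
"""Server-side privilege enforcement for a customer care centre application.

Added example; the data model and all names are constructed assumptions.
"""


class AuthorisationError(Exception):
    """Raised when a request exceeds the adviser's privilege or limit."""


# Constructed sample configuration, as an administrator would set it up.
# Privilege level -> features an adviser at that level may use.
FEATURES_BY_LEVEL = {
    1: {"view_account", "view_balance", "transaction_status"},
    2: {"view_account", "view_balance", "transaction_status",
        "order_chequebook"},
    3: {"view_account", "view_balance", "transaction_status",
        "order_chequebook", "update_limit"},
}

# Privilege level -> highest transaction limit an adviser may set for a customer.
MAX_LIMIT_BY_LEVEL = {1: 0, 2: 0, 3: 50_000}

# Adviser accounts created by the administrator (adviser id -> privilege level).
ADVISERS = {"adv001": 1, "adv002": 3}

# Server-side session store (session token -> adviser id).  In the hardened
# handler identity and privilege always come from here, never from the request.
SESSIONS = {"tok-adv001": "adv001", "tok-adv002": "adv002"}


def check_privilege(level, feature, amount=None):
    """Enforce the administrator's configuration for one request."""
    if feature not in FEATURES_BY_LEVEL.get(level, set()):
        raise AuthorisationError(f"feature {feature!r} not granted at level {level}")
    if feature == "update_limit":
        if amount is None or amount < 0 or amount > MAX_LIMIT_BY_LEVEL[level]:
            raise AuthorisationError(
                f"limit {amount!r} exceeds the maximum for level {level}")
    return True


def handle_vulnerable(params):
    """Flawed handler: reads the privilege level from a request parameter, so a
    level-1 adviser can simply send level=3.  This is the behaviour the test
    plan's parameter-manipulation checks are designed to find."""
    level = int(params.get("level", 1))
    check_privilege(level, params["feature"], params.get("amount"))
    return {"status": "ok", "feature": params["feature"], "level_used": level}


def handle_hardened(session_token, params):
    """Hardened handler: resolves the adviser from the server-side session and
    takes the privilege level from the adviser record.  Any 'level' value in
    the request is ignored, so manipulating it gains nothing."""
    adviser_id = SESSIONS.get(session_token)
    if adviser_id is None:
        raise AuthorisationError("not logged in")
    level = ADVISERS[adviser_id]
    check_privilege(level, params["feature"], params.get("amount"))
    return {"status": "ok", "feature": params["feature"],
            "adviser": adviser_id, "level_used": level}
```

A tester exercises this by replaying a level-1 adviser's request with the privilege or user parameter changed; the flawed handler accepts the tampered level, the hardened one answers from the session regardless of what the request claims.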
The attackers of the application could be malicious customer
care advisers or administrators, or outsiders who have no
legitimate access to the application.
Threat profile
An attacker views bank account details of a customer
without gaining authorisation.
An attacker modifies the effective balance or transaction
limit of a customer.
An attacker orders chequebooks or demand drafts (DDs) on behalf
of another user.
An attacker views the status of customer transactions.
An attacker views other sensitive customer data by
directly accessing the database.
An attacker modifies credit/debit card details of a
customer.
An attacker creates new users and assigns roles to them.
Test plan
An attacker views bank account details of a customer
without gaining authorisation:
o Check if a user can view bank account details of
another user using parameter manipulation.
o Check if privileged data can be accessed without
logging into the application.
o Check if bank account details are visible in the
browser cache/history.
o Check if a user can bypass authentication using SQL
injection and view sensitive account details.
An attacker modifies the effective balance or transaction
limit of a customer:
o Check if a user can change balance or limit of another
user using parameter manipulation.
o Check if a user can modify customer information by
manipulating SQL queries using SQL injection.
An attacker orders chequebooks or buys DDs on behalf
of another user:
o Check if a user can order chequebooks or DDs on
behalf of another user using parameter manipulation.
An attacker views the status of customer transactions:
o Check if a user can view status of customer
transactions using parameter manipulation.
o Check if privileged data can be accessed without
logging into the application.
o Check if customer transaction details are visible in the
browser cache/history.
An attacker views other sensitive customer data by
directly accessing the database:
o Check if a user can bypass authentication using SQL
injection and view sensitive account details.
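The SQL injection checks listed under the first, second and fifth threats above all probe the same weakness: user-supplied text (the adviser's login name, or the account number the adviser types) being concatenated into a query. The following added example, which is not the handbook's code and models no real banking product, shows the two injection points a tester would try and the parameterised alternatives. The schema, sample rows, passwords and function names are constructed; unsalted SHA-256 is used only to keep the example short, and the lookup functions run against an in-memory SQLite database so the block runs offline.

```python
"""SQL injection in a customer care centre login and account lookup.

Added example; the schema, rows and function names are constructed.
"""
import hashlib
import hmac
import sqlite3


def pw_hash(password):
    # Unsalted SHA-256 keeps the example short; real password storage needs a
    # salted, slow hash.  The injection point is the same either way.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """In-memory database with constructed adviser and customer account rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE advisers (username TEXT PRIMARY KEY, "
                "pw_hash TEXT, level INTEGER)")
    con.execute("CREATE TABLE accounts (account_no TEXT PRIMARY KEY, "
                "holder TEXT, balance INTEGER)")
    con.executemany("INSERT INTO advisers VALUES (?, ?, ?)",
                    [("adv001", pw_hash("correct horse"), 1),
                     ("admin", pw_hash("battery staple"), 3)])
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [("1001", "A. Customer", 1500),
                     ("1002", "B. Customer", 98000)])
    return con


def login_vulnerable(con, username, password):
    """Vulnerable: the username is pasted into the SQL text, so a value such
    as "admin' --" closes the string literal and comments out the password
    check.  Returns (username, level) or None."""
    query = ("SELECT username, level FROM advisers "
             "WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash(password)))
    return con.execute(query).fetchone()


def login_hardened(con, username, password):
    """Hardened: the username is bound as a parameter, so it is only ever
    compared as data, and the hash comparison is constant-time."""
    row = con.execute(
        "SELECT username, level, pw_hash FROM advisers WHERE username = ?",
        (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], pw_hash(password)):
        return None
    return row[0], row[1]


def account_lookup_vulnerable(con, account_no):
    """Vulnerable: the account number the adviser types is concatenated into
    the query, so "' OR 1=1 --" returns every customer's row."""
    query = ("SELECT account_no, holder, balance FROM accounts "
             "WHERE account_no = '%s'" % account_no)
    return con.execute(query).fetchall()


def account_lookup_hardened(con, account_no):
    """Hardened: a format check on the account number, then parameter
    binding for the query itself."""
    if not account_no.isdigit():
        return []
    return con.execute(
        "SELECT account_no, holder, balance FROM accounts WHERE account_no = ?",
        (account_no,)).fetchall()
```

When running these checks against the real application, the same two payloads (`admin' --` in the login name, `' OR 1=1 --` in the account number field) are the first things to try; a login that succeeds with an arbitrary password, or a lookup that returns more than one customer, confirms the finding.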
An attacker modifies credit/debit card details of a
customer: