Internet banking (1/3) – Security Testing Handbook for Banking Applications

4: Security Testing Repository
94
o Check if a user can close their account bypassing interest calculation using parameter manipulation.
o Check if a user can escalate privileges and change their interest using SQL injection or parameter manipulation.
Internet banking
Traditional banking required the customer to visit the bank for everything, even to check their account balance. As Internet usage started becoming popular, banks came up with the concept of Internet banking, where customers could perform most of their transactions from their homes, or anywhere for that matter.
While it was convenient for customers, Internet banking also proved to be a cost-effective solution for the banks. With customers increasingly opting for Internet banking, banks could have smaller branches with fewer staff. So banks encouraged online banking.
The Internet banking application has features that help meet most of the banking needs of a bank account holder over the Internet. Almost all Internet banking applications provide basic features like viewing the account statement, transferring funds, ordering demand drafts and cheques, and maintaining and editing personal details like address. Some other features commonly seen are credit card payments, bill payments, standing instructions, loans, and fixed and recurring deposits.
An Internet banking user would need to have an account at the bank and should have registered for Internet banking access. The bank provides a username and a password/PIN to the user for accessing the application. Some banks provide more security through two-factor authentication and secure tokens.
The online banking application deals with a lot of sensitive data like the password/PIN, account numbers, credit card details, personal information and account statements. Considering the nature of the data in such an application, banks have to ensure the application is secure. Users will not use it if they perceive the online banking site as insecure. But at the same time, security features shouldn’t make it inconvenient for the users. So the challenge is to ensure security without affecting usability.
The threats to Internet banking applications are always on the increase – from conventional threats like password guessing, stealing sensitive information and siphoning off funds to the more recent threats like bots and phishing.
Threat profile
Threats related to personal details
An attacker views another user’s confidential/personal/contact information/details.
An attacker modifies another user’s confidential/personal/contact information/details.
Threats related to account and account details
An attacker views another user’s financial/account information/details.
An attacker modifies own/other user’s financial/account information/details.
An attacker modifies the account profile (type, currency and balance) of own/other user’s account.
Threats related to statement
An attacker views financial statements of other users.
An attacker modifies own/other user’s financial statement.
An attacker fetches statements older than the specified time period.
Threats related to cards
An attacker views other user’s card details/history.
An attacker modifies own/other user’s card details.
An attacker fetches card history older than the specified time period.
Threats related to investments
An attacker views other user’s certificate details.
An attacker modifies own/other user’s certificate details.
An attacker redeems another user’s certificate.
An attacker redeems own certificate multiple times.
An attacker redeems greater amount than entitled.
Threats related to bill payment
An attacker pays bills using another user’s account.
An attacker pays bills using a non-payer account.
An attacker makes bill payment to a non-registered bill payee.
Threats related to fund transfers and transactions/payments
An attacker transfers funds from other account to own account.
An attacker transfers amounts beyond the available balance.
An attacker schedules fund transfer/payment on an invalid date.
An attacker changes the date of a previous transaction/payment.
An attacker performs pre-dated transaction/payment.
An attacker performs a transaction without valid transaction credentials.
An attacker manipulates transaction/payment amount and service charges levied for transaction.
An attacker performs transaction/payment from and to a non-existing/invalid account.
An attacker modifies the currency during transaction/payment.
An attacker modifies the cross-currency exchange rate during transaction/payment.
An attacker views/adds/modifies beneficiary/payees of other user’s account.
An attacker views the pending/scheduled transaction/payment details of another user.
An attacker modifies the pending/scheduled transaction/payment details of other users.
An attacker views transfer/payment history of other users.
An attacker fetches payment history older than the specified time period.
An attacker places a fixed deposit request for an amount less than the minimum specified.
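Several of the transfer threats listed above (transfers beyond the available balance, client-manipulated service charges or exchange rates, pre-dated transfers, unregistered payees, non-existent accounts) are countered by one server-side validation that reads only the fields a client may legitimately choose. The following Python validator is an added example, not code from the handbook; the account records, fee, field names and the fixed "today" date are constructed assumptions.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample data for the example (not real accounts).
ACCOUNTS = {
    "ACC-1": {"owner": "C1001", "balance": Decimal("500.00")},
    "ACC-2": {"owner": "C1002", "balance": Decimal("50.00")},
}
# Payees each customer has registered; a transfer may only go to one of these.
REGISTERED_PAYEES = {"C1001": {"ACC-2"}, "C1002": set()}
# The fee schedule lives on the server; the client never supplies the charge.
SERVICE_CHARGE = Decimal("1.50")
# The only fields a client may send; charge, rate or currency in the request
# are a manipulation attempt and are flagged rather than honoured.
CLIENT_FIELDS = {"from", "to", "amount", "date"}

def validate_transfer(customer_id, request, today=date(2024, 1, 15)):
    """Return the reasons the transfer is rejected (an empty list = accepted).
    Ownership, balance, charge and payee status come from server-side records,
    never from the request."""
    errors = []
    extra = set(request) - CLIENT_FIELDS
    if extra:
        errors.append("unexpected client fields rejected: " + ", ".join(sorted(extra)))
    src, dst = ACCOUNTS.get(request.get("from")), ACCOUNTS.get(request.get("to"))
    if src is None or dst is None:
        return errors + ["source or destination account does not exist"]
    if src["owner"] != customer_id:
        errors.append("source account is not owned by the requester")
    if request.get("to") not in REGISTERED_PAYEES.get(customer_id, set()):
        errors.append("destination is not a registered payee of the requester")
    try:
        amount = Decimal(str(request.get("amount")))
    except InvalidOperation:
        return errors + ["amount is not a valid number"]
    if not amount.is_finite() or amount <= 0:
        errors.append("amount must be a positive finite number")
    elif amount + SERVICE_CHARGE > src["balance"]:
        errors.append("amount plus service charge exceeds available balance")
    if "date" in request:
        try:
            if date.fromisoformat(request["date"]) < today:
                errors.append("transfer cannot be pre-dated")
        except (TypeError, ValueError):
            errors.append("date is not a valid ISO date")
    return errors
```

A tester exercising the threats above sends the same request with the amount raised past the balance, an extra charge or rate field, or an earlier date, and expects every such variant to be refused.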
Threats related to mail/messages
An attacker views or deletes the e-mails of other users.
An attacker sends spoofed e-mail to other users.
An attacker fakes the timestamp on own e-mails.
Test plan
An attacker views other user’s confidential/personal/contact information/details:
o Check if a user can view personal details of another user using parameter manipulation.
o Check if a user’s session can be stolen by running scripts and exploiting an XSS flaw.
o Check if a user can manipulate queries to the database by using SQL injection.
o Check if a user’s personal details can be viewed in the browser cache.
An attacker modifies other user’s confidential/personal/contact information/details:
o Check if a user can modify another user’s personal information using parameter manipulation.
o Check if a user can be tricked into modifying their own information using a CSRF attack.
o Check if a user can manipulate queries to the database by using SQL injection.
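The parameter-manipulation checks in both test plans above (viewing and modifying another user’s personal details) come down to one question: does the server bind the requested record to the authenticated session, or does it trust the identifier in the request? The following Python sketch is an added example, not code from the handbook: it models a profile endpoint that trusts the parameter beside one that enforces ownership, and a check that exercises both the way the test plan describes. The customer records, session tokens and function names are constructed assumptions.

```python
# Constructed sample data for the example (not real customers).
CUSTOMERS = {
    "C1001": {"name": "Alice Example", "address": "1 Demo Street"},
    "C1002": {"name": "Bob Example", "address": "2 Demo Street"},
}
# Session token -> customer id that the server bound to it at login.
SESSIONS = {"sess-alice": "C1001", "sess-bob": "C1002"}

class Forbidden(Exception):
    """Raised when the caller may not read or write the requested record."""

def profile_vulnerable(session_id, customer_id, update=None):
    """Checks that the caller is logged in but trusts the customer_id
    parameter, so any user can read or overwrite any profile by editing it."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    record = CUSTOMERS[customer_id]
    if update:
        record.update(update)
    return dict(record)

def profile_hardened(session_id, customer_id, update=None):
    """Same endpoint with the ownership check: the record must belong to the
    customer the server associated with this session, not to the parameter."""
    if SESSIONS.get(session_id) != customer_id:
        raise Forbidden("record does not belong to this session")
    record = CUSTOMERS[customer_id]
    if update:
        record.update(update)
    return dict(record)

def parameter_manipulation_check(endpoint, update=None):
    """Test-plan check: as each user, request every other user's record by
    changing only the identifier; 'LEAK' marks requests that succeeded."""
    results = {}
    for session_id, own_id in SESSIONS.items():
        for target_id in CUSTOMERS:
            if target_id == own_id:
                continue  # own record: expected to be accessible
            try:
                endpoint(session_id, target_id, update)
                results[(session_id, target_id)] = "LEAK"
            except Forbidden:
                results[(session_id, target_id)] = "denied"
    return results

if __name__ == "__main__":
    print("view, vulnerable:", parameter_manipulation_check(profile_vulnerable))
    print("view, hardened:  ", parameter_manipulation_check(profile_hardened))
```

Passing an update dictionary to the check runs the modify variant of the test; against the vulnerable endpoint it silently rewrites the other user's stored details.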
An attacker modifies the account profile (type, currency and balance) of another user’s account: