Overdraft calculator application – Security Testing Handbook for Banking Applications

4: Security Testing Repository
137
o Check if a user can copy/delete files from the directory in which cheque images are stored due to weak permissions on folders.
o Check if a user can view cached image files from browser history/cache or weakly protected folders on the disk.
An attacker disrupts the ACH process of cheque collection leading to delays in clearance:
o Check if a user can prevent the ACH process from occurring using parameter manipulation.
o Check if an unauthorised user can perform the ACH process using SQL injection.
o Check if a user can be tricked into performing the ACH process using a CSRF attack.
An attacker gains access to the post-dated cheque module and manipulates cheque details accessed by the LM application:
o Check if a user can manipulate the cheque account number of another user using parameter manipulation.
An attacker changes the due date of post-dated cheques:
o Check if a user can change the date on a post-dated cheque using parameter manipulation.
o Check if an admin user can be tricked into changing the date of a post-dated cheque using a CSRF attack.
Overdraft calculator application
The overdraft calculator application is used to calculate and manage overdrafts used by customers.
First, some background: When a customer withdraws funds from their account, the bank usually doesn’t charge the customer as long as they have sufficient funds in the bank to complete the transaction. There are times, however, when a customer withdraws a sum of money greater than the available balance in their account. This could be for a number of reasons, some of them being: knowingly or unknowingly withdrawing an extra amount, cheques not clearing, periodic automatic account debits, loan payments being due, etc. When that happens, it’s called an overdraft and the customer is charged for the same.

The withdrawal could be done through various channels – by using a debit card at an ATM or at a retail outlet, by issuing cheques or demand drafts or even in the form of cash across the counter. Irrespective of the channel, a customer can use the overdraft when they exhaust the funds in their account.

Every customer has an overdraft limit. The limit is lower for individuals and higher for companies. The bank decides the limit when the customer opens the account. The bank charges interest on the overdraft amount, the sum that the customer withdraws once they no longer have funds in their account. The interest is automatically debited from the customer’s account once they replenish their account with funds.

The overdraft calculator identifies all customers who have availed themselves of the overdraft facility. It calculates the interest that each customer has to pay and keeps track of the due dates of all such payments. It also has features for modifying the rates of interest in case a customer changes their account type or cancels their overdraft protection. Once the overdraft payment is made the application adjusts the customer records accordingly. All these activities are performed by bank application users. The overdraft calculator application allows management to view the percentage of overdrafts incurred by customers and segregate them based on the overdraft incurred.

All transactions in the overdraft calculator are linked to core banking. Activities, such as knowing when to debit a customer account or cancel/reduce a customer’s overdraft limit, are performed only after the relevant updates are made in both places.
Threat profile
An attacker withdraws funds beyond their overdraft limit.
An attacker doesn’t pay the interest for their overdraft subscription but cheats the system into thinking they have.
An attacker manipulates and increases their overdraft limit without changing their account type or informing the bank.
An attacker modifies the interest rate that the bank charges them per month.
An attacker modifies the date on which the interest payment for the overdraft is due.
An attacker views/steals sensitive data by downloading reports on behalf of other users.
Test plan
An attacker withdraws funds beyond their overdraft limit:
o Check if a user can increase their overdraft limit or change their account type using parameter manipulation.
o Check if validations performed at the browser can be bypassed.
An attacker doesn’t pay the interest for their overdraft subscription but cheats the system into thinking they have:
o Check if a user can skip paying interest using parameter manipulation or by replaying a request.
o Check if validations performed at the browser can be bypassed.
An attacker manipulates and increases their overdraft limit without changing their account type or informing the bank:
o Check if a user can increase their overdraft limit or change their account type using parameter manipulation.
An attacker modifies the interest rate that the bank charges them per month:
o Check if a user can change their interest rate using parameter manipulation.
o Check if a user can change the period during which they are charged interest by the bank.
An attacker modifies the date on which the interest payment for the overdraft is due:
o Check if a user can modify the due date using parameter manipulation.
An attacker views/steals sensitive data by downloading reports on behalf of other users:
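The checks in the test plan above, and the CSRF and parameter-manipulation checks in the cheque section at the top of this page, all probe the same server-side controls: the bank-decided fields (overdraft limit, interest rate, due date, account type) must never be accepted from the client, every state-changing request must be bound to the user's session and rejected when replayed, and account and report identifiers must be checked against the authenticated owner. The Python module below is an added example of what a tester expects to find behind a passing result; it is not code from the handbook or from any real banking application. The Account and Request classes, the POLICY table, the HMAC-based CSRF token, the Idempotency-Key header and the sample accounts and reports are all constructed for the illustration.

```python
"""Server-side controls an overdraft calculator needs to pass the test plan:
no bank-owned fields from the client, session-bound CSRF token, replay
rejection, and ownership checks on accounts and reports. Added example;
all names, values and the policy table are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

# Constructed per-deployment secret; a real service loads it from a secret store.
SERVER_SECRET = b"constructed-example-secret"

# Bank policy: limit and monthly rate follow the account type the bank assigned.
# Nothing in a request can change these values (assumed figures).
POLICY = {
    "individual": {"limit": Decimal("1000"), "rate": Decimal("0.020")},
    "company": {"limit": Decimal("50000"), "rate": Decimal("0.015")},
}

# Fields the bank decides; their presence in a request is a manipulation attempt.
SERVER_OWNED = {"limit", "rate", "due_date", "account_type", "interest_due", "amount_due"}


@dataclass
class Account:
    owner: str                       # authenticated user who owns the account
    account_type: str                # key into POLICY
    balance: Decimal
    interest_due: Decimal = Decimal("0")
    interest_due_date: Optional[date] = None
    interest_paid: bool = True


@dataclass
class Request:
    user: str                        # principal taken from the server-side session
    session_id: str
    params: dict                     # client-supplied form/query fields
    headers: dict = field(default_factory=dict)


class Rejected(Exception):
    """Raised with a short reason code; a real handler maps it to an HTTP error."""


# Constructed sample data for the example.
ACCOUNTS = {
    "ACC-1": Account("alice", "individual", Decimal("100")),
    "ACC-2": Account("bob", "company", Decimal("500")),
}
REPORTS = {
    "RPT-1": ("alice", "alice overdraft statement"),
    "RPT-2": ("bob", "bob overdraft statement"),
}
SEEN_KEYS = set()                    # idempotency keys already consumed


def csrf_token(session_id: str) -> str:
    """Token bound to the session, so a form served by another site cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def guard(req: Request) -> Account:
    """Checks shared by every state-changing request, in the order a tester probes them."""
    if not hmac.compare_digest(req.headers.get("X-CSRF-Token", ""), csrf_token(req.session_id)):
        raise Rejected("csrf")
    key = req.headers.get("Idempotency-Key", "")
    if not key or key in SEEN_KEYS:  # same request submitted twice: replay
        raise Rejected("replay")
    SEEN_KEYS.add(key)
    if SERVER_OWNED.intersection(req.params):  # client tried to set a bank-owned field
        raise Rejected("parameter")
    acct = ACCOUNTS.get(req.params.get("account", ""))
    if acct is None or acct.owner != req.user:  # another user's account id
        raise Rejected("authorization")
    return acct


def withdraw(req: Request, today: Optional[date] = None) -> Decimal:
    """Apply a withdrawal; limit, rate and due date come from POLICY, not the request."""
    acct = guard(req)
    amount = Decimal(req.params.get("amount", "0"))
    limit = POLICY[acct.account_type]["limit"]
    if amount <= 0 or acct.balance - amount < -limit:
        raise Rejected("limit")
    acct.balance -= amount
    if acct.balance < 0:              # overdraft in use: server computes interest and due date
        acct.interest_due = -acct.balance * POLICY[acct.account_type]["rate"]
        acct.interest_due_date = (today or date.today()) + timedelta(days=30)
        acct.interest_paid = False
    return acct.balance


def pay_interest(req: Request) -> Decimal:
    """Settle the interest the server recorded; any client-supplied figure is ignored."""
    acct = guard(req)
    if acct.interest_paid:
        raise Rejected("nothing_due")
    paid = acct.interest_due
    acct.interest_due = Decimal("0")
    acct.interest_paid = True
    return paid


def download_report(req: Request) -> str:
    """Reports are served only to the user they belong to, whatever id is requested."""
    owner, body = REPORTS.get(req.params.get("report", ""), (None, None))
    if owner != req.user:
        raise Rejected("authorization")
    return body


def make_request(user: str, session_id: str, key: str, **params) -> Request:
    """Build a request the way a legitimately loaded page would send it."""
    headers = {"X-CSRF-Token": csrf_token(session_id), "Idempotency-Key": key}
    return Request(user, session_id, dict(params), headers)


def outcome(handler, req: Request) -> str:
    """Run a handler and report 'ok' or the rejection reason code."""
    try:
        handler(req)
        return "ok"
    except Rejected as why:
        return str(why)


if __name__ == "__main__":
    first = make_request("alice", "s1", "k1", account="ACC-1", amount="500")
    print("withdraw 500:", withdraw(first), "interest due:", ACCOUNTS["ACC-1"].interest_due)
    print("replay:", outcome(withdraw, first))
    print("limit in params:", outcome(withdraw, make_request("alice", "s1", "k2", account="ACC-1", amount="1", limit="99999")))
    print("other account:", outcome(withdraw, make_request("alice", "s1", "k3", account="ACC-2", amount="1")))
```

Each rejection reason maps to one row of the test plan: "parameter" is the limit, rate, due-date and account-type manipulation checks, "replay" is the interest-skipping check, "csrf" is the cross-site request check, "authorization" is the cross-user account and report check, and "limit" is the overdraft ceiling enforced from the bank's own policy rather than from a browser-side validation. The running `SEEN_KEYS` set stands in for a persistent store keyed per session.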