Must Know Business Logic Vulnerabilities In Banking Applications

Over the last few years, our On-Demand and Hybrid Penetration Testing platform has performed security testing of applications across various verticals and domains including Banking, e-commerce, Manufacturing, Enterprise Applications, Gaming and so on. SQL Injection, XSS and CSRF are still the top classes of vulnerabilities found by our automated scanning system; at the same time, there are many business logic vulnerabilities that are found only by our security experts, backed by a comprehensive knowledge base.

A business logic vulnerability is defined as a security weakness or bug in the functional or design aspect of the application. Because the weakness lies in the function or design rather than in a recognisable input-handling pattern, it is routinely missed by all existing automated web application scanners.

In this blog we are sharing the most commonly found Business Logic Vulnerabilities in the Virtual Credit Card (VCC) creation module of a Banking Application.

Consider the following scenario: A Banking Application provides web based functionality to users to pay Bills Online as well as to create and manage Virtual Credit Cards. Virtual Credit Cards are used to shop online. A Virtual Credit Card creation use case involves the following steps:

1. User visits banking application.
2. User opts to create virtual credit card.
3. User fills up personal details, required amount, expiry date of VCC etc.
4. User chooses a payment gateway.
5. User fills up credit / debit card details.
6. Banking Application redirects user to a Payment Gateway.
7. Required amount + Service Charge are debited from user’s Debit / Credit card.
8. Payment Gateway redirects user to a Callback URL provided by the Banking Application.
9. Banking Application verifies the Payment Gateway confirmation.
10. Banking Application generates a CVV number.
11. Banking Application presents VCC details to the user.
12. Banking application performs SMS verification of the user.

The security weaknesses commonly found in the above scenario are as follows:

TAMPERING OF DATA COMMUNICATION BETWEEN PAYMENT GATEWAY AND BANKING APPLICATION
Weakness: The Banking application does not verify whether the required amount was successfully paid at the Payment Gateway side, or what amount was actually paid there. As a result, a virtual card can be recharged with a higher amount while paying a lower amount to the bank, by modifying the amount in the request sent from the payment gateway to the bank.

Mitigation: There should be sufficient validation between the Banking application and the payment gateway: the amount credited to the VCC must be taken from the bank's own record of the order, not from the callback parameters. The callback URL should not be directly controllable by an attacker.

NO VALIDATION ON BANKING APPLICATION’S CALLBACK URL
Weakness: There is a lack of validation on the Banking Application side when the Payment Gateway redirects a user to the Banking Application’s callback URL. As a result, a virtual credit card can be created without paying any service charges, by sending the request directly to the Banking Application's callback URL (the URL the Payment Gateway would normally redirect to) without ever visiting the Payment Gateway.

Mitigation: There should be enough validation on the callback URL to determine whether the request was genuinely redirected by the Payment Gateway or was called directly by an attacker, for example by checking a gateway signature over the callback parameters and confirming the payment with the gateway server-side.
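The two callback weaknesses above (tampered amount, and a callback called directly without paying) share one server-side fix. The following is an added example, not code from the original post or from any real gateway: it assumes a hypothetical gateway that HMAC-signs the callback parameters with a shared secret, and a bank-side order record created before the user is redirected.

```python
import hmac
import hashlib
from decimal import Decimal

# Shared secret agreed with the payment gateway (constructed sample value).
GATEWAY_SECRET = b"constructed-shared-secret"
SERVICE_CHARGE = Decimal("25.00")

# Orders the bank recorded BEFORE redirecting the user to the gateway.
# Constructed sample: order 1001 requests a 500.00 VCC; the bank expects 525.00 to be paid.
ORDERS = {"1001": {"vcc_amount": Decimal("500.00"),
                   "expected": Decimal("500.00") + SERVICE_CHARGE,
                   "status": "PENDING"}}


def canonical(params: dict) -> bytes:
    """Deterministic byte string both sides sign (hypothetical scheme, excludes 'sig')."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig").encode()


def gateway_sign(params: dict) -> str:
    """What the gateway computes before redirecting to the callback URL (modelled here)."""
    return hmac.new(GATEWAY_SECRET, canonical(params), hashlib.sha256).hexdigest()


def handle_callback(params: dict) -> str:
    """Bank-side callback handler. Returns 'OK' or a rejection reason."""
    # 1. Authenticity first: a request typed straight into the callback URL, or one whose
    #    amount was edited in transit, carries no valid gateway signature.
    if not hmac.compare_digest(gateway_sign(params), params.get("sig", "")):
        return "REJECT: bad signature"
    order = ORDERS.get(params.get("order_id"))
    if order is None:
        return "REJECT: unknown order"
    # 2. Amount: compare what the gateway reports with the bank's OWN record of the order.
    #    The VCC is later credited with order["vcc_amount"], never with a callback value.
    if params.get("status") != "SUCCESS" or Decimal(params.get("amount", "0")) != order["expected"]:
        return "REJECT: amount or status mismatch"
    # 3. Replay: a second callback for an already-settled order must not create a second card.
    if order["status"] != "PENDING":
        return "REJECT: order already settled"
    order["status"] = "PAID"
    return "OK"
```

A production handler would additionally confirm the transaction with the gateway's server-to-server status API rather than trusting the browser redirect alone.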

VIRTUAL CREDIT CARD NUMBER IS PREDICTABLE
Weakness: Generated Virtual Credit Card numbers are predictable or follow certain patterns. As a result, an attacker can predict which virtual credit card numbers are in use by other legitimate users.

Mitigation: Virtual Credit Card numbers should be sufficiently random, i.e. the account portion after the issuer prefix should be drawn from a cryptographically secure random source rather than a counter.
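As an added example (not code from the original post), here is a sequential generator of the kind the weakness describes beside a CSPRNG-based one; both keep the number Luhn-valid. The issuer prefix, card length and the in-memory set of issued numbers are assumptions for the demo.

```python
import secrets

# Issuer identification number (first 6 digits): constructed placeholder, not a real BIN.
ISSUER_IIN = "999999"
CARD_LENGTH = 16
DIGITS = "0123456789"


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for the digits that precede it (rightmost of `partial` is doubled)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and number[-1] == luhn_check_digit(number[:-1])


def sequential_vcc(counter: int) -> str:
    """The weak pattern: the account part is a running counter, so knowing one
    card number lets anyone derive its neighbours."""
    body = ISSUER_IIN + str(counter).zfill(CARD_LENGTH - len(ISSUER_IIN) - 1)
    return body + luhn_check_digit(body)


def random_vcc(issued: set) -> str:
    """Mitigation: account part from a CSPRNG; uniqueness enforced against
    the set of already issued numbers (a database in a real system)."""
    account_len = CARD_LENGTH - len(ISSUER_IIN) - 1
    while True:
        body = ISSUER_IIN + "".join(secrets.choice(DIGITS) for _ in range(account_len))
        number = body + luhn_check_digit(body)
        if number not in issued:
            issued.add(number)
            return number
```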

NO ANTI-AUTOMATION IN VIRTUAL CREDIT CARD DETAILS VERIFICATION
Weakness: There is no anti-automation (e.g. CAPTCHA) while verifying Virtual Credit Card details such as the CVV number and expiry date. The Credit Card number is sufficiently long; however, the CVV number is generally a 3 digit number and the expiry date is also a 2 digit number. As a result, it is possible to bruteforce the CVV number and expiry date, and shop online using a stolen virtual credit card number.

Mitigation: There should be sufficient anti-automation, e.g. CAPTCHA, while verifying the CVV number along with the Credit Card Number, combined with a limit on failed verification attempts per card.

NO ANTI-AUTOMATION IN CARD CREATION PROCESS
Weakness: There is no anti-automation while creating a virtual credit card. An attacker can use automated scripts to exhaust credit card numbers. As a result, Credit Card Numbers can be exhausted and therefore made unavailable to users, leading to a Denial of Service (DoS) attack. It can also lead to other attacks, including Credit Card Number pattern prediction.

Mitigation: There should be sufficient anti-automation, e.g. CAPTCHA, while creating virtual credit card numbers, along with a per-account limit on how many cards can be created in a given period.
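Server-side throttling that complements a CAPTCHA for the two anti-automation weaknesses above, as an added example that is not part of the original post: failed CVV/expiry checks are counted per card and the card is locked after a few, and card creation is capped per account. The limits, window, in-memory stores and sample card record are assumptions for the demo.

```python
import hmac
from collections import defaultdict

MAX_FAILED_VERIFY = 3            # failed CVV/expiry attempts tolerated per card
MAX_CREATE_PER_ACCOUNT = 5       # VCCs one account may create inside the window
WINDOW_SECONDS = 24 * 3600

# Constructed sample card record: number -> (cvv, expiry "MM/YY")
CARDS = {"9999990000000011": ("123", "12/26")}
# Per-card failed-attempt timestamps and per-account creation timestamps (demo stores).
FAILURES = defaultdict(list)
CREATIONS = defaultdict(list)


def _recent(events: list, now: float) -> list:
    return [t for t in events if now - t < WINDOW_SECONDS]


def verify_card(number: str, cvv: str, expiry: str, now: float) -> str:
    """Returns 'OK', 'DENIED' or 'LOCKED'. `now` (epoch seconds) is injected for testability."""
    FAILURES[number] = _recent(FAILURES[number], now)
    if len(FAILURES[number]) >= MAX_FAILED_VERIFY:
        return "LOCKED"          # guesses are refused even when correct: no oracle left
    record = CARDS.get(number)
    ok = False
    if record is not None:
        # `&` instead of `and` so both comparisons always run (no short-circuit timing leak).
        ok = hmac.compare_digest(record[0], cvv) & hmac.compare_digest(record[1], expiry)
    if not ok:
        FAILURES[number].append(now)
        return "DENIED"          # same answer for unknown card and wrong CVV
    FAILURES[number].clear()
    return "OK"


def allow_card_creation(account_id: str, now: float) -> bool:
    """Per-account creation quota; returns False once the window's quota is used up."""
    CREATIONS[account_id] = _recent(CREATIONS[account_id], now)
    if len(CREATIONS[account_id]) >= MAX_CREATE_PER_ACCOUNT:
        return False
    CREATIONS[account_id].append(now)
    return True
```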

Read Banking Labour Law Books Ca Cs Mba Books At Online Book Store

How can an Online Book Store be defined?
An online book store is simply a website owned by a dealer in various types of books, such as books on banking, law, taxation, labour law, CA, CS, MBA and so on. Online book stores usually stock books according to the market they serve.
Reading informative books is a good habit for everyone. Books are a great source of information on any topic or subject. Reading is also a hobby for some people, who can spend a long time with an informative book.
The Internet is a great source of adequate and relevant information on any topic or subject. Buying books online is much easier and more enjoyable than purchasing books from high-street book shops. Buying books online saves not only your time but also the physical effort and money spent travelling to a regular bookstore. Thus, buying books online is more advantageous than buying from regular shops, as it is fast, accurate and takes less time.
Bookcorporation is one of the leading book stores for law, taxation, labour law, CA, CS, MBA etc. It has a wealth of books with considerable strengths in law, Direct Taxation, FEMA, SEBI, Banking, Service Tax, Central Excise, Customs, Import, Export, etc. It aims to be the book store of choice for students, lawyers, engineers, businessmen, labour etc.
Labour law books available online are full of information and updated labour rules/laws that help businesses and other industries. You cannot take any type of labour from a child under 14 years of age, because this is prohibited by law. All such laws are fully explained in these law books. Books provide guidelines in all fields/areas from a business or commercial point of view.
Another advantage of buying books online is the impressive discount offered by online bookstores. Because the cost of maintaining a physical store and paying salesmen is reduced, you get discounted books online as well as a large collection to choose from.
You have to be very careful when searching for books online, checking the price and the correct author name of the book. The same textbook is sold at different prices on the Internet, so you need to check the various online shops that sell it. You will notice differences in price between book sellers for the same book or title, and you can save money by visiting some of the better online book stores. Moreover, you don’t need to waste your time searching for the textbook in your local store.

Unlimited Features and Benefits of Mobile Banking

The banking sector is moving upward with the rapid adoption of technologies that are changing the way people transact. Banks are continuously involved in research and development to meet the growing needs of the common man. They are redefining their strategies and gaining competitive advantage. They are taking initiatives to strategize, govern, execute and optimize their operations and to simplify transaction facilities for people. They are implementing mobile banking in almost all parts of the country to remove hassle for people.

By implementing the concept of mobile banking, banks have substantially enhanced their productivity and cater to the widest needs of the people. At the same time, they have dramatically improved processes. They are also exploring vital elements and technologies that will enable and support their infrastructure in the long run. This will enable SMEs and business houses to access banking services at any time.

Some of the elements that are underlined by the banks are:

1. Keeping abreast of the advanced explorations in payments technology
2. Assessing new responsibilities for the banking and financial services industry
3. Collaborating with emerging alternative payment providers

One thing that is broadly appreciated in the banking industry is the mobile banking facility. It is the most widely celebrated technological platform, serving the highest number of customers within minutes. It helps a broad category of customers to go global and access distinguished, friendly banking services. They can securely access the most popular internet banking functions and banking technology from their smart phones or other high-end devices. Whether you are on a holiday trip or anywhere else, you can conveniently access the services provided.

Brilliant and innovative features & benefits of mobile banking technology:

1. Check your account information
2. Make quick and secure money transfers
3. Pay to Mobile – Perfect way to pay someone
4. Collect payment
5. Overseas Transfers

In order to provide more convenience to the common people, banks and financial institutions are developing mobile apps so that people can easily access their services and gain substantial advantage. Banks are also giving sufficient flexibility to SMEs, businesses and large industries so that they can benefit from these unparalleled features and assistance. Through these features, they can respond to changing market demands as well as opportunities for growth through mobile banking.

When it comes to constant innovation, banks take the lead role and define payment products in a more creative and secure manner. This eventually enhances the customer experience by delivering easier, more transparent, efficient, reliable, sensible, friendly and convenient payment options. Banking and financial industries detail their future plans, risks, opportunities and industry trends through banking technology conferences or press conference events.

About the Author:

FST Media produces the most successful banking technology conference, financial & insurance technology conference, roundtables and publications for the banking and finance, insurance and wealth management sectors across the Asia Pacific region. With management experience in conference production, journalism and business development, FST Media prides its reputation on unparalleled access to senior financial services executives.

Safe Internet Banking

Tips for safe Internet Banking

How safe is internet banking?
Experts’ view on Internet banking right now is that it’s not safe. To get to a reasonable level of security you need a good knowledge of computers. If you don’t have that knowledge, you’re probably better off waiting until the banks get their act together. The way forward is for them to supply their own software that you install on your own machine and use for accessing your account. Only then will Internet banking be relatively safe for people without computer expertise.
Internet Banking is becoming popular because we feel it is the easy way to deal with money: one can make one’s PC a live bank, doing all the things a bank can do without actually visiting a bank. But very few of us are able to protect our accounts from fraud. So if you have a bank account with any bank and use the Internet to make transactions, money transfers or credit card payments, here are some general ‘safe-banking’ tips that you would do well to follow:
Never use unprotected PCs at cyber-cafes for Internet banking.
Never keep your PIN and credit/debit card(s) together.
Never leave the PC unattended when on Internet banking in a public place.
Never reply to e-mails asking for your password or PIN.
Visit the bank’s website by typing the URL into the address bar, and not by clicking a link in an e-mail that arrived in your inbox.
Before using Internet banking, verify the domain name displayed to avoid spoof websites.
Log off and close your browser when you have finished using Internet banking.
Never let a stranger assist you at the ATM. Protect your ATM card PIN.
Count the cash and put it in your wallet before leaving the ATM.
Check your monthly credit/debit card statement for unusual activity.
Always draw a line through unused space on the cheque.
Never leave your cheque book unattended.
Never sign blank cheques.
Never keep pre-signed cheques anywhere.
Never hand over to unknown persons any signed blank cheques towards pre-EMI/EMI amounts, for opening of a savings account or opening of any other accounts.
Remember to cross your cheque whenever applicable.
Count the number of cheque leaves whenever you receive a new cheque book.