We had a number of Security On-Demand teammates attend “Hacker Summer Camp”, otherwise known as DEFCON. To help share what they learned, we are going to post a series of short articles highlighting their interests. These topics do not always align with Security On-Demand’s primary business offerings; however, they are very interesting cybersecurity topics and advancements that are significant to the global and local community, the cybersecurity industry, and individual security and privacy. We hope you find them engaging, educational, and even actionable.
Your Bank’s Digital Side Door – Presenter: Steven Danneman
By Danny King, Cyber Security Operator
One of the most intriguing talks at DEFCON 26 centered on vulnerabilities in the way financial software, financial institutions, and the Open Financial Exchange (OFX) protocol interface together. OFX is the open standard for client-server systems and cloud-based APIs that exchange financial data and perform financial transactions between financial institutions and financial applications. Steven Danneman, a Security Engineer at Security Innovation in Seattle, WA, presented his findings about such vulnerabilities in his talk entitled “Your Bank’s Digital Side Door.”
One of the catalysts for Danneman’s research was the realization that when he allowed his financial software (Quicken, QuickBooks, Mint, GnuCash, etc.) to gather data from his banks, the multi-factor authentication he had set up directly with his online banking was not being honored by the financial software or by the middleware (OFX). This is concerning because it leaves one’s data, money, personal information, and the bank’s assets more vulnerable to attack through credential compromise. The weakest link in this vulnerability chain resides in the OFX protocol, which over 3,000 North American banks use to connect with financial software. Danneman claims there is a security disconnect in the way some OFX servers use federation, OAuth, OpenID, and API calls to liaise with banks and financial software. Moreover, he notes that he found 30 different implementations of the OFX protocol in the wild, running on servers built as far back as 2007, highlighting how much of a wild-west scenario is still at play in the financial security sector.
Upon fingerprinting OFX services, he found that many servers were not patched with the latest updates and were running deprecated operating systems. He achieved this by fuzzing certain insecure OFX servers that did not employ graceful error handling. Those servers were essentially spilling out information about their operating systems, the password requirements for user bank accounts, when the server was last updated, and a host of other tasty data that could be used to exploit OFX servers, banks, and financial software.
The other issue Danneman noted was that a script he wrote to perform passive reconnaissance on OFX servers revealed that none were implementing the latest and most secure version of the protocol, which could shore up some of these vulnerabilities. Unfortunately, Danneman says there is simply no enforced standardization in the ways banks interact with OFX and the servers it resides on. To make matters worse, and quite apart from the problem of OFX servers overriding banks’ multi-factor authentication, many financial institutions don’t even offer multi-factor authentication to begin with. Furthermore, many banks have very weak password policies and still employ the oft-compromised “security questions” used for password reset. These include such questions as “your favorite pet’s name” or “your mother’s maiden name,” which can sometimes easily be discovered through social media and open source intelligence.
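The two findings above, error responses that spill implementation details and servers that advertise an old protocol version, are both things a bank or financial-software vendor can check on its own OFX endpoint as part of a self-audit. The following is an added example written for this post; it is not code from Danneman’s talk, from Security On-Demand, or from the OFX Consortium. It parses the OFX header of a response (both the OFX 1.x `KEY:VALUE` block and the OFX 2.x `<?OFX ...?>` processing instruction), compares the advertised `VERSION` against a policy minimum, and flags `STATUS` messages that look like stack traces or platform banners. The two sample responses, the leak patterns, and the minimum version of 220 (OFX 2.2) are constructed assumptions, not values taken from any real server.

```python
import re

# Constructed sample responses (not captured from any real institution).
# OFX 1.x: KEY:VALUE header lines, a blank line, then an SGML body.
SGML_RESPONSE = """OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:NONE

<OFX>
<SIGNONMSGSRSV1>
<SONRS>
<STATUS>
<CODE>2000
<SEVERITY>ERROR
<MESSAGE>java.lang.NullPointerException at com.example.ofx.Signon(Signon.java:42) on Windows Server 2003
</STATUS>
</SONRS>
</SIGNONMSGSRSV1>
</OFX>
"""

# OFX 2.x: an XML processing instruction carries the same header fields.
XML_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<?OFX OFXHEADER="200" VERSION="220" SECURITY="NONE" OLDFILEUID="NONE" NEWFILEUID="NONE"?>
<OFX>
<SIGNONMSGSRSV1><SONRS><STATUS><CODE>15500</CODE><SEVERITY>ERROR</SEVERITY><MESSAGE>Signon invalid</MESSAGE></STATUS></SONRS></SIGNONMSGSRSV1>
</OFX>
"""

# Assumed heuristics for "this error text came from the runtime, not the
# application": exception names, source-file:line references, stack frames,
# and OS / application-server product names.
IMPL_LEAK_PATTERNS = [
    r"\bException\b",
    r"\.(java|cs|php|aspx?|py):\d+",
    r"\bat [\w$.]+\(",
    r"\bWindows Server\b",
    r"\b(Tomcat|IIS|WebLogic|WebSphere|Apache)\b",
]


def parse_ofx_header(text):
    """Return the OFX header fields of a response as a dict.

    OFX 2.x responses carry the header as KEY="VALUE" attributes on an
    <?OFX ...?> processing instruction; OFX 1.x responses carry it as
    KEY:VALUE lines terminated by a blank line.
    """
    pi = re.search(r"<\?OFX\s+([^?]*)\?>", text)
    if pi:
        return dict(re.findall(r'(\w+)="([^"]*)"', pi.group(1)))
    header = {}
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the OFX 1.x header block
        key, sep, value = line.partition(":")
        if sep:
            header[key.strip()] = value.strip()
    return header


def status_messages(text):
    """Collect the free-text <MESSAGE> fields of every STATUS aggregate."""
    return [m.strip() for m in re.findall(r"<MESSAGE>([^<\r\n]*)", text)]


def audit_response(text, min_version=220):
    """Return a list of findings for one OFX response body.

    min_version is a policy parameter: the header VERSION is a three-digit
    string such as "102" or "220", so it is compared numerically.
    """
    findings = []
    header = parse_ofx_header(text)
    version = header.get("VERSION")
    if version is None or not version.isdigit():
        findings.append("no usable OFX VERSION header found")
    elif int(version) < min_version:
        findings.append(f"OFX VERSION {version} is below policy minimum {min_version}")
    for msg in status_messages(text):
        if any(re.search(p, msg) for p in IMPL_LEAK_PATTERNS):
            findings.append(f"STATUS MESSAGE may leak implementation details: {msg[:60]!r}")
    return findings


if __name__ == "__main__":
    for name, body in (("OFX 1.x sample", SGML_RESPONSE), ("OFX 2.x sample", XML_RESPONSE)):
        print(name)
        for finding in audit_response(body) or ["no findings"]:
            print("  -", finding)
```

Run against the two constructed samples, the OFX 1.x response produces two findings (old version, leaky error text) and the OFX 2.x response produces none. The leak patterns are deliberately coarse; the point is that an error path returning a caught exception’s text to the client is the condition to fix on the server side, by logging the detail internally and returning only a generic OFX status code and message.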
Again, there does not seem to be any enforcement driving financial institutions to standardize security policies across the board. This highlights the overarching theme of negligence from banks, the OFX Consortium, financial software companies, governments, and a host of regulatory committees. Such organizations need to increase their diligence in ensuring that financial transactions are secure through the entire process.
The takeaway: if you thought your financial data was becoming more secure, guess again, as there is still more work to be done. This vulnerability affects individual consumers and corporations alike. Danneman suggests writing to the OFX Consortium, banks, and financial software companies to turn up the heat so that this problem can be addressed in earnest.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.