Must Know Business Logic Vulnerabilities In Banking Applications

Over the last few years, our On-Demand and Hybrid Penetration Testing platform has performed security testing of applications across various verticals and domains including Banking, e-commerce, Manufacturing, Enterprise Applications, Gaming and so on. SQL Injection, XSS and CSRF are still the top classes of vulnerabilities found by our automated scanning system; a large number of business logic vulnerabilities, however, are found only by our security experts, backed by a comprehensive knowledge base.

A business logic vulnerability is a security weakness or bug in the functional or design aspect of an application. Because the weakness lies in the function or design itself, it is generally missed by existing automated web application scanners.

In this blog we are sharing the most commonly found Business Logic Vulnerabilities in the Virtual Credit Card (VCC) creation module of a Banking Application.

Consider the following scenario: A Banking Application provides web based functionality to users to pay Bills Online as well as to create and manage Virtual Credit Cards. Virtual Credit Cards are used to shop online. A Virtual Credit Card creation use case involves the following steps:

1. User visits banking application.
2. User opts to create virtual credit card.
3. User fills up personal details, required amount, expiry date of VCC etc.
4. User chooses a payment gateway.
5. User fills up credit / debit card details.
6. Banking Application redirects user to a Payment Gateway.
7. Required amount + Service Charge are debited from user's Debit / Credit card.
8. Payment Gateway redirects user to a Callback URL provided by the Banking Application.
9. Banking Application verifies the Payment Gateway confirmation.
10. Banking Application generates a CVV number.
11. Banking Application presents VCC details to the user.
12. Banking Application performs SMS verification of the user.

Some of the security weaknesses found in the above scenario are as follows:

TAMPERING OF DATA COMMUNICATION BETWEEN PAYMENT GATEWAY AND BANKING APPLICATION

Weakness: The Banking Application does not verify whether the required amount was actually paid at the Payment Gateway side, nor what amount was paid there. As a result, a virtual card can be loaded with a higher amount while paying a lower amount to the bank, by modifying the amount in the request sent from the Payment Gateway back to the bank.

Mitigation: There should be sufficient validation between the Banking Application and the Payment Gateway of whether, and how much, was actually paid. The callback URL should not be directly controllable by an attacker.

NO VALIDATION ON BANKING APPLICATION'S CALLBACK URL

Weakness: There is no validation on the Banking Application side when the Payment Gateway redirects a user to the Banking Application's callback URL. As a result, a virtual credit card can be created without paying any service charges, by sending the request directly to the Banking Application's callback URL.

Mitigation: The callback URL should validate each request thoroughly, including whether the request was genuinely redirected by the Payment Gateway or called directly by an attacker.
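As an added example (not code from the original post or from the testing platform it describes), the following Python sketch shows how the banking side of step 9 can validate a gateway callback before a card is issued: the gateway is assumed to sign every field with a shared secret, the bank compares the reported amount with the total it recorded when the order was created, and each order can be completed only once. The secret, the order book, the field names and the signature scheme are all assumptions made for illustration.

```python
import hmac
import hashlib
from decimal import Decimal, InvalidOperation

# Hypothetical shared secret agreed out of band between the bank and the gateway
# (assumption; a real deployment keeps it in a secrets store, never in source).
GATEWAY_SECRET = b"example-shared-secret-not-for-production"


def fresh_orders():
    """Constructed order book: order_id -> expected total (amount + service charge) and status."""
    return {
        "VCC-1001": {"expected_total": Decimal("505.00"), "status": "PENDING"},
    }


def canonical_string(params):
    """Deterministic 'key=value&...' encoding of every field except the signature itself."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "signature")


def sign_callback(params, secret=GATEWAY_SECRET):
    """HMAC-SHA256 the gateway is assumed to attach to its callback (assumed scheme)."""
    return hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def verify_callback(params, orders, secret=GATEWAY_SECRET):
    """Decide whether a callback may unlock card creation. Returns (accepted, reason).

    Order of checks matters: the order must exist and still be pending (blocks replays
    and duplicates), the signature must bind every field (blocks a changed amount or
    status in transit, and an unsigned direct call to the callback URL), and the paid
    total must equal what the bank itself recorded when the order was created.
    """
    order = orders.get(params.get("order_id"))
    if order is None:
        return False, "unknown order"
    if order["status"] != "PENDING":
        return False, "order already processed"

    supplied = str(params.get("signature", ""))
    expected = sign_callback(params, secret)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "bad signature"

    if params.get("status") != "SUCCESS":
        return False, "payment not successful"

    try:
        paid = Decimal(str(params.get("amount", "")))
    except InvalidOperation:
        return False, "malformed amount"
    if paid != order["expected_total"]:
        return False, "amount mismatch"

    order["status"] = "PAID"          # mark consumed so a second identical callback is refused
    return True, "ok"


if __name__ == "__main__":
    orders = fresh_orders()
    cb = {"order_id": "VCC-1001", "amount": "505.00", "status": "SUCCESS"}
    cb["signature"] = sign_callback(cb)
    print(verify_callback(cb, orders))   # (True, 'ok')
    print(verify_callback(cb, orders))   # (False, 'order already processed')
```

A bank whose gateway does not sign callbacks should instead query the gateway server-to-server for the order's status and paid amount before issuing the card; either way the decision rests on data the bank obtained from the gateway, not on values that arrived through the user's browser.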

VIRTUAL CREDIT CARD NUMBER IS PREDICTABLE

Weakness: Generated Virtual Credit Card numbers are predictable or follow certain patterns. As a result, an attacker can predict the virtual credit card numbers in use by other legitimate users.

Mitigation: Virtual Credit Card numbers should be sufficiently random.
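An added illustration, not from the original post, of what "sufficiently random" means for a card number. It contrasts a sequential account field with one drawn from the operating system's CSPRNG (Python's secrets module), adds the Luhn check digit so the numbers are well-formed, and shows how little unpredictability a 16-digit number with a 6-digit issuer prefix can carry at all. The issuer prefix and the lengths are constructed values, not a real BIN.

```python
import math
import secrets

# Constructed issuer prefix for this example; not a real BIN (assumption).
ISSUER_PREFIX = "400000"
CARD_LENGTH = 16


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:      # every second digit from the right, starting next to the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def sequential_vcc(counter, prefix=ISSUER_PREFIX, length=CARD_LENGTH):
    """The weak pattern described above: the account field is a running counter, so one
    issued card reveals its neighbours. Shown only for contrast; do not use."""
    body = prefix + str(counter).zfill(length - len(prefix) - 1)
    return body + luhn_check_digit(body)


def random_vcc(issued, prefix=ISSUER_PREFIX, length=CARD_LENGTH):
    """Draw the account field from the OS CSPRNG and reject collisions against issued numbers."""
    body_len = length - len(prefix) - 1
    while True:
        body = prefix + "".join(str(secrets.randbelow(10)) for _ in range(body_len))
        number = body + luhn_check_digit(body)
        if number not in issued:
            issued.add(number)
            return number


def account_field_entropy_bits(prefix=ISSUER_PREFIX, length=CARD_LENGTH):
    """Upper bound on the unpredictability a number can carry: only the free digits count."""
    return (length - len(prefix) - 1) * math.log2(10)


if __name__ == "__main__":
    issued = set()
    print(random_vcc(issued), random_vcc(issued))
    print(round(account_field_entropy_bits(), 1), "bits available in the account field")
```

Because the account field holds only about 30 bits, the generator must also reject collisions against numbers already issued, and the CVV and expiry date must be generated independently rather than derived from the card number.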

NO ANTI-AUTOMATION IN VIRTUAL CREDIT CARD DETAILS VERIFICATION

Weakness: There is no anti-automation (e.g. CAPTCHA) while verifying Virtual Credit Card details such as the CVV number and expiry date. The Credit Card number is sufficiently long; however, the CVV number is generally a 3-digit number and the expiry date is also a 2-digit number. As a result, it is possible to brute-force the CVV number and expiry date and shop online using a stolen virtual credit card number.

Mitigation: There should be sufficient anti-automation, e.g. CAPTCHA, while verifying the CVV number along with the Credit Card Number.

NO ANTI-AUTOMATION IN CARD CREATION PROCESS

Weakness: There is no anti-automation while creating a virtual credit card. An attacker can use automated scripts to exhaust the pool of credit card numbers. As a result, Credit Card Numbers become unavailable to legitimate users, leading to a Denial of Service (DoS). It can also enable other attacks, including Credit Card Number pattern prediction.

Mitigation: There should be sufficient anti-automation, e.g. CAPTCHA, while creating virtual credit card numbers.
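The two anti-automation mitigations above, as an added example that is not taken from the original post: a per-card budget for failed CVV/expiry checks, after which the card is locked for review, and a per-customer budget for card creation beyond which the request must carry a solved CAPTCHA. The limits, the in-memory stores and the injectable clock are assumptions made so that the example runs offline.

```python
import hmac
import time
from collections import defaultdict, deque

# Policy constants are assumptions for the example, not a bank's real limits.
MAX_CVV_FAILURES = 3                # failures per card before it is locked for review
FAILURE_WINDOW_SECONDS = 24 * 3600
MAX_CARDS_PER_HOUR = 5              # creations per customer before a CAPTCHA is required


def _prune(q, cutoff):
    """Drop timestamps older than the window from the left of a deque."""
    while q and q[0] < cutoff:
        q.popleft()


class VerificationGuard:
    """Counts failed CVV/expiry checks per card number. Because the secret space is tiny
    (3-digit CVV, 2-digit expiry field), the budget has to be per card, not per client IP."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(deque)   # card_number -> timestamps of failures
        self.locked = set()

    def verify(self, card_number, cvv, expiry, stored):
        """Return 'ok', 'denied' or 'locked'. A lock persists until staff review."""
        if card_number in self.locked:
            return "locked"
        rec = stored.get(card_number)
        matches = (
            rec is not None
            and hmac.compare_digest(str(rec["cvv"]).encode(), str(cvv).encode())
            and rec["expiry"] == expiry
        )
        if matches:
            self.failures.pop(card_number, None)
            return "ok"
        q = self.failures[card_number]      # unknown numbers are counted too
        t = self.now()
        q.append(t)
        _prune(q, t - FAILURE_WINDOW_SECONDS)
        if len(q) >= MAX_CVV_FAILURES:
            self.locked.add(card_number)
            return "locked"
        return "denied"


class CreationGuard:
    """Per-customer budget for card creation; above it, a solved CAPTCHA is required."""

    def __init__(self, now=time.time):
        self.now = now
        self.created = defaultdict(deque)    # customer_id -> timestamps of creations

    def may_create(self, customer_id, captcha_passed=False):
        q = self.created[customer_id]
        t = self.now()
        _prune(q, t - 3600)
        if len(q) >= MAX_CARDS_PER_HOUR and not captcha_passed:
            return False
        q.append(t)
        return True


if __name__ == "__main__":
    # Constructed card record; the number is made up for the demonstration.
    stored = {"4000001234567890": {"cvv": "123", "expiry": "12/27"}}
    vg = VerificationGuard()
    for guess in ("000", "001", "002"):
        print(guess, vg.verify("4000001234567890", guess, "12/27", stored))
    print("correct after lock:", vg.verify("4000001234567890", "123", "12/27", stored))
```

Counting failures per card rather than per source address matters because a distributed script can spread a search of the thousand possible CVV values over many addresses; a small per-card budget stops it regardless of where the requests come from. In production the counters would live in a shared store and a lock would raise an alert for review.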

Mobile Banking Performance Testing

Mobile Banking is being rapidly deployed across developed as well as emerging markets. In some regions the race is driven by customer demand, for example Africa, India etc., where computer penetration is low and the primary channel is mobile banking. In other markets where computer penetration is high and mature, it is still launched as an additional channel to support the latest Apple iPhone, Google Droid, HTC Hero, Nokia Symbian etc.

Mobile banking, SMS banking or text banking testing encompasses various steps like:

Functional Testing on Server Side
Functional Testing on Client Side
Performance Testing
Security Testing

Is the functionality SMS push/pull only, or does it also have other client applications and content?

Functional testing will include certain standard tests like:

Funds Transfer
Enquiry Services
Requests
Bill Pay
Credit Card Transaction confirmations

For Mobile Banking Performance Testing, the objective and scope are very important, as testing may be end-to-end, server side only or client side only.
If it is end-to-end, you need visibility, control or access to the various points in the chain. Which component should you concentrate your efforts on, based on what the Bank owns and controls?

Mobile apps
Devices and Operating Systems
Network, GPRS etc.
Multiple carriers and locations
Server side components

Experienced teams who have done this testing before will be in a better position to get the job done quickly for the Client.
Once the mobile banking channel is live, the next step is to monitor the Banking Channel from the locations of your interest. It is better if one vendor can both deliver performance testing in pre-production and provide continuous monitoring support in post-production.

Personal Banking Can Benefit You In Various Ways!

Personal banking, or personal touch banking, is often called retail banking because of the retail services offered to consumers. It differs from commercial banking in a number of ways. There are various banks offering personal touch banking services in Florida. The banking services and financial products available to individuals may differ from those offered to institutions. Commercial banking and personal touch banking in Jacksonville, Florida often differ in the total amount deposited by individual customers. Personal banking deposits are usually much smaller than those from commercial bank customers.

Customers

Personal bank customers are individuals with deposits of less than $100,000. Commercial banking customers vary from small businesses to very large businesses and corporations. Sometimes, a commercial customer may be another bank.

Loans

Loans made by a personal bank may include auto loans, personal loans and mortgages. Personal bank loans are much smaller than the loans offered by commercial bankers. Commercial banks offer lines of credit and larger loans that allow a company to stay in business.

Account types

Both personal banking and commercial banking offer checking accounts. The commercial accounts include the fixed deposit, an interest-bearing account similar to a retail banking certificate of deposit (CD), and the current deposit, an account that generally pays no interest on the money in it.

Profitability

Commercial banking can often be more beneficial for large financial institutions than personal banking. However, there is also more risk in commercial banking because of the potential for larger losses. The potential for losses from personal banking is much smaller, thus it is lower risk.

Acceptability of risk

Commercial clients with very large deposits and some private banking customers are more often willing to accept higher risks with bank investments. This acceptance of risk can sometimes lead to high gains, but can also lead to large losses.

With personal touch banking in Jacksonville, you can get all the banking services you need in a checking account with no minimum balance requirement and unlimited check writing. The Jacksonville bank personal checking account is a no-cost, value-added solution for you.

Personal checking services can benefit you in a number of ways:

1. Unlimited check writing
2. Free online and phone banking
3. A free cash and check card
4. Free notary service
5. Free imaged monthly bank statements and checks

So, if you are interested in personal or personal touch banking in Florida, please visit jaxbank.com

Career Leads of Banking Tasks in India

Jobs in the banking sector are among the most sought after in India. Good wages, supplementary benefits packages, job security and very good scope for growth are the main reasons a large number of young Indians have begun to gravitate to this lucrative career. Although a banking career may appear to be intended for commerce or finance graduates, that no longer applies in the modern era. At present, banks provide equal opportunities to graduates of all streams.

India is one of the fastest growing economies in the world, with a growth rate of 8-10% per year. This economic growth has resulted in a variety of career opportunities in public sector banks, private banks and multinational banks based in India. Today banks are active in real estate loans, consumer loans, investment funds, credit cards and foreign exchange business. Every bank in India has been growing rapidly, with a huge 30-40% growth per year, and all of them are centrally regulated by the Reserve Bank of India (RBI). As a result of a decade of Reserve Bank oversight, all banks and financial institutions in India, public sector and private sector alike, are not only highly profitable but also very stable.

These factors have also led to a large number of stable bank jobs as well as high demand for banking professionals. Banks look for professionals with good communication skills, analytical skills, project loan appraisal skills and management skills along with good computer literacy. Public sector banks conduct recruitment drives in the form of written tests and interviews at all levels across India. If you look at any recruitment advertisement of a nationalized bank, you can see that there are opportunities at the clerical level for students who have passed 12th standard and have some computer knowledge. There are also general banking roles (probationary officers) open to any graduate, and specialist roles, especially in information technology, finance and law, as well as marketing roles for which an MBA in marketing is preferred. Even someone who joins at the junior (clerical) level can rise to senior positions with experience and further education, through promotion. Public sector banks pay around Rs.6000/- to Rs.8000/- per month basic salary at the junior level and Rs.25,000/- to Rs.30,000/- at the senior level.

Earlier, banks used to impart training to aspiring professionals through an institution called the National School of Banking, which prepared students for national-level bank exams. Nowadays the same work is done by the Institute of Banking Personnel Selection (IBPS); you can visit ibps.in for more details. Sites like bankbpo.in can also help in preparing for exams as well as interviews. Solved past examination papers and interview questions published by candidates themselves are very helpful in succeeding at the recruitment process.

Bank examinations in India usually consist of four common sections: 1. Reasoning ability, 2. Arithmetic and numerical tests, 3. General knowledge and 4. English. Apart from this common set, depending on the nature of the job, additional papers on computer knowledge, finance and law may be included. A major factor in success at these exams is time management: about 225 questions are expected to be solved in about 150 minutes. It is important to divide your time equally among all subjects and not to waste time reading the questions the way one would in a traditional examination paper. Fast decision making is one of the key factors; the applicant needs to decide immediately whether to attempt a question and should also answer questions very quickly without spending a lot of time on any particular one. Students with high marks, and a balanced performance across all subjects, are shortlisted on the basis of merit.

So, career prospects in the banking sector in India are stable as well as profitable, and every candidate must be well prepared for the recruitment exams and for the functions of the bank.

About Author

Get fresh & latest information in a few clicks about Govt Jobs, SSC Jobs, Defence Jobs, Banking Jobs, Teaching Jobs, Railway Jobs.

Acceleration of Technological Breakthrough in Banking Industry

With ever-increasing competition and fierce global expansion, the banking and financial services landscape has been changing direction. Today, banking and financial institutions differentiate themselves on the basis of the broad range of technology-infused services they provide. Banks are collaboratively assimilating technological advancements in order to become better service providers in the industry. They are combining regulation and modern financial instruments to offer better opportunities to businesses and reduce operational pressures. On the other side of the fulcrum, global customers want highly reliable, transformational and personalized services to satisfy their appetite.

Banks need to develop financial compliance reports as well as diligent monitoring tools that provide accurate insights, fulfill growing customer demands and curb illegal activities. Today, in the broader perspective, banking and financial institutions are vying to meet these demands while reducing escalating costs and controlling risks. Success is near, as banks have finally decided to protect their data from illegal use. In fact, they are busy creating banking intelligence systems that offer complete insight for better and more tangible decision making. Today, most forward-thinking financial institutions are embracing technological trends while at the same time developing robust financial instruments that enhance profitability, minimize risk, simplify online transactions and achieve competitive advantage.

Unquestionably, the acceleration of technological breakthroughs and propulsive digitization has overtaken traditional banking methods. It has sped up online transactions, online transfers, bill payment and e-commerce as a whole in the community. It has broadened the horizon of banks and allowed them to focus on phone banking, web banking, mobile banking and social media networks. The rapid proliferation of technological advancement has made banks and financial institutions never-ceasing service providers. In fact, the adoption of online banking is likely to keep climbing as economies continue to grow.

Banking analysts are also thinking deeply about discovering key technology priorities, streamlining customer interactions and optimizing data management in order to better inform and embrace banking technology decisions. As IT leaders, they have contributed to customer satisfaction. This directly impacts front-line interactions with customers and helps banking and financial institutions think critically.

In this environment, financial institutions are managing to deliver the best banking practices, invaluable assistance, support services, reliable financial products and, above all, easy-to-use functionality for business houses. This will not only help them attain market share but also lead to successful, ethical digital transformation. This vivid transformation dramatically helps businesses, institutions and industries to have a full-scale vision for expansion, growth, new project development, fresh ventures and/or diversification. This will certainly help banking and financial industries develop immunity to emerging recessions and financial crunches.