Netherlands January 31, 2013

From OWASP
Jump to: navigation, search
OWASP Netherland Wiki
All OWASP NL Events 2013

Contents

January 31, 2013

Broken Online Strong Authentication and OWASP update

This chaptermeeting will be about broken online strong authentication with banking web applications and OWASP updates.

Programme:

18:30 - 19:00 Registration
19:00 - 19:45 The Truth about the e.dentifier2 - Erik Poll
19:45 - 20:00 Break
20:00 - 20:45 OWASP Update - Martin Knobloch
20:45 - 21:30 Networking

Presentations

The Truth about the e.dentifier2

We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device – a smartcard reader with a display and numeric keyboard – to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent.

OWASP Update

News and updates on OWASP BeneLux 2013, OWASP Dutch Chapter meetings, AppSec EU 2013, OWASP Connector, the OWASP Newsletter and new OWASP initiatives.

Speakers

Erik Poll

Erik works in the Digital Security group of the Radboud University on a range of topics in security, including smartcards, security protocols, software security, and critical infrastructures (esp. the smart grid).

Martin Knobloch

Martin Knobloch is member of the Dutch chapter board and chair of the Global Education Committee. Next to this he contributes to several projects as the OWASP Education Project and the OWASP Academy Portal. Martin is an independent security consultant and owner of PervaSec. His main working area is (software) security in general, from awareness to implementation. In his daily work, Martin is responsible for education in application security matters, advise and implementation of application security measures.