Transaction Authorization Cheat Sheet
Last revision (mm/dd/yy): 07/6/2015
DRAFT DOCUMENT - WORK IN PROGRESS
Some applications use a second factor to check whether sensitive operations are being performed by an authorized user. A common example is wire transfer authorization, typically used in internet or mobile banking applications. For the purpose of this document we will call such a process “transaction authorization”. However, usage scenarios are not limited to financial systems. For example, an e-mail with a secret code or a link with some kind of token to unlock a user account is also a special case of transaction authorization: the user authorizes the account unlocking operation by using a second factor (a unique code sent to their e-mail address).
Transaction authorization is currently performed by various methods. The following are common examples:
Some of these can be implemented on a physical device or in a mobile application.
Transaction authorization is implemented in modern financial systems in order to protect against unauthorized wire transfers resulting from attacks using malware, phishing, password or session hijacking, CSRF, XSS and others. Unfortunately, as with any piece of code, such protection can be improperly implemented, and as a result it might be possible to bypass this safeguard. The purpose of this cheat sheet is to provide guidelines on how to properly implement transaction authorization so that it cannot be bypassed.
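The account-unlock-by-code case described above, as an added server-side illustration that is not part of the cheat sheet: the authorization code is issued for one user and one specific operation, stored only as a hash, consumed on first use and rejected if the operation the server is about to perform differs from the one the code was issued for. The `TransactionAuthorizer` class, its 10-minute validity window and its return strings are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

class TransactionAuthorizer:
    """Issues single-use codes bound to one user and one operation (example class)."""

    TTL_SECONDS = 600  # assumed validity window for a delivered code

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # code_id -> (user, operation digest, code hash, expiry)

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    @classmethod
    def _operation_digest(cls, operation: dict) -> str:
        # Canonical form so the same operation always produces the same digest
        canonical = "|".join(f"{k}={operation[k]}" for k in sorted(operation))
        return cls._digest(canonical)

    def issue(self, user: str, operation: dict):
        """Create a code for exactly this operation; the code itself is sent out of band."""
        code_id = secrets.token_urlsafe(8)
        code = secrets.token_urlsafe(16)
        self._pending[code_id] = (user, self._operation_digest(operation),
                                  self._digest(code), self._now() + self.TTL_SECONDS)
        return code_id, code

    def verify(self, code_id: str, user: str, operation: dict, code: str) -> str:
        """Consume the code and report whether this exact operation was authorized."""
        entry = self._pending.pop(code_id, None)  # single use: any attempt consumes it
        if entry is None:
            return "unknown_or_used"
        expected_user, expected_op, expected_code, expiry = entry
        if self._now() > expiry:
            return "expired"
        if user != expected_user:
            return "wrong_user"
        # The operation the server is about to execute must be the one the user authorized
        if self._operation_digest(operation) != expected_op:
            return "operation_mismatch"
        if not hmac.compare_digest(self._digest(code), expected_code):
            return "bad_code"
        return "ok"
```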
Authors and Primary Editors
Eoin Keary eoinkeary[at]owasp.org